Edit tour

Windows Analysis Report
installer.exe

Overview

General Information

Sample name:	installer.exe
Analysis ID:	1464451
MD5:	a0e213177ee87cbb5ec32bef195bbfa9
SHA1:	6265b138b96d83b070ce14cc16e528bdf68aa160
SHA256:	141be7789497012b7911cabb1307e25e19f747e2e8fb5375f9cddff7e5f28265
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

installer.exe (PID: 4868 cmdline: "C:\Users\user\Desktop\installer.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)

schtasks.exe (PID: 2788 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 1664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2912 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 4156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 3896 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A0E213177EE87CBB5EC32BEF195BBFA9)

MPGPH131.exe (PID: 5040 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: A0E213177EE87CBB5EC32BEF195BBFA9)

RageMP131.exe (PID: 4828 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)

RageMP131.exe (PID: 6108 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: A0E213177EE87CBB5EC32BEF195BBFA9)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
Process Memory Space: installer.exe PID: 4868	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 3896	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5040	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 4828	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 6108	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\installer.exe, ProcessId: 4868, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

ET TROJAN RisePro TCP Heartbeat Packet - Source IP: 192.168.2.6 - Destination IP: 77.91.77.66

Timestamp:	06/28/24-21:10:01.833498
SID:	2049060
Source Port:	49712
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 68%

Multi AV Scanner detection for submitted file

Source: installer.exe

ReversingLabs: Detection: 68%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: installer.exe

Joe Sandbox ML: detected

Source: installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2049060 ET TROJAN RisePro TCP Heartbeat Packet 192.168.2.6:49712 -> 77.91.77.66:58709

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 77.91.77.66 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.6:49712 -> 77.91.77.66:58709

Source: Joe Sandbox View

IP Address: 77.91.77.66 77.91.77.66

Source: Joe Sandbox View

ASN Name: FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU

Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66
Source: unknown	TCP traffic detected without corresponding DNS query: 77.91.77.66

Source: C:\Users\user\Desktop\installer.exe

Code function: 0_2_00999280 recv,WSASend,

0_2_00999280

Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe	String found in binary or memory: https://ipinfo.io/
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: installer.exe, 00000000.00000002.3366357434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3366350121.000000000160E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3366635395.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3354916992.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTS
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

PE file contains section with special chars

Source: installer.exe	Static PE information: section name:
Source: installer.exe	Static PE information: section name: .idata
Source: installer.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009C71A0	0_2_009C71A0
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009CA928	0_2_009CA928
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009CC960	0_2_009CC960
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009DDA86	0_2_009DDA86
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009E8BB0	0_2_009E8BB0
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009D036F	0_2_009D036F
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_00A7FC40	0_2_00A7FC40
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009BF580	0_2_009BF580
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009E2610	0_2_009E2610
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009E47BF	0_2_009E47BF
Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_00A82FD0	0_2_00A82FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0017A928	6_2_0017A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0017C960	6_2_0017C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001771A0	6_2_001771A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0018DA86	6_2_0018DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0018036F	6_2_0018036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00198BB0	6_2_00198BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0022FC40	6_2_0022FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0016F580	6_2_0016F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001947BF	6_2_001947BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00232FD0	6_2_00232FD0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0017A928	7_2_0017A928
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0017C960	7_2_0017C960
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_001771A0	7_2_001771A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0018DA86	7_2_0018DA86
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0018036F	7_2_0018036F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00198BB0	7_2_00198BB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0022FC40	7_2_0022FC40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0016F580	7_2_0016F580
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_001947BF	7_2_001947BF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00232FD0	7_2_00232FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F871A0	8_2_00F871A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F8C960	8_2_00F8C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F8A928	8_2_00F8A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F9DA86	8_2_00F9DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00FA8BB0	8_2_00FA8BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F9036F	8_2_00F9036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0103FC40	8_2_0103FC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F7F580	8_2_00F7F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_01042FD0	8_2_01042FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00FA2610	8_2_00FA2610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00FA47BF	8_2_00FA47BF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F871A0	12_2_00F871A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F8C960	12_2_00F8C960
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F8A928	12_2_00F8A928
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F9DA86	12_2_00F9DA86
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00FA8BB0	12_2_00FA8BB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F9036F	12_2_00F9036F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0103FC40	12_2_0103FC40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F7F580	12_2_00F7F580
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_01042FD0	12_2_01042FD0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00FA2610	12_2_00FA2610
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00FA47BF	12_2_00FA47BF

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00174380 appears 48 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 00F84380 appears 48 times

Source: installer.exe, 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamedotnet.exe6 vs installer.exe
Source: installer.exe	Binary or memory string: OriginalFilenamedotnet.exe6 vs installer.exe

Source: installer.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: installer.exe	Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: installer.exe	Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: RageMP131.exe.0.dr	Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9983676437043796
Source: MPGPH131.exe.0.dr	Static PE information: Section: iolmakfn ZLIB complexity 0.9944186223712282

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\installer.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1664:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4156:120:WilError_03

Source: C:\Users\user\Desktop\installer.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\installer.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: installer.exe

ReversingLabs: Detection: 68%

Source: installer.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: installer.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\installer.exe

File read: C:\Users\user\Desktop\installer.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\installer.exe "C:\Users\user\Desktop\installer.exe"
Source: C:\Users\user\Desktop\installer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\installer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\installer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\installer.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: installer.exe

Static file information: File size 2402816 > 1048576

Source: installer.exe

Static PE information: Raw size of iolmakfn is bigger than: 0x100000 < 0x19a200

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\installer.exe	Unpacked PE file: 0.2.installer.exe.990000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.140000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.140000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 12.2.RageMP131.exe.f50000.0.unpack :EW;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;iolmakfn:EW;rrgdmorv:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x2578f2 should be: 0x25a30a
Source: installer.exe	Static PE information: real checksum: 0x2578f2 should be: 0x25a30a
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x2578f2 should be: 0x25a30a

Source: installer.exe	Static PE information: section name:
Source: installer.exe	Static PE information: section name: .idata
Source: installer.exe	Static PE information: section name:
Source: installer.exe	Static PE information: section name: iolmakfn
Source: installer.exe	Static PE information: section name: rrgdmorv
Source: installer.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: iolmakfn
Source: RageMP131.exe.0.dr	Static PE information: section name: rrgdmorv
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: iolmakfn
Source: MPGPH131.exe.0.dr	Static PE information: section name: rrgdmorv
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\installer.exe	Code function: 0_2_009C3F59 push ecx; ret	0_2_009C3F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00173F59 push ecx; ret	6_2_00173F6C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00173F59 push ecx; ret	7_2_00173F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00F83F59 push ecx; ret	8_2_00F83F6C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00F83F59 push ecx; ret	12_2_00F83F6C

Source: installer.exe	Static PE information: section name: entropy: 7.983217514944371
Source: installer.exe	Static PE information: section name: iolmakfn entropy: 7.952587985100504
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.983217514944371
Source: RageMP131.exe.0.dr	Static PE information: section name: iolmakfn entropy: 7.952587985100504
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.983217514944371
Source: MPGPH131.exe.0.dr	Static PE information: section name: iolmakfn entropy: 7.952587985100504

Source: C:\Users\user\Desktop\installer.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\installer.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\installer.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\installer.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\installer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\installer.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-16331
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_6-16105

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\installer.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C8A71F second address: C8A729 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C979C5 second address: C979DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FD228B1E7D1h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C979DD second address: C979E5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C979E5 second address: C979EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007FD228B1E7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97B78 second address: C97B7D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97B7D second address: C97B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD228B1E7C6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97E3E second address: C97E58 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jg 00007FD22947DF7Eh 0x0000000d push esi 0x0000000e pop esi 0x0000000f jl 00007FD22947DF76h 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97E58 second address: C97E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97E5D second address: C97E73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Bh 0x00000007 pushad 0x00000008 ja 00007FD22947DF76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C97FA0 second address: C97FBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007FD228B1E7D5h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C98290 second address: C982B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jc 00007FD22947DF7Ah 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD22947DF80h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C982B3 second address: C982B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A36A second address: C9A36F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A45E second address: C9A464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A464 second address: C9A4E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d xor dword ptr [ebp+122D18D3h], edx 0x00000013 movzx esi, di 0x00000016 push CE59CEDCh 0x0000001b push esi 0x0000001c jmp 00007FD22947DF81h 0x00000021 pop esi 0x00000022 add dword ptr [esp], 31A631A4h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007FD22947DF78h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000017h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 pushad 0x00000044 xor dx, 3CF9h 0x00000049 sub dword ptr [ebp+122D1CF1h], esi 0x0000004f popad 0x00000050 push 00000003h 0x00000052 or ch, FFFFFFCBh 0x00000055 sub dword ptr [ebp+122D1D1Eh], edx 0x0000005b push 00000000h 0x0000005d mov ecx, ebx 0x0000005f push 00000003h 0x00000061 mov dword ptr [ebp+122D1F33h], ecx 0x00000067 push 7A4FCE02h 0x0000006c pushad 0x0000006d push eax 0x0000006e push edx 0x0000006f pushad 0x00000070 popad 0x00000071 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A4E6 second address: C9A4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A4EA second address: C9A4F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A4F4 second address: C9A4F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C9A708 second address: C9A71D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 jbe 00007FD22947DF82h 0x0000000d jns 00007FD22947DF7Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CABBF5 second address: CABBFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CABBFB second address: CABC19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jl 00007FD22947DF76h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CABC19 second address: CABC1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C88CBB second address: C88CE7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FD22947DF82h 0x0000000a pop ecx 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e jno 00007FD22947DF7Eh 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8353 second address: CB8369 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8369 second address: CB837D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD22947DF7Bh 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB837D second address: CB8385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8385 second address: CB8395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 js 00007FD22947DF76h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8395 second address: CB83A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FD228B1E7C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB83A5 second address: CB83CB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FD22947DF7Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FD22947DF81h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB83CB second address: CB83F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D6h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD228B1E7CCh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB83F1 second address: CB83F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB867D second address: CB86A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD228B1E7D9h 0x00000010 jnc 00007FD228B1E7C6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB86A7 second address: CB86B1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FD22947DF76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB884D second address: CB8858 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jnl 00007FD228B1E7C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8858 second address: CB8865 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ecx 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8865 second address: CB8874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FD228B1E7C6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB8A00 second address: CB8A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9328 second address: CB932E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB932E second address: CB9337 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CADF00 second address: CADF1B instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD228B1E7C6h 0x00000008 jmp 00007FD228B1E7D1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB94A8 second address: CB94DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jmp 00007FD22947DF7Dh 0x0000000c jp 00007FD22947DF7Eh 0x00000012 popad 0x00000013 push edx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 jo 00007FD22947DF76h 0x0000001d pop edx 0x0000001e jo 00007FD22947DF89h 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9C11 second address: CB9C1B instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9D6F second address: CB9D8F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007FD22947DF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d pushad 0x0000000e push ecx 0x0000000f jnc 00007FD22947DF76h 0x00000015 pushad 0x00000016 popad 0x00000017 pop ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a jng 00007FD22947DF76h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9D8F second address: CB9D9A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9D9A second address: CB9DA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9EDA second address: CB9EDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CB9EDE second address: CB9EEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FD22947DF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD1AE second address: CBD1B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FD228B1E7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD1B8 second address: CBD1C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD1C6 second address: CBD1CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD333 second address: CBD33D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD33D second address: CBD343 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD343 second address: CBD399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jp 00007FD22947DF86h 0x00000011 jg 00007FD22947DF78h 0x00000017 push edx 0x00000018 pop edx 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c jp 00007FD22947DF90h 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pushad 0x0000002a popad 0x0000002b pop esi 0x0000002c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD399 second address: CBD3A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FD228B1E7C6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CBD3A3 second address: CBD3A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC0FC0 second address: CC0FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC0FC6 second address: CC0FD4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC0FD4 second address: CC0FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC0FDA second address: CC0FFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD22947DF84h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jns 00007FD22947DF76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC0FFE second address: CC1002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C8F712 second address: C8F717 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC520E second address: CC5212 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC5212 second address: CC5218 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC5218 second address: CC5249 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD228B1E7DDh 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FD228B1E7D0h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC469B second address: CC46B1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD22947DF7Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4814 second address: CC4822 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FD228B1E7CCh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4822 second address: CC4826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4826 second address: CC4836 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD228B1E7CAh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4ACE second address: CC4AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4F17 second address: CC4F1D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC4F1D second address: CC4F37 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FD22947DF76h 0x00000009 jnl 00007FD22947DF76h 0x0000000f jg 00007FD22947DF76h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC7F03 second address: CC7F22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7D9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC7F22 second address: CC7F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC87CF second address: CC87D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC8B2E second address: CC8B33 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC8C31 second address: CC8C56 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jo 00007FD228B1E7C6h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FD228B1E7D6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC92B6 second address: CC92D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD22947DF80h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC92D1 second address: CC92D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC92D7 second address: CC92DC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC92DC second address: CC9308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 xor di, 6E00h 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnc 00007FD228B1E7DCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC93BC second address: CC93D7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD22947DF7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f ja 00007FD22947DF76h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC93D7 second address: CC93E1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC970D second address: CC9721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007FD22947DF76h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC9F49 second address: CC9F4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC9F4D second address: CC9F56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC9F56 second address: CC9FC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 nop 0x00000009 or di, B100h 0x0000000e push 00000000h 0x00000010 jmp 00007FD228B1E7D9h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 movzx esi, bx 0x0000001b pop edi 0x0000001c xchg eax, ebx 0x0000001d pushad 0x0000001e jmp 00007FD228B1E7D4h 0x00000023 jmp 00007FD228B1E7D0h 0x00000028 popad 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007FD228B1E7D6h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CC9FC6 second address: CC9FCB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CCB929 second address: CCB92D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CCB92D second address: CCB971 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a jmp 00007FD22947DF83h 0x0000000f jmp 00007FD22947DF84h 0x00000014 pop ebx 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CCE4D3 second address: CCE4F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CCE2D0 second address: CCE2DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD0EF9 second address: CD0EFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD3A29 second address: CD3A33 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD22947DF7Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD8EBE second address: CD8EC4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDAEBD second address: CDAEC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD805F second address: CD8072 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD7039 second address: CD703F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDBD35 second address: CDBD7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+124487C1h], edi 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 movsx edi, di 0x00000015 pop ebx 0x00000016 mov edi, 136CC90Eh 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007FD228B1E7C8h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000019h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDBD7A second address: CDBD84 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDBD84 second address: CDBD9F instructions: 0x00000000 rdtsc 0x00000002 js 00007FD228B1E7C8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7CCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDC019 second address: CDC01E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDC01E second address: CDC03A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7D8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDC03A second address: CDC04F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jng 00007FD22947DF78h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDEB90 second address: CDEC04 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD228B1E7C6h 0x00000009 jmp 00007FD228B1E7D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FD228B1E7C8h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c mov bl, 1Ah 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push edx 0x00000033 call 00007FD228B1E7C8h 0x00000038 pop edx 0x00000039 mov dword ptr [esp+04h], edx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc edx 0x00000046 push edx 0x00000047 ret 0x00000048 pop edx 0x00000049 ret 0x0000004a movsx edi, bx 0x0000004d push 00000000h 0x0000004f mov bx, ax 0x00000052 xchg eax, esi 0x00000053 pushad 0x00000054 push edi 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDEC04 second address: CDEC0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDEC0C second address: CDEC12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDEC12 second address: CDEC23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jl 00007FD22947DF78h 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDFB6E second address: CDFB72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE19F4 second address: CE19FA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDDCE second address: CDDDE5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FD228B1E7CEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE19FA second address: CE1A11 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD22947DF7Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDFD2B second address: CDFD43 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE1A11 second address: CE1A1B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDDE5 second address: CDDE4C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov di, dx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 mov ebx, dword ptr [ebp+122D1D37h] 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 xor bl, 00000036h 0x00000024 mov eax, dword ptr [ebp+122D01E1h] 0x0000002a mov ebx, 60C60267h 0x0000002f push FFFFFFFFh 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007FD228B1E7C8h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 00000014h 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b or edi, dword ptr [ebp+122D2900h] 0x00000051 sub dword ptr [ebp+1247105Dh], ebx 0x00000057 nop 0x00000058 pushad 0x00000059 push eax 0x0000005a push edx 0x0000005b push ebx 0x0000005c pop ebx 0x0000005d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDFD43 second address: CDFDDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a nop 0x0000000b push edi 0x0000000c pop ebx 0x0000000d push dword ptr fs:[00000000h] 0x00000014 push 00000000h 0x00000016 push edi 0x00000017 call 00007FD22947DF78h 0x0000001c pop edi 0x0000001d mov dword ptr [esp+04h], edi 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edi 0x0000002a push edi 0x0000002b ret 0x0000002c pop edi 0x0000002d ret 0x0000002e movzx edi, ax 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 push 00000000h 0x0000003a push esi 0x0000003b call 00007FD22947DF78h 0x00000040 pop esi 0x00000041 mov dword ptr [esp+04h], esi 0x00000045 add dword ptr [esp+04h], 00000017h 0x0000004d inc esi 0x0000004e push esi 0x0000004f ret 0x00000050 pop esi 0x00000051 ret 0x00000052 call 00007FD22947DF82h 0x00000057 pop edi 0x00000058 mov eax, dword ptr [ebp+122D1041h] 0x0000005e sbb ebx, 1A944DFDh 0x00000064 push FFFFFFFFh 0x00000066 mov dword ptr [ebp+122D230Ch], edx 0x0000006c push eax 0x0000006d pushad 0x0000006e push edx 0x0000006f push ebx 0x00000070 pop ebx 0x00000071 pop edx 0x00000072 push eax 0x00000073 push edx 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDE4C second address: CDDE50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDFDDE second address: CDFDE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDE50 second address: CDDE5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FD228B1E7C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDE5E second address: CDDE6B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CDDE6B second address: CDDE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE1C15 second address: CE1C26 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE38C5 second address: CE38DD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FD228B1E7D0h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE3B79 second address: CE3B8A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CE3B8A second address: CE3B94 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FD228B1E7CCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CECB78 second address: CECB7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CECB7C second address: CECB9D instructions: 0x00000000 rdtsc 0x00000002 je 00007FD228B1E7C6h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FD228B1E7D2h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC32F second address: CEC350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FD22947DF85h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC600 second address: CEC60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jbe 00007FD228B1E7C6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC73A second address: CEC74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 jnp 00007FD22947DF7Eh 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC74B second address: CEC74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC74F second address: CEC757 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC757 second address: CEC75B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CEC75B second address: CEC761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF57F5 second address: CF57F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF5969 second address: CF59A1 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FD22947DF89h 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FD22947DF81h 0x0000000f jmp 00007FD22947DF85h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF59A1 second address: CF59C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FD228B1E7D8h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF59C8 second address: CF59CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF5C63 second address: CF5C67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CF5DBF second address: CF5DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFA378 second address: CFA37D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFA37D second address: CFA389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD22947DF76h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFA389 second address: CFA3B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007FD228B1E7CCh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7D2h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFA3B0 second address: CFA3B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFA3B8 second address: CFA3C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C8C14D second address: C8C153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C8C153 second address: C8C15E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edi 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C8C15E second address: C8C184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FD22947DF8Ah 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FD22947DF7Ah 0x00000016 pushad 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFE8D6 second address: CFE8F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD228B1E7D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFE8F2 second address: CFE908 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD22947DF81h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFE908 second address: CFE927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FD228B1E7D9h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFE927 second address: CFE92B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFE92B second address: CFE952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnc 00007FD228B1E7C6h 0x0000000d pushad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 pop edx 0x00000018 jmp 00007FD228B1E7CFh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CFF28D second address: CFF291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: C92BFD second address: C92C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D024A7 second address: D024C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push edx 0x0000000a pop edx 0x0000000b jmp 00007FD22947DF83h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0664D second address: D0667E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D4h 0x00000007 jmp 00007FD228B1E7D1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0667E second address: D06686 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06C1D second address: D06C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06C21 second address: D06C2E instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06C2E second address: D06C37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06C37 second address: D06C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD22947DF7Ah 0x00000008 jmp 00007FD22947DF7Fh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D07012 second address: D07016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D07016 second address: D07031 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D072BC second address: D072C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D072C2 second address: D072C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D07A6D second address: D07A73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D07A73 second address: D07A77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06365 second address: D06379 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FD228B1E7C6h 0x0000000a jmp 00007FD228B1E7CAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D06379 second address: D0637F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD1F29 second address: CD1F64 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 jl 00007FD228B1E7CEh 0x0000000e jl 00007FD228B1E7C8h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 xchg eax, esi 0x00000017 adc cx, 7329h 0x0000001c mov cx, 2D94h 0x00000020 nop 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FD228B1E7D8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD2613 second address: CD2621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD2621 second address: CD2625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD2625 second address: CD262B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD29BE second address: CD29C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: CD29C2 second address: CD2A19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD22947DF7Bh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e jmp 00007FD22947DF86h 0x00000013 push edx 0x00000014 jg 00007FD22947DF76h 0x0000001a pop edx 0x0000001b popad 0x0000001c mov eax, dword ptr [esp+04h] 0x00000020 jmp 00007FD22947DF84h 0x00000025 mov eax, dword ptr [eax] 0x00000027 jl 00007FD22947DF84h 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0B65B second address: D0B65F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0B65F second address: D0B69B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF7Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD22947DF7Ch 0x00000014 jmp 00007FD22947DF88h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0B9BA second address: D0B9DD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD228B1E7C6h 0x00000008 jmp 00007FD228B1E7D5h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0BF11 second address: D0BF2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF85h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0BF2A second address: D0BF30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0BF30 second address: D0BF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0C082 second address: D0C0A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD228B1E7CEh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0C0A7 second address: D0C0BC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0C0BC second address: D0C0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0FF92 second address: D0FF96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D0FF96 second address: D0FF9C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D11E0D second address: D11E1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1503E second address: D15042 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D15042 second address: D1504B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1504B second address: D1506E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD228B1E7CDh 0x00000009 popad 0x0000000a popad 0x0000000b js 00007FD228B1E7DCh 0x00000011 push edi 0x00000012 push edx 0x00000013 pop edx 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a pop eax 0x0000001b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D14D57 second address: D14D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007FD22947DF84h 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FD22947DF7Eh 0x0000001d jnc 00007FD22947DF76h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1A907 second address: D1A923 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 jmp 00007FD228B1E7D6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1A923 second address: D1A93B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF84h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1A93B second address: D1A93F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1DFA7 second address: D1DFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1DFAD second address: D1DFB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1DFB1 second address: D1DFBB instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD22947DF76h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D1DFBB second address: D1DFCB instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD228B1E7D2h 0x00000008 jne 00007FD228B1E7C6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2259D second address: D225AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FD22947DF76h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D225AC second address: D225B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D225B0 second address: D225B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D225B4 second address: D225BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2271E second address: D22740 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF80h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnp 00007FD22947DF82h 0x0000000f jng 00007FD22947DF76h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D228DF second address: D228EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D234AA second address: D234BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FD22947DF76h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D234BC second address: D234C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D234C0 second address: D234D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D29539 second address: D2953D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2953D second address: D29541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D29541 second address: D29560 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD228B1E7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FD228B1E7CCh 0x00000012 pushad 0x00000013 push esi 0x00000014 pop esi 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D29560 second address: D29566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D296C7 second address: D296CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D296CB second address: D296DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2984F second address: D29855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2A355 second address: D2A35A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2A6B6 second address: D2A6CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD228B1E7C6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e jc 00007FD228B1E7C6h 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 pop ebx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2AC4B second address: D2AC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2AC56 second address: D2AC60 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D2AC60 second address: D2AC65 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D30776 second address: D30782 instructions: 0x00000000 rdtsc 0x00000002 js 00007FD228B1E7C6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D34448 second address: D3444C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D3444C second address: D34452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D34452 second address: D34465 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FD22947DF76h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D34465 second address: D3446A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D3446A second address: D3446F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D338CF second address: D338EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 jp 00007FD228B1E7D6h 0x0000000f jc 00007FD228B1E7C6h 0x00000015 jmp 00007FD228B1E7CAh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D33BC7 second address: D33BEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD22947DF90h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D33BEB second address: D33BF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D33BF2 second address: D33C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D33C06 second address: D33C17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD228B1E7CDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D39EB8 second address: D39EC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD22947DF76h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D39EC2 second address: D39ED6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007FD228B1E7CEh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D39ED6 second address: D39EDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D3A503 second address: D3A516 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D3AC4A second address: D3AC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF7Fh 0x00000009 jnc 00007FD22947DF78h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D3AC6A second address: D3AC70 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F35A second address: D4F362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F362 second address: D4F36B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F36B second address: D4F36F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F36F second address: D4F3C2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD228B1E7D7h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 jmp 00007FD228B1E7D4h 0x00000018 push esi 0x00000019 push eax 0x0000001a pop eax 0x0000001b jmp 00007FD228B1E7D2h 0x00000020 pop esi 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F3C2 second address: D4F3C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F1DF second address: D4F225 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD228B1E7DDh 0x00000008 push edi 0x00000009 pushad 0x0000000a popad 0x0000000b js 00007FD228B1E7C6h 0x00000011 pop edi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 jmp 00007FD228B1E7D3h 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push esi 0x0000001e pop esi 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F225 second address: D4F22F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D4F22F second address: D4F243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FD228B1E7CBh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D51771 second address: D51779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D51779 second address: D5177F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D5177F second address: D51784 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D51784 second address: D517A3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007FD228B1E7C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push ebx 0x0000000e ja 00007FD228B1E7C6h 0x00000014 pop ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 jbe 00007FD228B1E7C6h 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D517A3 second address: D517AD instructions: 0x00000000 rdtsc 0x00000002 ja 00007FD22947DF76h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D55459 second address: D5545F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D5545F second address: D55467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D55467 second address: D55483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FD228B1E7C6h 0x0000000a jmp 00007FD228B1E7D0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D555E2 second address: D5561D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD22947DF83h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007FD22947DF7Eh 0x00000011 pop eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FD22947DF7Eh 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D5561D second address: D55621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D55621 second address: D55625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D55625 second address: D5562E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D5562E second address: D55636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D59F92 second address: D59F96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D59F96 second address: D59F9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D59F9A second address: D59FC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FD228B1E7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FD228B1E7C6h 0x00000014 jmp 00007FD228B1E7D9h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D59FC7 second address: D59FD3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007FD22947DF76h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D60525 second address: D6052B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6052B second address: D6052F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6052F second address: D6053F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007FD228B1E7C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6034D second address: D60353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D60353 second address: D60384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FD228B1E7CBh 0x0000000a jne 00007FD228B1E7D2h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FD228B1E7C8h 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D60384 second address: D60399 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D60399 second address: D603A5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FD228B1E7C6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D63BCB second address: D63BD7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FD22947DF76h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D63BD7 second address: D63BF4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c pop eax 0x0000000d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D63BF4 second address: D63C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF80h 0x00000007 jmp 00007FD22947DF84h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 jns 00007FD22947DF87h 0x00000017 jmp 00007FD22947DF81h 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD22947DF7Bh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6B1B0 second address: D6B1BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D69B73 second address: D69B7C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6A03C second address: D6A042 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6A45E second address: D6A464 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6A464 second address: D6A487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD228B1E7D3h 0x00000008 jmp 00007FD228B1E7CBh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D6AEB8 second address: D6AEDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d jmp 00007FD22947DF82h 0x00000012 push eax 0x00000013 pop eax 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D83F52 second address: D83F56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D86333 second address: D8634D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FD22947DF81h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D8634D second address: D86353 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D81BE5 second address: D81BE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D81BE9 second address: D81BFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FD228B1E7C8h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 pop esi 0x00000013 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D81BFE second address: D81C02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D81C02 second address: D81C08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D81C08 second address: D81C0D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FA1 second address: D94FA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FA7 second address: D94FBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jc 00007FD22947DF7Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FBA second address: D94FCC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FCC second address: D94FD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FD0 second address: D94FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94FD4 second address: D94FED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD22947DF83h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94A9D second address: D94ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jc 00007FD228B1E7D8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94ABA second address: D94AF4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FD22947DF76h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007FD22947DF7Dh 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD22947DF86h 0x0000001b jo 00007FD22947DF76h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94AF4 second address: D94B12 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FD228B1E7C6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edx 0x0000000d jg 00007FD228B1E7C6h 0x00000013 pop edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push esi 0x00000017 pop esi 0x00000018 jc 00007FD228B1E7C6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94B12 second address: D94B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: D94B16 second address: D94B26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007FD228B1E7CEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBFAF9 second address: DBFAFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBFAFD second address: DBFB14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FD228B1E7CDh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBEC8E second address: DBEC92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBEC92 second address: DBEC96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBEDE0 second address: DBEDE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBF4E5 second address: DBF4F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jo 00007FD228B1E7C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e popad 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DBF4F5 second address: DBF50F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF86h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC27DF second address: DC27E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC27E3 second address: DC27E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC27E7 second address: DC27ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC27ED second address: DC281E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a js 00007FD22947DF93h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD22947DF85h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC2A7E second address: DC2AC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b sub dx, 7F58h 0x00000010 push dword ptr [ebp+1244DFE4h] 0x00000016 push 00000000h 0x00000018 push esi 0x00000019 call 00007FD228B1E7C8h 0x0000001e pop esi 0x0000001f mov dword ptr [esp+04h], esi 0x00000023 add dword ptr [esp+04h], 00000018h 0x0000002b inc esi 0x0000002c push esi 0x0000002d ret 0x0000002e pop esi 0x0000002f ret 0x00000030 call 00007FD228B1E7C9h 0x00000035 push eax 0x00000036 push edx 0x00000037 push ecx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC2AC2 second address: DC2AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC2AC7 second address: DC2ACE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC2ACE second address: DC2AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FD22947DF7Ch 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jnc 00007FD22947DF76h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC2AEF second address: DC2B14 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FD228B1E7C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007FD228B1E7C8h 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 mov eax, dword ptr [eax] 0x00000015 pushad 0x00000016 pushad 0x00000017 jg 00007FD228B1E7C6h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f popad 0x00000020 pushad 0x00000021 push eax 0x00000022 pop eax 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC3D78 second address: DC3D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF86h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC3D92 second address: DC3D99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC3D99 second address: DC3DB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF80h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC3DB2 second address: DC3DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC3DB6 second address: DC3DCA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ecx 0x0000000a ja 00007FD22947DF76h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC563E second address: DC5644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC5644 second address: DC5649 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC5649 second address: DC566F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD228B1E7D2h 0x00000008 jne 00007FD228B1E7C6h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC566F second address: DC5673 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC5673 second address: DC568A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FD228B1E7CAh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC568A second address: DC56A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FD22947DF81h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC7615 second address: DC761B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC761B second address: DC7621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC7621 second address: DC7632 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jp 00007FD228B1E7C6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC7632 second address: DC763D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: DC763D second address: DC7648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FD228B1E7C6h 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55008F9 second address: 5500916 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5500916 second address: 5500938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 005D5C02h 0x00000008 mov dx, 364Eh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FD228B1E7D0h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D006C second address: 54D0070 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0070 second address: 54D0074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0074 second address: 54D007A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540165 second address: 554016C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554016C second address: 554017B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554017B second address: 55401DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FD228B1E7CEh 0x00000011 push eax 0x00000012 pushad 0x00000013 jmp 00007FD228B1E7D1h 0x00000018 mov di, cx 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FD228B1E7CAh 0x00000022 mov ebp, esp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FD228B1E7CAh 0x0000002d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55401DB second address: 55401E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0C6E second address: 54C0C74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0C74 second address: 54C0CF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007FD22947DF88h 0x0000000b and ch, FFFFFFA8h 0x0000000e jmp 00007FD22947DF7Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 mov ax, 1EBBh 0x0000001d pushfd 0x0000001e jmp 00007FD22947DF80h 0x00000023 and ch, 00000008h 0x00000026 jmp 00007FD22947DF7Bh 0x0000002b popfd 0x0000002c popad 0x0000002d push eax 0x0000002e jmp 00007FD22947DF89h 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 jmp 00007FD22947DF7Dh 0x0000003b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0CF5 second address: 54C0D22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FD228B1E7CEh 0x00000010 push dword ptr [ebp+04h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0D22 second address: 54C0D68 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007FD22947DF84h 0x0000000d sbb esi, 08308958h 0x00000013 jmp 00007FD22947DF7Bh 0x00000018 popfd 0x00000019 popad 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007FD22947DF80h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0D68 second address: 54C0D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0D6C second address: 54C0D72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0DE3 second address: 54C0DE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54C0DE7 second address: 54C0DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530DA0 second address: 5530DC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 5A41BA53h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov esi, 6AB38C45h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530DC3 second address: 5530DE8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov edx, 52A23CC0h 0x0000000e movsx ebx, si 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 pushad 0x00000014 movzx esi, bx 0x00000017 mov bh, B5h 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov dx, 3752h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530DE8 second address: 5530DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510B7A second address: 5510B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF89h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510B97 second address: 5510BBF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD228B1E7CDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540D84 second address: 5540E51 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007FD22947DF7Eh 0x00000010 push esi 0x00000011 pop ebx 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FD22947DF87h 0x00000019 sub al, FFFFFFDEh 0x0000001c jmp 00007FD22947DF89h 0x00000021 popfd 0x00000022 popad 0x00000023 push eax 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FD22947DF87h 0x0000002b and si, 64EEh 0x00000030 jmp 00007FD22947DF89h 0x00000035 popfd 0x00000036 pushfd 0x00000037 jmp 00007FD22947DF80h 0x0000003c add ax, 4C68h 0x00000041 jmp 00007FD22947DF7Bh 0x00000046 popfd 0x00000047 popad 0x00000048 xchg eax, ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FD22947DF85h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D05FA second address: 54D0600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0600 second address: 54D0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0604 second address: 54D0696 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FD228B1E7CAh 0x00000010 sub cl, 00000048h 0x00000013 jmp 00007FD228B1E7CBh 0x00000018 popfd 0x00000019 mov si, D5BFh 0x0000001d popad 0x0000001e mov dword ptr [esp], ebp 0x00000021 pushad 0x00000022 mov ah, BDh 0x00000024 pushfd 0x00000025 jmp 00007FD228B1E7CDh 0x0000002a xor esi, 07667F66h 0x00000030 jmp 00007FD228B1E7D1h 0x00000035 popfd 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FD228B1E7CCh 0x00000040 xor ch, 00000008h 0x00000043 jmp 00007FD228B1E7CBh 0x00000048 popfd 0x00000049 popad 0x0000004a pop ebp 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f jmp 00007FD228B1E7D7h 0x00000054 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0696 second address: 54D06B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530E24 second address: 5530E80 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 pushfd 0x00000007 jmp 00007FD228B1E7D0h 0x0000000c and cl, FFFFFFF8h 0x0000000f jmp 00007FD228B1E7CBh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a mov eax, 3B33C04Bh 0x0000001f pushfd 0x00000020 jmp 00007FD228B1E7D0h 0x00000025 or si, 2D58h 0x0000002a jmp 00007FD228B1E7CBh 0x0000002f popfd 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 push eax 0x00000034 push edx 0x00000035 mov edi, 653D9C88h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530E80 second address: 5530F23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF81h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edi, ecx 0x0000000b popad 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e movzx ecx, bx 0x00000011 pushfd 0x00000012 jmp 00007FD22947DF85h 0x00000017 xor eax, 0A87D256h 0x0000001d jmp 00007FD22947DF81h 0x00000022 popfd 0x00000023 popad 0x00000024 mov ebp, esp 0x00000026 pushad 0x00000027 movzx ecx, dx 0x0000002a push edx 0x0000002b pushfd 0x0000002c jmp 00007FD22947DF84h 0x00000031 xor ax, D3A8h 0x00000036 jmp 00007FD22947DF7Bh 0x0000003b popfd 0x0000003c pop esi 0x0000003d popad 0x0000003e pop ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 pushad 0x00000042 pushfd 0x00000043 jmp 00007FD22947DF80h 0x00000048 xor eax, 42F34608h 0x0000004e jmp 00007FD22947DF7Bh 0x00000053 popfd 0x00000054 popad 0x00000055 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540521 second address: 554052A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 1DFCh 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554052A second address: 5540551 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF82h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FD22947DF7Eh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540551 second address: 5540557 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540557 second address: 554055B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554055B second address: 554055F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554055F second address: 5540577 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD22947DF7Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540577 second address: 554057D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 554057D second address: 55405C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, 7E0CB1C1h 0x00000008 pushfd 0x00000009 jmp 00007FD22947DF7Eh 0x0000000e and cx, 55D8h 0x00000013 jmp 00007FD22947DF7Bh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FD22947DF85h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55405C1 second address: 55405F3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c jmp 00007FD228B1E7CEh 0x00000011 and dword ptr [eax], 00000000h 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 mov dx, 24B0h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55405F3 second address: 55405F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55405F8 second address: 5540621 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD228B1E7D2h 0x00000009 sbb ax, 44F8h 0x0000000e jmp 00007FD228B1E7CBh 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5540621 second address: 5540639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and dword ptr [eax+04h], 00000000h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD22947DF7Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510A43 second address: 5510A49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510A49 second address: 5510A5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510A5A second address: 5510A7E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD228B1E7D9h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510A7E second address: 5510ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, E6h 0x00000005 pushfd 0x00000006 jmp 00007FD22947DF88h 0x0000000b sbb ecx, 711ECFD8h 0x00000011 jmp 00007FD22947DF7Bh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov dword ptr [esp], ebp 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 mov cx, di 0x00000023 mov si, bx 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F0825 second address: 54F082B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F082B second address: 54F083C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F083C second address: 54F084B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F084B second address: 54F084F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F084F second address: 54F0855 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F0855 second address: 54F086F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov edx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FD22947DF7Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F086F second address: 54F0894 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F0894 second address: 54F0898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F0898 second address: 54F089C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54F089C second address: 54F08A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550B3B second address: 5550B6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007FD228B1E7D6h 0x0000000f call 00007FD228B1E7D2h 0x00000014 pop ecx 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510008 second address: 551000C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551000C second address: 5510010 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510010 second address: 5510016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510016 second address: 551001C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551001C second address: 5510020 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55100FE second address: 5510104 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510104 second address: 5510108 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510108 second address: 551012A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 jmp 00007FD228B1E7D0h 0x0000000e mov dword ptr [esp], ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551012A second address: 551012E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551012E second address: 5510134 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510134 second address: 5510143 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510143 second address: 551019C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e mov si, bx 0x00000011 pop edi 0x00000012 mov di, si 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 movsx edx, si 0x0000001b movzx ecx, dx 0x0000001e popad 0x0000001f xchg eax, ebx 0x00000020 pushad 0x00000021 mov ax, di 0x00000024 popad 0x00000025 mov ebx, dword ptr [ebp+10h] 0x00000028 pushad 0x00000029 mov eax, edx 0x0000002b mov bh, 14h 0x0000002d popad 0x0000002e xchg eax, esi 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD228B1E7D2h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551019C second address: 55101A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55101A0 second address: 55101A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55101A6 second address: 55101AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55101AC second address: 55101F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d call 00007FD228B1E7D1h 0x00000012 mov edi, ecx 0x00000014 pop esi 0x00000015 mov eax, edx 0x00000017 popad 0x00000018 xchg eax, esi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FD228B1E7D2h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55101F8 second address: 551020A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551020A second address: 5510262 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e pushad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 call 00007FD228B1E7D0h 0x00000017 pop ecx 0x00000018 popad 0x00000019 call 00007FD228B1E7CBh 0x0000001e push esi 0x0000001f pop edi 0x00000020 pop ecx 0x00000021 popad 0x00000022 push ebx 0x00000023 pushad 0x00000024 call 00007FD228B1E7CEh 0x00000029 mov edi, ecx 0x0000002b pop eax 0x0000002c mov esi, ebx 0x0000002e popad 0x0000002f mov dword ptr [esp], edi 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510262 second address: 5510274 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510274 second address: 5510286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510286 second address: 551028A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551028A second address: 55102B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FD228B1E7D9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55102B1 second address: 55102B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55102B7 second address: 55102EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD29A9BCB14h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov ebx, 4839FBA0h 0x00000017 jmp 00007FD228B1E7D9h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55102EF second address: 551031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD22947DF87h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d cmp dword ptr [esi+08h], DDEEDDEEh 0x00000014 pushad 0x00000015 movzx ecx, bx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 551031C second address: 5510322 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510322 second address: 5510357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007FD29B31C279h 0x0000000c jmp 00007FD22947DF7Fh 0x00000011 mov edx, dword ptr [esi+44h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD22947DF85h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510357 second address: 5510367 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510367 second address: 55103DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b jmp 00007FD22947DF87h 0x00000010 test edx, 61000000h 0x00000016 pushad 0x00000017 mov bx, ax 0x0000001a mov si, EC67h 0x0000001e popad 0x0000001f jne 00007FD29B31C266h 0x00000025 jmp 00007FD22947DF7Ah 0x0000002a test byte ptr [esi+48h], 00000001h 0x0000002e jmp 00007FD22947DF80h 0x00000033 jne 00007FD29B31C25Bh 0x00000039 jmp 00007FD22947DF80h 0x0000003e test bl, 00000007h 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55103DA second address: 55103F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 call 00007FD228B1E7D3h 0x00000009 pop esi 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55300F8 second address: 55300FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55300FC second address: 553010C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553010C second address: 553014F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop esi 0x00000005 pushfd 0x00000006 jmp 00007FD22947DF7Dh 0x0000000b xor cx, E7F6h 0x00000010 jmp 00007FD22947DF81h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FD22947DF7Eh 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553014F second address: 5530153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530153 second address: 5530157 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530157 second address: 553015D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553015D second address: 55301AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD22947DF86h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov si, dx 0x00000017 call 00007FD22947DF89h 0x0000001c pop eax 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55301AA second address: 5530229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and esp, FFFFFFF8h 0x0000000c pushad 0x0000000d movzx esi, di 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FD228B1E7D9h 0x00000017 adc cx, 3ED6h 0x0000001c jmp 00007FD228B1E7D1h 0x00000021 popfd 0x00000022 jmp 00007FD228B1E7D0h 0x00000027 popad 0x00000028 popad 0x00000029 xchg eax, ebx 0x0000002a jmp 00007FD228B1E7D0h 0x0000002f push eax 0x00000030 push eax 0x00000031 push edx 0x00000032 jmp 00007FD228B1E7CEh 0x00000037 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530229 second address: 553023F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 2904h 0x00000007 mov ch, bh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop eax 0x00000012 mov si, di 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553023F second address: 55302AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, 941Bh 0x00000007 pushfd 0x00000008 jmp 00007FD228B1E7D0h 0x0000000d add esi, 0A3FC0E8h 0x00000013 jmp 00007FD228B1E7CBh 0x00000018 popfd 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c xchg eax, esi 0x0000001d pushad 0x0000001e movzx eax, di 0x00000021 push eax 0x00000022 push edx 0x00000023 pushfd 0x00000024 jmp 00007FD228B1E7D7h 0x00000029 sbb eax, 12B4F8DEh 0x0000002f jmp 00007FD228B1E7D9h 0x00000034 popfd 0x00000035 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55302AB second address: 553031D instructions: 0x00000000 rdtsc 0x00000002 mov edi, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FD22947DF83h 0x0000000f sub al, FFFFFFEEh 0x00000012 jmp 00007FD22947DF89h 0x00000017 popfd 0x00000018 mov cx, 0E77h 0x0000001c popad 0x0000001d xchg eax, esi 0x0000001e pushad 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FD22947DF86h 0x00000026 or eax, 60F2FD98h 0x0000002c jmp 00007FD22947DF7Bh 0x00000031 popfd 0x00000032 mov ax, 374Fh 0x00000036 popad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553031D second address: 553032E instructions: 0x00000000 rdtsc 0x00000002 mov ax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553032E second address: 5530334 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530334 second address: 5530366 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub ebx, ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, 7017h 0x00000012 call 00007FD228B1E7CCh 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530366 second address: 553037F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, 245Dh 0x00000007 mov eax, 75AAA959h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f test esi, esi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop esi 0x00000016 mov esi, edi 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553037F second address: 5530473 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FD29A9947BBh 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FD228B1E7CEh 0x00000016 xor ch, 00000048h 0x00000019 jmp 00007FD228B1E7CBh 0x0000001e popfd 0x0000001f jmp 00007FD228B1E7D8h 0x00000024 popad 0x00000025 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002c jmp 00007FD228B1E7D0h 0x00000031 mov ecx, esi 0x00000033 jmp 00007FD228B1E7D0h 0x00000038 je 00007FD29A994769h 0x0000003e jmp 00007FD228B1E7D0h 0x00000043 test byte ptr [77436968h], 00000002h 0x0000004a pushad 0x0000004b mov ax, 224Dh 0x0000004f pushfd 0x00000050 jmp 00007FD228B1E7CAh 0x00000055 sub cx, FD68h 0x0000005a jmp 00007FD228B1E7CBh 0x0000005f popfd 0x00000060 popad 0x00000061 jne 00007FD29A99473Dh 0x00000067 pushad 0x00000068 pushfd 0x00000069 jmp 00007FD228B1E7D4h 0x0000006e jmp 00007FD228B1E7D5h 0x00000073 popfd 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530473 second address: 553049D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov edx, dword ptr [ebp+0Ch] 0x0000000a jmp 00007FD22947DF89h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 mov bx, si 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553049D second address: 55304F7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD228B1E7D6h 0x00000008 and cx, 9FB8h 0x0000000d jmp 00007FD228B1E7CBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov cx, CBEFh 0x00000019 popad 0x0000001a push eax 0x0000001b pushad 0x0000001c movsx ebx, cx 0x0000001f mov esi, 42139D83h 0x00000024 popad 0x00000025 xchg eax, ebx 0x00000026 jmp 00007FD228B1E7D6h 0x0000002b xchg eax, ebx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55304F7 second address: 55304FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55304FB second address: 5530501 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530501 second address: 553056E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FD22947DF82h 0x00000009 or ecx, 089E3BA8h 0x0000000f jmp 00007FD22947DF7Bh 0x00000014 popfd 0x00000015 mov dx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d pushfd 0x0000001e jmp 00007FD22947DF7Bh 0x00000023 add cx, 08EEh 0x00000028 jmp 00007FD22947DF89h 0x0000002d popfd 0x0000002e call 00007FD22947DF80h 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 553056E second address: 55305F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 pushad 0x00000008 push edi 0x00000009 pushfd 0x0000000a jmp 00007FD228B1E7D8h 0x0000000f and al, FFFFFFC8h 0x00000012 jmp 00007FD228B1E7CBh 0x00000017 popfd 0x00000018 pop esi 0x00000019 movsx ebx, ax 0x0000001c popad 0x0000001d push dword ptr [ebp+14h] 0x00000020 pushad 0x00000021 mov edx, ecx 0x00000023 call 00007FD228B1E7CAh 0x00000028 pushfd 0x00000029 jmp 00007FD228B1E7D2h 0x0000002e or si, 2858h 0x00000033 jmp 00007FD228B1E7CBh 0x00000038 popfd 0x00000039 pop eax 0x0000003a popad 0x0000003b push dword ptr [ebp+10h] 0x0000003e push eax 0x0000003f push edx 0x00000040 jmp 00007FD228B1E7D2h 0x00000045 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55305F1 second address: 55305F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55305F7 second address: 55305FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530631 second address: 5530636 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530636 second address: 5530656 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ebx, 0C5FDC60h 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ch, 9Fh 0x00000012 jmp 00007FD228B1E7CDh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5530656 second address: 553065B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 552000A second address: 552000F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 552000F second address: 5520015 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5520015 second address: 5520019 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5520019 second address: 552003D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FD22947DF89h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 552003D second address: 55200A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 9102h 0x0000000f jmp 00007FD228B1E7D3h 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FD228B1E7D6h 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e movzx esi, bx 0x00000021 mov di, E95Eh 0x00000025 popad 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a call 00007FD228B1E7CDh 0x0000002f pop esi 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571A94 second address: 5571AD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 29D87F57h 0x00000008 mov dh, ah 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 mov esi, edi 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 popad 0x00000017 push 0000007Fh 0x00000019 jmp 00007FD22947DF89h 0x0000001e push 00000001h 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FD22947DF7Dh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571AD7 second address: 5571AE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571AE7 second address: 5571AF8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571AF8 second address: 5571AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571AFC second address: 5571B00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571B00 second address: 5571B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571B06 second address: 5571B0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571B0C second address: 5571B10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5571B10 second address: 5571B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D02AD second address: 54D02CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D02CA second address: 54D0344 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, 84A2h 0x00000007 jmp 00007FD22947DF83h 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ecx 0x00000010 jmp 00007FD22947DF86h 0x00000015 push eax 0x00000016 pushad 0x00000017 mov esi, ebx 0x00000019 mov edi, 5A698480h 0x0000001e popad 0x0000001f xchg eax, ecx 0x00000020 pushad 0x00000021 mov ch, dh 0x00000023 mov edx, eax 0x00000025 popad 0x00000026 and dword ptr [ebp-04h], 00000000h 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d pushfd 0x0000002e jmp 00007FD22947DF85h 0x00000033 and cx, 8136h 0x00000038 jmp 00007FD22947DF81h 0x0000003d popfd 0x0000003e popad 0x0000003f rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0344 second address: 54D035B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7D3h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D035B second address: 54D0392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b lea eax, dword ptr [ebp-04h] 0x0000000e jmp 00007FD22947DF7Eh 0x00000013 nop 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0392 second address: 54D0396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0396 second address: 54D03B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF89h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D03B3 second address: 54D03B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D03B9 second address: 54D040C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF83h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov dl, 0Dh 0x0000000f pushfd 0x00000010 jmp 00007FD22947DF80h 0x00000015 and al, FFFFFFD8h 0x00000018 jmp 00007FD22947DF7Bh 0x0000001d popfd 0x0000001e popad 0x0000001f nop 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FD22947DF80h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D040C second address: 54D0412 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0412 second address: 54D0418 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0418 second address: 54D041C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D041C second address: 54D0420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D045E second address: 54D0464 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0464 second address: 54D0468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54D0468 second address: 54D04D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test eax, eax 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007FD228B1E7D4h 0x00000014 adc eax, 23E9FB58h 0x0000001a jmp 00007FD228B1E7CBh 0x0000001f popfd 0x00000020 mov bh, cl 0x00000022 popad 0x00000023 js 00007FD29988A3CDh 0x00000029 jmp 00007FD228B1E7CBh 0x0000002e mov eax, dword ptr [ebp-04h] 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FD228B1E7D5h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54B0B2A second address: 54B0B6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FD22947DF87h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD22947DF84h 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FD22947DF7Eh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54B0B6F second address: 54B0B9D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FD228B1E7D6h 0x0000000f mov ebp, esp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov di, si 0x00000017 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 54B0B9D second address: 54B0BDC instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FD22947DF88h 0x00000008 add si, 8948h 0x0000000d jmp 00007FD22947DF7Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 mov cx, 38BFh 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov esi, ebx 0x00000020 mov edx, 7A2E3B8Eh 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55600BB second address: 556012D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FD228B1E7CCh 0x00000011 adc cl, 00000058h 0x00000014 jmp 00007FD228B1E7CBh 0x00000019 popfd 0x0000001a popad 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FD228B1E7CBh 0x00000024 and ax, E01Eh 0x00000029 jmp 00007FD228B1E7D9h 0x0000002e popfd 0x0000002f popad 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 556012D second address: 5560131 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5560131 second address: 5560135 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5560135 second address: 556013B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 556013B second address: 556014B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 556014B second address: 556014F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510D1C second address: 5510D3C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov dl, F5h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FD228B1E7D3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510D3C second address: 5510D90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, 2EC1A0AAh 0x00000008 pushfd 0x00000009 jmp 00007FD22947DF7Bh 0x0000000e add esi, 7CBA654Eh 0x00000014 jmp 00007FD22947DF89h 0x00000019 popfd 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push eax 0x0000001e pushad 0x0000001f jmp 00007FD22947DF87h 0x00000024 push eax 0x00000025 push edx 0x00000026 mov edi, eax 0x00000028 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510D90 second address: 5510DAD instructions: 0x00000000 rdtsc 0x00000002 mov bx, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FD228B1E7CCh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510DAD second address: 5510DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510DB1 second address: 5510DB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5510DB7 second address: 5510DC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF7Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5590923 second address: 5590975 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, ebx 0x00000005 jmp 00007FD228B1E7CDh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e jmp 00007FD228B1E7CEh 0x00000013 mov ebp, esp 0x00000015 jmp 00007FD228B1E7D0h 0x0000001a push dword ptr [ebp+0Ch] 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FD228B1E7D7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55909CD second address: 55909E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD22947DF88h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55909E9 second address: 55909ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55909ED second address: 5590A06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 movzx eax, al 0x0000000b pushad 0x0000000c mov esi, 7F5D493Fh 0x00000011 popad 0x00000012 pop ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5590A06 second address: 5590A1D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD228B1E7D3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550563 second address: 5550582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF84h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550582 second address: 5550586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550586 second address: 555058C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 555058C second address: 5550593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dl, 3Eh 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550593 second address: 55505AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FD22947DF7Ah 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55505AD second address: 55505B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55505B3 second address: 55505EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FD22947DF82h 0x00000008 pop ecx 0x00000009 mov ecx, edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and esp, FFFFFFF0h 0x00000011 pushad 0x00000012 movsx edi, ax 0x00000015 mov ebx, ecx 0x00000017 popad 0x00000018 sub esp, 44h 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FD22947DF7Dh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55505EA second address: 55505FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FD228B1E7CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 55505FA second address: 5550612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FD22947DF7Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\installer.exe	RDTSC instruction interceptor: First address: 5550612 second address: 5550616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\installer.exe	Special instruction interceptor: First address: CBD25E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe	Special instruction interceptor: First address: CD199E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe	Special instruction interceptor: First address: D48510 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\installer.exe	Special instruction interceptor: First address: CBBB23 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 46D25E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 48199E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 4F8510 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 46BB23 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 127D25E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 129199E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 1308510 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 127BB23 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\installer.exe

Code function: 0_2_0559088A rdtsc

0_2_0559088A

Source: C:\Users\user\Desktop\installer.exe	Window / User API: threadDelayed 1023	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window / User API: threadDelayed 990	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window / User API: threadDelayed 391	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window / User API: threadDelayed 1068	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Window / User API: threadDelayed 1105	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1163	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 403	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1103	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1067	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1191	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1080	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 374	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1104	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1180	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1154	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 400	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1107	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1109	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1113	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 401	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1110	Jump to behavior

Source: C:\Users\user\Desktop\installer.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-16331
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-16125
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

Source: C:\Users\user\Desktop\installer.exe TID: 5724	Thread sleep time: -44022s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 3460	Thread sleep count: 1023 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 3460	Thread sleep time: -2047023s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 4620	Thread sleep count: 102 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 5712	Thread sleep count: 990 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 5712	Thread sleep time: -1980990s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 4620	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 6252	Thread sleep count: 391 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 3108	Thread sleep count: 1068 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 3108	Thread sleep time: -2137068s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 1012	Thread sleep count: 1105 > 30	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe TID: 1012	Thread sleep time: -2211105s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6960	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6960	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4972	Thread sleep count: 1163 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4972	Thread sleep time: -2327163s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2496	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2496	Thread sleep count: 137 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2748	Thread sleep count: 403 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4304	Thread sleep count: 1103 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4304	Thread sleep time: -2207103s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6184	Thread sleep count: 1067 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6184	Thread sleep time: -2135067s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6684	Thread sleep count: 1191 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6684	Thread sleep time: -2383191s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3268	Thread sleep count: 51 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4988	Thread sleep count: 1080 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4988	Thread sleep time: -2161080s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3268	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4568	Thread sleep count: 374 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3504	Thread sleep count: 1104 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3504	Thread sleep time: -2209104s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4000	Thread sleep count: 1180 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4000	Thread sleep time: -2361180s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4196	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4196	Thread sleep time: -66033s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1428	Thread sleep count: 1154 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1428	Thread sleep time: -2309154s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7024	Thread sleep count: 168 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3820	Thread sleep count: 400 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2404	Thread sleep count: 1107 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2404	Thread sleep time: -2215107s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4052	Thread sleep count: 1109 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4052	Thread sleep time: -2219109s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6316	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5668	Thread sleep count: 1113 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5668	Thread sleep time: -2227113s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4368	Thread sleep count: 149 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6780	Thread sleep count: 401 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5840	Thread sleep count: 1110 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5840	Thread sleep time: -2221110s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000007.00000002.3366635395.0000000000C96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_80A358DA2
Source: MPGPH131.exe, 00000007.00000003.2212616312.0000000000C96000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: installer.exe, 00000000.00000002.3366357434.00000000013F7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: installer.exe, 00000000.00000002.3366357434.0000000001448000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: RageMP131.exe, 00000008.00000002.3354481282.00000000008CF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\5
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D65000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}8
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000DA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_80A358DA
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&#
Source: RageMP131.exe, 0000000C.00000003.2359805794.0000000000DA6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: installer.exe, 00000000.00000002.3366357434.0000000001434000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3366350121.0000000001675000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3366635395.0000000000C7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3354916992.0000000000D8D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: installer.exe, 00000000.00000002.3366357434.0000000001434000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&X
Source: installer.exe, 00000000.00000002.3366357434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}+
Source: RageMP131.exe, 00000008.00000002.3354481282.0000000000904000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000C.00000002.3354916992.0000000000D5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
Source: installer.exe, 00000000.00000002.3366247638.000000000135B000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: installer.exe, 00000000.00000002.3366357434.000000000143F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&165
Source: MPGPH131.exe, 00000006.00000002.3366350121.0000000001640000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^1{v
Source: RageMP131.exe, 00000008.00000002.3354481282.0000000000904000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
Source: RageMP131.exe, 00000008.00000002.3353547935.00000000003FC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X
Source: MPGPH131.exe, 00000007.00000002.3366317336.0000000000AFC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}T
Source: installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000007.00000002.3366635395.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\installer.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\installer.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\installer.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_054E010D Start: 054E014C End: 054E0150	6_2_054E010D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_04CA0E07 Start: 04CA0ED7 End: 04CA0E8C	7_2_04CA0E07
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_052E0235 Start: 052E0323 End: 052E031F	12_2_052E0235

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\installer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\installer.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\installer.exe

Code function: 0_2_0559088A rdtsc

0_2_0559088A

Source: installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: o(c}>Program Manager
Source: installer.exe, installer.exe, 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: (c}>Program Manager

Source: C:\Users\user\Desktop\installer.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\installer.exe

Code function: 0_2_009C361D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_009C361D

Source: C:\Users\user\Desktop\installer.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: installer.exe PID: 4868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6108, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: Process Memory Space: installer.exe PID: 4868, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 3896, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5040, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4828, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6108, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
installer.exe	68%	ReversingLabs	Win32.Trojan.RisePro
installer.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	68%	ReversingLabs	Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	68%	ReversingLabs	Win32.Trojan.RisePro

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTS	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	installer.exe, 00000000.00000003.2124792716.0000000005300000.00000004.00001000.00020000.00000000.sdmp, installer.exe, 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2190833961.0000000005260000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2191242486.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2258761527.0000000004B90000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000C.00000003.2342289255.0000000005080000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	installer.exe, 00000000.00000002.3366357434.00000000013CE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3366350121.000000000160E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3366635395.0000000000C2B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3354916992.0000000000D3B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTS	RageMP131.exe, 00000008.00000002.3354481282.000000000089E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	RageMP131.exe	false	URL Reputation: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
77.91.77.66	unknown	Russian Federation		42861	FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1464451
Start date and time:	2024-06-28 21:09:07 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	installer.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: installer.exe

Simulations

Behavior and APIs

Time	Type	Description
15:10:26	API Interceptor	1151821x Sleep call for process: installer.exe modified
15:10:33	API Interceptor	1338018x Sleep call for process: MPGPH131.exe modified
15:10:40	API Interceptor	856147x Sleep call for process: RageMP131.exe modified
21:10:01	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
21:10:02	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:10:02	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:10:09	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
77.91.77.66	file.exe	Get hash	malicious	RisePro Stealer	Browse
	90ZF1EDs9h.exe	Get hash	malicious	RisePro Stealer	Browse
	Ke5ufWcgxp.exe	Get hash	malicious	RisePro Stealer	Browse
	BqqQh4Jr7L.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	plTAoSCew2.exe	Get hash	malicious	RisePro Stealer	Browse
	7rA1iX60wh.exe	Get hash	malicious	RisePro Stealer	Browse
	PNO3otPYOa.exe	Get hash	malicious	RisePro Stealer	Browse
	YnsEArPlqx.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FOTONTELECOM-TRANSIT-ASFOTONTELECOMISPRU	jYXfxdLoiV.pdf	Get hash	malicious	GRQ Scam	Browse	77.91.77.34
	j7iUba2bki.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	1Cvd8TyYPm.exe	Get hash	malicious	LummaC, Mars Stealer, PureLog Stealer, Stealc, Vidar, Xmrig, zgRAT	Browse	77.91.77.80
	ukuWaeRgPR.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.82
	tAa6xNsucX.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81
	1Vkf7silOj.exe	Get hash	malicious	LummaC, Amadey, Mars Stealer, PureLog Stealer, RedLine, SmokeLoader, Stealc	Browse	77.91.77.81
	wqmnYoVbHr.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81
	EZrw1nNIpG.exe	Get hash	malicious	Amadey, Mars Stealer, Stealc, Vidar	Browse	77.91.77.81
	file.exe	Get hash	malicious	RisePro Stealer	Browse	77.91.77.66
	hsRju5CPK2.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, PureLog Stealer, RedLine, zgRAT	Browse	77.91.77.81

Process:	C:\Users\user\Desktop\installer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2402816
Entropy (8bit):	7.963073123261248
Encrypted:	false
SSDEEP:	49152:n6CEHkNJDeZ2sZb3l+8R9lko90cf423IC/bVAvOe8HPPRgnda6cv3mVQdw:nikuZB13l+87lko90cf423z6vOeg2d86
MD5:	A0E213177EE87CBB5EC32BEF195BBFA9
SHA1:	6265B138B96D83B070CE14CC16E528BDF68AA160
SHA-256:	141BE7789497012B7911CABB1307E25E19F747E2E8FB5375F9CDDFF7E5F28265
SHA-512:	421A34499B2C6B74DB08C527CC9FC11C0D590E0572FE8CB4FD8A4BF857E396F3FAC892FDF944DC8A9E63AA3B57A0C2585EF8BE2CF5F36F897110890540A4B54F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........]...........@...........................^......x%...@.................................^...r.......8.....................].............................P.]..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... .@+.........................@...iolmakfn......D.....................@...rrgdmorv......].......$.............@....taggant.0....].."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\installer.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2402816
Entropy (8bit):	7.963073123261248
Encrypted:	false
SSDEEP:	49152:n6CEHkNJDeZ2sZb3l+8R9lko90cf423IC/bVAvOe8HPPRgnda6cv3mVQdw:nikuZB13l+87lko90cf423z6vOeg2d86
MD5:	A0E213177EE87CBB5EC32BEF195BBFA9
SHA1:	6265B138B96D83B070CE14CC16E528BDF68AA160
SHA-256:	141BE7789497012B7911CABB1307E25E19F747E2E8FB5375F9CDDFF7E5F28265
SHA-512:	421A34499B2C6B74DB08C527CC9FC11C0D590E0572FE8CB4FD8A4BF857E396F3FAC892FDF944DC8A9E63AA3B57A0C2585EF8BE2CF5F36F897110890540A4B54F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 68%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s..../.s..zq./.s.Rich..s.................PE..L....iLf...............'.....\|........]...........@...........................^......x%...@.................................^...r.......8.....................].............................P.]..............................6..@................... . ............................@....rsrc...8...........................@....idata ............................@... .@+.........................@...iolmakfn......D.....................@...rrgdmorv......].......$.............@....taggant.0....].."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\installer.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\installer.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.7192945256669794
Encrypted:	false
SSDEEP:	3:L7XS6W:X/W
MD5:	B7FD846280A7C3D53B785A393A4EC861
SHA1:	8F62D2C8C2E8CA6CB9A2D8AE1B6B41DF69937C8F
SHA-256:	31E9906EC844DBC68CC70B72497B71705E75585BEC6E12C76FD12DB73374459B
SHA-512:	4E620FB78E04DD0264F10594AFD7547EC8EBB5A8280ECA13C1F9A9DB7261633F954C19A8DE0B8FAC93D4D187F4B7D77729758C4D5061BB48FF7D3F58AF324902
Malicious:	false
Reputation:	low
Preview:	1719608074981

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.963073123261248
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	installer.exe
File size:	2'402'816 bytes
MD5:	a0e213177ee87cbb5ec32bef195bbfa9
SHA1:	6265b138b96d83b070ce14cc16e528bdf68aa160
SHA256:	141be7789497012b7911cabb1307e25e19f747e2e8fb5375f9cddff7e5f28265
SHA512:	421a34499b2c6b74db08c527cc9fc11c0d590e0572fe8cb4fd8a4bf857e396f3fac892fdf944dc8a9e63aa3b57a0c2585ef8be2cf5f36f897110890540a4b54f
SSDEEP:	49152:n6CEHkNJDeZ2sZb3l+8R9lko90cf423IC/bVAvOe8HPPRgnda6cv3mVQdw:nikuZB13l+87lko90cf423z6vOeg2d86
TLSH:	FBB5337D6AE04A2BCD196EB1D0735B0067E6747858C01F31EB980D261E5B3D0B2BEB5B
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......j.....s...s...s.e.p.%.s.e.v...s.e.t./.s..y..*.s..yw.=.s..yp.4.s..yv.u.s.e.w.6.s.e.u./.s.e.r.5.s...r...s..zz.2.s..z../.s...../.s

File Icon


Icon Hash:	8596a1a0a1a1b171

Static PE Info

General

Entrypoint:	0x9dd000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x664C6914 [Tue May 21 09:27:48 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FD22909E22Ah
js 00007FD22909E24Ah
add byte ptr [eax], al
jmp 00007FD2290A0225h
add byte ptr [edx+ecx], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
xor byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add ecx, dword ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [ecx], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add cl, byte ptr [edx]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
inc eax
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x18c05e	0x72	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x18a000	0x1638	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5db0a0	0x10	iolmakfn
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5db050	0x18	iolmakfn
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x18369c	0x40
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x189000	0xab400	c701a85cecf3b3f22a78ad90707dd02f	False	0.9983676437043796	data	7.983217514944371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x18a000	0x1638	0x1800	fe6f3fdb9e7e97cba92d8ce4e4fcc95b	False	0.7220052083333334	data	6.54017046361188	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x18c000	0x1000	0x200	0e14477ce436cc9ebd87f17a92173639	False	0.1640625	data	1.180504109820196	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x18d000	0x2b4000	0x200	2b1e4d974d2a744f1ad1e8f8a9813fb3	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
iolmakfn	0x441000	0x19b000	0x19a200	1b1ea038225ab9e28bd80c96a1b0f863	False	0.9944186223712282	data	7.952587985100504	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rrgdmorv	0x5dc000	0x1000	0x600	8c23be9ee6595eb32eadfb5a3f1a2003	False	0.5963541666666666	data	5.138385364628414	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5dd000	0x3000	0x2200	fbede7870e45c66f6df0ff589c9c41e5	False	0.04607077205882353	DOS executable (COM)	0.46755545145268296	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x18a440	0x1060	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.8838263358778626
RT_GROUP_ICON	0x18b4a0	0x14	data	Russian	Russia	1.05
RT_VERSION	0x18a130	0x310	data	Russian	Russia	0.45408163265306123
RT_MANIFEST	0x18b4b8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
06/28/24-21:10:01.833498	TCP	2049060	ET TROJAN RisePro TCP Heartbeat Packet	49712	58709	192.168.2.6	77.91.77.66

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jun 28, 2024 21:10:01.800635099 CEST	49712	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:01.805669069 CEST	58709	49712	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:01.805752039 CEST	49712	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:01.833498001 CEST	49712	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:01.838398933 CEST	58709	49712	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:03.543785095 CEST	58709	49712	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:03.543842077 CEST	49712	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.376029015 CEST	49713	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.378325939 CEST	49714	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.380923986 CEST	58709	49713	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:07.381010056 CEST	49713	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.383158922 CEST	58709	49714	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:07.383228064 CEST	49714	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.408123016 CEST	49713	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.412668943 CEST	49714	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:07.413063049 CEST	58709	49713	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:07.417433023 CEST	58709	49714	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:09.146461010 CEST	58709	49714	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:09.146630049 CEST	49714	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:09.147983074 CEST	58709	49713	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:09.148058891 CEST	49713	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:13.325586081 CEST	49716	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:13.419960976 CEST	58709	49716	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:13.420197010 CEST	49716	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:13.438668966 CEST	49716	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:13.443630934 CEST	58709	49716	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:15.259150982 CEST	58709	49716	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:15.259269953 CEST	49716	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:22.090804100 CEST	49722	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:22.095841885 CEST	58709	49722	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:22.096249104 CEST	49722	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:22.126061916 CEST	49722	58709	192.168.2.6	77.91.77.66
Jun 28, 2024 21:10:22.130995989 CEST	58709	49722	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:23.821499109 CEST	58709	49722	77.91.77.66	192.168.2.6
Jun 28, 2024 21:10:23.821680069 CEST	49722	58709	192.168.2.6	77.91.77.66

Target ID:	0
Start time:	15:09:55
Start date:	28/06/2024
Path:	C:\Users\user\Desktop\installer.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\installer.exe"
Imagebase:	0x990000
File size:	2'402'816 bytes
MD5 hash:	A0E213177EE87CBB5EC32BEF195BBFA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	15:10:00
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x560000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	15:10:00
Start date:	28/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	15:10:00
Start date:	28/06/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x560000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	15:10:00
Start date:	28/06/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	15:10:02
Start date:	28/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x140000
File size:	2'402'816 bytes
MD5 hash:	A0E213177EE87CBB5EC32BEF195BBFA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	15:10:02
Start date:	28/06/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x140000
File size:	2'402'816 bytes
MD5 hash:	A0E213177EE87CBB5EC32BEF195BBFA9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	15:10:09
Start date:	28/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xf50000
File size:	2'402'816 bytes
MD5 hash:	A0E213177EE87CBB5EC32BEF195BBFA9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 68%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	15:10:17
Start date:	28/06/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0xf50000
File size:	2'402'816 bytes
MD5 hash:	A0E213177EE87CBB5EC32BEF195BBFA9
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.5%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	2.4%
Total number of Nodes:	1839
Total number of Limit Nodes:	28

Executed Functions

Function 00999280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00ADD15C,00000000,761B23A0,-00B19880), ref: 009996C9

Strings

Ws2_32.dll, xrefs: 0099969A

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 204b4cfd6fe731efa467850a350f48472a989abd59e28528ef11dd80a7586fbf
Instruction ID: 22b8c0a3b6346a43e9936d5a70d233772f845444dab924895600bcdc14615830
Opcode Fuzzy Hash: 204b4cfd6fe731efa467850a350f48472a989abd59e28528ef11dd80a7586fbf
Instruction Fuzzy Hash: 4002C070D04298EFDF25CFA8C8907ADBBB0EF59314F24428DE4856B686D7741986CF92

Function 0559088A Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 502f5161555a2e4ba77503f0fd93e5590be017f8a973701229207daf3e22d542
Instruction ID: 2c6d98c40cecfea483c2aa53eb9aa45064b432fc4f11108387f665ca6598ae45
Opcode Fuzzy Hash: 502f5161555a2e4ba77503f0fd93e5590be017f8a973701229207daf3e22d542
Instruction Fuzzy Hash: E82138BB20D022BD7A09C541271CABA7B6FF6C62313308C37F407CB4A2D6890A4D51F1

Function 00A57B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000430,0000FFFF,00001006,?,00000008), ref: 00A57BA7
recv.WS2_32(?,00000004,00000002), ref: 00A57BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00A57C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00A57C64

Part of subcall function 00A58590: WSAStartup.WS2_32 ref: 00A585BB
Part of subcall function 00A58590: socket.WS2_32(?,?,?,?,?,?,00B19328,?,?), ref: 00A5865E
Part of subcall function 00A58590: connect.WS2_32(00000000,00AE9BFC,?,?,?,?,00B19328,?,?), ref: 00A58672
Part of subcall function 00A58590: closesocket.WS2_32(00000000), ref: 00A5867D

recv.WS2_32(00000000,?,00000008), ref: 00A57D1B
recv.WS2_32(?,00000004,00000008), ref: 00A57E23
__Xtime_get_ticks.LIBCPMT ref: 00A57E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00A57E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00A57EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00A57EB9

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: 181453efcbed2701102cb820406689215eb9fcd0376c7e5a03d6586ce0c397e6
Instruction ID: 406309810862a8135fa329fcdc70177cacbb1e6b18c2539bd24e2ff206261f99
Opcode Fuzzy Hash: 181453efcbed2701102cb820406689215eb9fcd0376c7e5a03d6586ce0c397e6
Instruction Fuzzy Hash: ECB18DB1D04348DBEB10DFA8DC8ABAEBBB5BB45300F604259E854BB2D2D7745D48CB91

Function 00A58590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00A585BB
socket.WS2_32(?,?,?,?,?,?,00B19328,?,?), ref: 00A5865E
connect.WS2_32(00000000,00AE9BFC,?,?,?,?,00B19328,?,?), ref: 00A58672
closesocket.WS2_32(00000000), ref: 00A5867D

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 2c2cdffabe530f1122fe5deb5f15b34c0d4b7f94aefad302786e318d2266d2e9
Instruction ID: 609f74abbd1417f287132c3d58eefe6e5d55870f3d0814c5bc0ef194267889c1
Opcode Fuzzy Hash: 2c2cdffabe530f1122fe5deb5f15b34c0d4b7f94aefad302786e318d2266d2e9
Instruction Fuzzy Hash: 9E3104765043406BC7208F288C8962FB7E4FFC9335F015F19FEA8A22D0E77498088796

Function 05590009 Relevance: 1.9, APIs: 1, Instructions: 372
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 83047a2311aea779f2b1873989b76502466a9f2b2d3acdc889a69f9acafb9f37
Instruction ID: 7b82016f9a0ef028e4b852831b1193ea000aff8197a919fdbbc4bfbee133b8a2
Opcode Fuzzy Hash: 83047a2311aea779f2b1873989b76502466a9f2b2d3acdc889a69f9acafb9f37
Instruction Fuzzy Hash: F5717DEB10C120BDBE49C0856F68AFB576FF6D67307318C26F807D65A2E29C5A4D21B1

Function 05590057 Relevance: 1.9, APIs: 1, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dd9f9f120c9a12ba3a6cca2db910cf274cf9eed086ddc9f25baad259eb16017
Instruction ID: da12ea726781d80673c0b0bf3b46805234e66e87af6b18928e807d6494ac0407
Opcode Fuzzy Hash: 6dd9f9f120c9a12ba3a6cca2db910cf274cf9eed086ddc9f25baad259eb16017
Instruction Fuzzy Hash: FF718EEB20C120BDBE09C4856F58AFA576FF6C67307318C27F807D61A2E29C5A4D21B1

Function 0559001B Relevance: 1.9, APIs: 1, Instructions: 370
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fe7a778a25db773bb38240c07fde28c1749380fc8ab29e5714d2ca97a8063308
Instruction ID: 93b4c16f5b62379762e6c213c8cb539d465b39c9cdc590d9dd1feb17a1d66aea
Opcode Fuzzy Hash: fe7a778a25db773bb38240c07fde28c1749380fc8ab29e5714d2ca97a8063308
Instruction Fuzzy Hash: 23717EEB20C120BDBE49C0956F58AFB576FF6C67307318C27F807D65A2E29C5A4921B1

Function 05590031 Relevance: 1.9, APIs: 1, Instructions: 361
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 97c3b3f4f7cf6dbe2b7b3c514b1bb453f2daca842835248f58f626c9db1d7b0f
Instruction ID: f934aa09fdebb3508555a333c719d88dedb51b1c48b2079acfbf68e492c5c8be
Opcode Fuzzy Hash: 97c3b3f4f7cf6dbe2b7b3c514b1bb453f2daca842835248f58f626c9db1d7b0f
Instruction Fuzzy Hash: C7717DEB10C120BDBE49C0856B68AFA576FF6C67307318C27F807D65A2E29C5A4D21B1

Function 05590043 Relevance: 1.9, APIs: 1, Instructions: 359
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 82c78ced0b96ea9371c84813735394df312e5171d3e5c7b24c80556993d1b282
Instruction ID: 0161c7c18da34f2874d6b56f252486e38c3748bf9081c553192145bb3da03f56
Opcode Fuzzy Hash: 82c78ced0b96ea9371c84813735394df312e5171d3e5c7b24c80556993d1b282
Instruction Fuzzy Hash: 54717FEB20C120BDBE09C0956F58AFA576FF6D67307318C27F807D65A2E29C5A4D21B1

Function 05590066 Relevance: 1.9, APIs: 1, Instructions: 353
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7091926c8e2fb340a97bedada7314a931ec416a3af2e875f0e266760dd237814
Instruction ID: 10e65c9fd620557dcd3bc49e3e7e125ef45454fc95eb87ddc5af0bf9cdbc5088
Opcode Fuzzy Hash: 7091926c8e2fb340a97bedada7314a931ec416a3af2e875f0e266760dd237814
Instruction Fuzzy Hash: 177181EB10C120BDBE09C5956F68AFA576FF6D67307318C26F807D61A2E29C4A4D21B1

Function 0559008F Relevance: 1.8, APIs: 1, Instructions: 344
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 67b9843f7d1367a2340ff55f27ad44abbda043f1d1e04d3ed406b950b6347fae
Instruction ID: d0b9ad85590e3325ae1dddbe9973828c131ecb9274e234bc6356af0f7172c4bf
Opcode Fuzzy Hash: 67b9843f7d1367a2340ff55f27ad44abbda043f1d1e04d3ed406b950b6347fae
Instruction Fuzzy Hash: 7C6180EB20C120BDBA09C5956B58AFA576FF6C67307318C27F807D65A2E39C4A4D21B1

Function 0559007D Relevance: 1.8, APIs: 1, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4fdcb523459ce00dbfcb559e9ad66dfd057b8ebe7c0c085789d5c16663d4fd9f
Instruction ID: 8e948bd4a0d00e54b58345dac8a7504a32f21c765824faaa5ad338056efde431
Opcode Fuzzy Hash: 4fdcb523459ce00dbfcb559e9ad66dfd057b8ebe7c0c085789d5c16663d4fd9f
Instruction Fuzzy Hash: 33617FEB20C120BDBE09C1956B58AFA576FF6C67307318C27F807D65A2E29C4A4D21B1

Function 055900D9 Relevance: 1.8, APIs: 1, Instructions: 326
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2da6b2ceb0af1b0d9d35e1d6d1c1ff48fa0384444adc6af3da33045725ee169f
Instruction ID: 9b5e65598509b49c14e6dea5a2b33efd57bc3ee4e810cfa69ddbb91a2df4d911
Opcode Fuzzy Hash: 2da6b2ceb0af1b0d9d35e1d6d1c1ff48fa0384444adc6af3da33045725ee169f
Instruction Fuzzy Hash: 0C617FEB20C120BDBE09C1916B68AFB576FF6C67307318C66F807D65A2E39C5A4D11B1

Function 055900C1 Relevance: 1.8, APIs: 1, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab33e59af47cbf9da98143a944d2569a89f8c058189c24518ff079f8b0501b75
Instruction ID: 8118254c3b39b706a298aafffcf3e70f7ec1345fe0b7954d8c11319fcbafb990
Opcode Fuzzy Hash: ab33e59af47cbf9da98143a944d2569a89f8c058189c24518ff079f8b0501b75
Instruction Fuzzy Hash: FB616EEB20C120BDBE09C1856F58AFA576FF6C67307318C26F807D65A2E29C4A4D21B1

Function 055900C6 Relevance: 1.8, APIs: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 827bdb44ea7300be2c9fc24b366adea72813b18031ec10629807f33d287edafb
Instruction ID: 7212e6c9ded09143956def76253875c58ba9c6e2a90db68db58d1ea7db62b9eb
Opcode Fuzzy Hash: 827bdb44ea7300be2c9fc24b366adea72813b18031ec10629807f33d287edafb
Instruction Fuzzy Hash: 22617AEB20C120BDBE09C5856B68AFA576FF6D67307318C26F807D55A2E39C4A4D21B1

Function 05590106 Relevance: 1.8, APIs: 1, Instructions: 313
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6daa7c00eabc26f4cd888dae24f8a9220fe978f0d1ce40ec0b3d66da8796b85e
Instruction ID: addfd03019a4789ceecc5d9243cdb23c1a1f8404db82794a5a48377e42d4ad74
Opcode Fuzzy Hash: 6daa7c00eabc26f4cd888dae24f8a9220fe978f0d1ce40ec0b3d66da8796b85e
Instruction Fuzzy Hash: CD515CEB20C120BDBE09C1856B58AFA576FF6C67307318C27F807D55A2E39C4A8D21B1

Function 05590175 Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b73172e807f12162527af7807109cc757fdb7fad1cefe11d8c66eec98acbd17
Instruction ID: e3b65691fd55b4cbee2c1fd50472eab716d35b6c324ab06639a9ea811eb4c9b9
Opcode Fuzzy Hash: 6b73172e807f12162527af7807109cc757fdb7fad1cefe11d8c66eec98acbd17
Instruction Fuzzy Hash: 4B516DEB20C120BDBE49C1956B68AFB576FF6C67307318C26F807D55A2E39C4A4D11B1

Function 05590125 Relevance: 1.8, APIs: 1, Instructions: 304COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1b2009eb7fee692456dfdf6f49c1ac8c6de8629188caeb204d1537c562c8e847
Instruction ID: 48369ff4065e16a8fba0190a6647687810466621ad6c7c76a7e17d6a13744f7a
Opcode Fuzzy Hash: 1b2009eb7fee692456dfdf6f49c1ac8c6de8629188caeb204d1537c562c8e847
Instruction Fuzzy Hash: FE516CEB20C120BDBE49C1856B68AFB576FF6C67307318C26F807D55A2E39C4A4D21B1

Function 05590135 Relevance: 1.8, APIs: 1, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b44454bc301d89c624bee03b05d7c5cda10ea3f67f7531873d7e0c5625ecd2e
Instruction ID: f4449e4dfc8519f2e2f01beabee2110bc3ac11318b0121d426e048eea9f70ef6
Opcode Fuzzy Hash: 6b44454bc301d89c624bee03b05d7c5cda10ea3f67f7531873d7e0c5625ecd2e
Instruction Fuzzy Hash: 00516DEB20C120BDBE09C1956B58AFA576FF6C67307318C27F807D55A2E39C4A4D21B1

Function 0559014C Relevance: 1.8, APIs: 1, Instructions: 298COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a4ab33dc6495a5eeebeaf343c241b82a93e6300953f97b7b693de1dcffb0203e
Instruction ID: 5172f983550a9c723ac21471cad210812d726304c01cd6caae930e9ac5b4029e
Opcode Fuzzy Hash: a4ab33dc6495a5eeebeaf343c241b82a93e6300953f97b7b693de1dcffb0203e
Instruction Fuzzy Hash: 00514BEB20C120BDBE09C1956B58AFA576FF6D67307318C27F807D55A2E39C4A8D11B1

Function 05590194 Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05590314

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 47639ee7b092140a04e098d69068217e13f11e820d34b82739c61a9e4ef799d5
Instruction ID: 88f2149b6dce46d4ef6e503df67a43a3e67b3629306deee713c736998ac6e20a
Opcode Fuzzy Hash: 47639ee7b092140a04e098d69068217e13f11e820d34b82739c61a9e4ef799d5
Instruction Fuzzy Hash: 6451C3E760C220BDBE0AC1916B58AFB576FF6C26303308C67F807C65A6E39D5A4D51B1

Function 055901E1 Relevance: 1.8, APIs: 1, Instructions: 257COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3e4e227a7bda48ca293a0942c784de89d81cbd2fcc9c87824977b65c4a30fc07
Instruction ID: 16e81169003051b258196541bb698d09e74ffbefb5df2926b46c65e7a96cfde1
Opcode Fuzzy Hash: 3e4e227a7bda48ca293a0942c784de89d81cbd2fcc9c87824977b65c4a30fc07
Instruction Fuzzy Hash: 74517CEB20C224BDBE0AC5916B58AFB572FF6C67303318C66F807D55A2E39C4A4D11B1

Function 05590201 Relevance: 1.7, APIs: 1, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fa977efa2274c458942f274ab0861eaf428cd6600d6a7fb0813d7fbd003dfa80
Instruction ID: b4ecd8a5717d6dd07892ab5fb680b1c00f53848d4ce92469a65fde4804af5c38
Opcode Fuzzy Hash: fa977efa2274c458942f274ab0861eaf428cd6600d6a7fb0813d7fbd003dfa80
Instruction Fuzzy Hash: 8B417BEB20C120BDBE0AC1916B58AFA576FF6C27303318C67F807D55A2E39C5A8D11B1

Function 0559025C Relevance: 1.7, APIs: 1, Instructions: 232COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05590314

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 36b517d00dd1b4efbc69e9edcb52c51baab1e5902dd46787ba3aa3c2fa4d1fbd
Instruction ID: 600d28e5d53a6b27ecdb0b97fda9edf6e9e7a070bae6991e61f8dad5acddbbd3
Opcode Fuzzy Hash: 36b517d00dd1b4efbc69e9edcb52c51baab1e5902dd46787ba3aa3c2fa4d1fbd
Instruction Fuzzy Hash: 7B41D5E720C250BDFE0AC1912B58AF6676EF6C67303318C67F407CA1A2E39C4A4E51B1

Function 05590225 Relevance: 1.7, APIs: 1, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 988be7de3bf953a421c8c9d1894ba51bd8decce360d334ea78c2fca6155e6bdf
Instruction ID: da7ed5162d491d133a5d48a256589e65426f6f59b09e307bdd27de13dc6c9338
Opcode Fuzzy Hash: 988be7de3bf953a421c8c9d1894ba51bd8decce360d334ea78c2fca6155e6bdf
Instruction Fuzzy Hash: A141B1E710C261ADBE0AC1916B58AFB576FF6C27307318C67F80BD61A2E39C4A4D11B1

Function 055902A2 Relevance: 1.7, APIs: 1, Instructions: 227COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05590314

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e9e48b1933511eac265c549a937a10870a628b09c742426bc8bb983191263b85
Instruction ID: 1d20757b6af6fd494190026cf74d34f216618fd3feb2aea75262a268d20b7231
Opcode Fuzzy Hash: e9e48b1933511eac265c549a937a10870a628b09c742426bc8bb983191263b85
Instruction Fuzzy Hash: 2A419FE724C110BDBE09C1916B58AF66B6FF6C67303318C67F407C51A6E39C4A4D51B1

Function 05590247 Relevance: 1.7, APIs: 1, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d3750207f872a899f49eeb05e63f3ab7971e71bdf1ec4e0f1597c79891e11de7
Instruction ID: 724725c338728eff3381914e18835f39075b2360173190cd76f2c76f9d232ba2
Opcode Fuzzy Hash: d3750207f872a899f49eeb05e63f3ab7971e71bdf1ec4e0f1597c79891e11de7
Instruction Fuzzy Hash: 85418DEB20C120BDBE09C1916B58AF6676FF6C67303318C67F807D51A6E39C4A4D51B1

Function 055902B9 Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7311385b4aeff5c676dae332e1412004df642a0304484aefac9bc46608d1100f
Instruction ID: 93523949de5cb1b4b7600807e586a588f1d09e9302acd6f25e90d33c4615a7b7
Opcode Fuzzy Hash: 7311385b4aeff5c676dae332e1412004df642a0304484aefac9bc46608d1100f
Instruction Fuzzy Hash: ED418FEB20C220BDBA09C1912B58AF7576FF6C67303318C66F807D51A6E39C4A4D51B1

Function 009D9789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 009D990E

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 98d04d375976e5d23f9374b9dc03c7f863c26bf792a204d3e563dcc928f3ebd5
Instruction ID: 8bcb95a30dee7a86918f31d4db9ae617c8f19bac36053ea873055a4d4ca1c2fa
Opcode Fuzzy Hash: 98d04d375976e5d23f9374b9dc03c7f863c26bf792a204d3e563dcc928f3ebd5
Instruction Fuzzy Hash: 3C61E571D44119BFDF11EFA8C884EEEBBB9AF49304F14854AE904A7346D736D901DBA0

Function 055902F6 Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05590314

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3eac281a89de8f355e9cc44d0b9a0e6576242e280a95af906ca7fee6e142a33b
Instruction ID: a640be3af47f3eb1221a75e6ef43c5d631e8ff5b948e3d393797642eb29ade3c
Opcode Fuzzy Hash: 3eac281a89de8f355e9cc44d0b9a0e6576242e280a95af906ca7fee6e142a33b
Instruction Fuzzy Hash: 52315FF720C225FEBA19C5952B18AFB676FF6C17307318C26F807C61A6E3984A4D50B1

Function 055902D7 Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05590314

Memory Dump Source

Source File: 00000000.00000002.3376234565.0000000005590000.00000040.00001000.00020000.00000000.sdmp, Offset: 05590000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5590000_installer.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b4d44827cecfc9dec36629ae80418a66d8e352c7df1cb6e8d62323fde8a703b4
Instruction ID: c082e3f2fe6d53dad4537b43923174e786e9c3ff0bb6ebe85c85aedd3282e1e8
Opcode Fuzzy Hash: b4d44827cecfc9dec36629ae80418a66d8e352c7df1cb6e8d62323fde8a703b4
Instruction Fuzzy Hash: C1313DEB24C120FDBA19C5952B18AFB576FF6C57307318C66F807D61A6E39C4A4D10B1

Function 009D8DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,009D8CE6,00000000,?,00B0A178,0000000C,009D8DA2,?,?,?), ref: 009D8E55

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 215933630944fb5b963a8d88c0b44e4f038e15fc5f332a40a8cfe2eced0512ec
Instruction ID: 94bb3dfbb2ce822271fd39278a52b141694730746955cc92ab4f403cbdb62a2d
Opcode Fuzzy Hash: 215933630944fb5b963a8d88c0b44e4f038e15fc5f332a40a8cfe2eced0512ec
Instruction Fuzzy Hash: 8911483368612056D6253235A845BBF278D4BC2734F298A5FF91C8B3C3DE61CC8145B5

Function 009D251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,009D2626,?,?,?,?,?), ref: 009D2558

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eca2109980bf72766961a1291373f20fc7a9e6436f2e7c5283f1cc5b5345ad96
Instruction ID: a2c4d08bf22535ffe2f5afa17488b88f6a499ea7a91ba706b1243dce30490b41
Opcode Fuzzy Hash: eca2109980bf72766961a1291373f20fc7a9e6436f2e7c5283f1cc5b5345ad96
Instruction Fuzzy Hash: C0014932644109AFCF09CF19DC15D9E3B59DB95330B34414AF8009B3E0EA71ED428BA0

Function 009932D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0099331F

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: b5d719ddacb418be146bd26da37115ea9ac59d2df76206a46f8fbcbb5b5a1da5
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 28F0BB715401045BDF146F68D416AEAB3ECDF55351790857EE88DC7212DF26DA408791

Function 009DA65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,009D9FE0,00000001,00000364,00000001,00000006,000000FF,?,009C4B3F,?,?,761B23A0,?), ref: 009DA69C

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1fca750eeb406278d7aed6a7f5aff4d19aafee86bfd429cfadeec8412620ef14
Instruction ID: dd33859416f3e56c385a67bca40c3019aa12a77207e7954005f7530fb9c3dc25
Opcode Fuzzy Hash: 1fca750eeb406278d7aed6a7f5aff4d19aafee86bfd429cfadeec8412620ef14
Instruction Fuzzy Hash: C0F0B4321D0521AA9B215E729805B6A374D9F81760F9CC513E804E7380CB34DC2046E6

Function 009DB094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,009C4B3F,?,?,761B23A0,?,?,00993522,?,?), ref: 009DB0C6

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ed2332d919758ce6298243d4240577443c35eb342bc9ef48631a9cb14af0a6a9
Instruction ID: 49afc595495595f4c02db34993b567c8ef49ce6045059458884dff86a766b218
Opcode Fuzzy Hash: ed2332d919758ce6298243d4240577443c35eb342bc9ef48631a9cb14af0a6a9
Instruction Fuzzy Hash: A2E065322C1660A6EA212665DC10B5B764D9F813A0F57C613EC24A67D5DB34DC1082E5

Non-executed Functions

Function 009E47BF Relevance: 10.2, APIs: 1, Strings: 4, Instructions: 1473COMMON

Download Yara Rule

APIs

__floor_pentium4.LIBCMT ref: 009E49D6

Strings

1#INF, xrefs: 009E48F5
1#QNAN, xrefs: 009E48D2
1#SNAN, xrefs: 009E48CB
1#IND, xrefs: 009E48C4

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: __floor_pentium4
String ID: 1#IND$1#INF$1#QNAN$1#SNAN
API String ID: 4168288129-2761157908
Opcode ID: 2da18c6c5db764f9222e2b75d08f3f5d0455ce3ae92597a2fda81cbae48416ac
Instruction ID: 646d99b06877b1266b6540a67301fd0e1a0ea4e2ffbc693244e476db335d59f0
Opcode Fuzzy Hash: 2da18c6c5db764f9222e2b75d08f3f5d0455ce3ae92597a2fda81cbae48416ac
Instruction Fuzzy Hash: 40D26B71E086688FDB66CE29CC407EAB7B9FB44345F1545EAD40DE7240EB78AE818F41

Function 009CC960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 6e88c8eb84ac91f2bdc89f81ebb7f5fd421ab4ae803baab874444b1b69ddc3a6
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: A70219B1E012199BDF14CFA9C880BAEBBB5FF48314F24866DD919A7380D731AD41CB91

Function 009C361D Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,009C3077,?,?,?,?,00A57E2F), ref: 009C3655

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: e34e5aaa084e8e398029aa94e7d4901bd6a981b2ee36182ec42c37ba7417a17f
Instruction ID: 51e91d6087d14a2a7d1d0f9505be657c46587bbee2be42670710d86ef8a3bed6
Opcode Fuzzy Hash: e34e5aaa084e8e398029aa94e7d4901bd6a981b2ee36182ec42c37ba7417a17f
Instruction Fuzzy Hash: 69F0E532A04594EFCB11CF94DC05F99B7A8F708B10F00852AE8129B7D0CB34AA008FC0

Function 00A82FD0 Relevance: .7, Instructions: 735COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b2321322825c713d1db7277d96f9f6abc91b36fff322b7cac637aaa79c551fa
Instruction ID: 3fa4457402dbb26cf86caad965dbf8d710aba24711d1e8127a1fc5571aa77219
Opcode Fuzzy Hash: 7b2321322825c713d1db7277d96f9f6abc91b36fff322b7cac637aaa79c551fa
Instruction Fuzzy Hash: 77627BB1E002159FDF18DF99C5846AEBBB1BF48708F2881ADD814AB342D775DA46CF90

Function 009BF580 Relevance: .4, Instructions: 394COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction ID: ca4ae2a9fb8444fbb8e6c4c966ffada3f095d104528ca9b2d6a6c3758ce9be5b
Opcode Fuzzy Hash: 80b9970b4e61b3a89387c81d03852b8640c12f30169ca405eadcc1892538b820
Instruction Fuzzy Hash: 29E10376E1022A9FCB05CFA8D9916EDFBF1BF88320F1942A9D815B7340D670AD55CB90

Function 009D036F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 967f25fd6bd37da77e2eeca87d2d22f8495f9455976f7b2c87c3ed7e52a9cec0
Instruction ID: 024cd5d89a326ce6a3ef2fb81bf1973a70e0be4d648d289c4182abccac522ab7
Opcode Fuzzy Hash: 967f25fd6bd37da77e2eeca87d2d22f8495f9455976f7b2c87c3ed7e52a9cec0
Instruction Fuzzy Hash: 5EC1E0709806068FCB24CF69C494B7ABBB9AFC5300F14CA1BE996977A1E330ED45CB51

Function 009E2610 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18ec590b116a6aaa3d64a48e4011fc9a647a32bb34cc32551f30ff109a2b13b3
Instruction ID: e8141cf9fdd98df5e92d1c8dd156d19f2e1248ca3791fe2f4824543a05c2c795
Opcode Fuzzy Hash: 18ec590b116a6aaa3d64a48e4011fc9a647a32bb34cc32551f30ff109a2b13b3
Instruction Fuzzy Hash: E5B128356007819BDB39AB66CC92BB7B3ACEF44308F14482DE947C6681EA75FD81CB10

Function 009DDA86 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a290d9439586d40e8a8db221ffa0b78ba20087ab26a3c0c9e8e80709fb1e07c
Instruction ID: 81152ff40fed3c4f4767009a1798e9be06fe41076a64637ddcc1d24aa448daa0
Opcode Fuzzy Hash: 7a290d9439586d40e8a8db221ffa0b78ba20087ab26a3c0c9e8e80709fb1e07c
Instruction Fuzzy Hash: EBB14B351616089FDB15CF28C486B657BE1FF45364F25C65AE89ACF3A1C339E981CB40

Function 009E8BB0 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2c5077d72c8b53aaaf3308efcc952fefdef86bf8ff7e67709d5e740f17ec07dc
Instruction ID: 502a3be964bb13fb02bc225b9be7b9454d7133a12c0e086f3ae8a418a10cdc92
Opcode Fuzzy Hash: 2c5077d72c8b53aaaf3308efcc952fefdef86bf8ff7e67709d5e740f17ec07dc
Instruction Fuzzy Hash: D181E2B1E042859FDB128F99D8917FFBBB9EB1A300F544169D85897382CB349D45C7A0

Function 00A7FC40 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b23ff19fc3ec6e198d05c2047f4e2f74f8bf93716d365229be4352b3610add2
Instruction ID: 67770a6bca0843958a8a5214e23d11dafe05c51f25d81c1619eea5603f43565d
Opcode Fuzzy Hash: 4b23ff19fc3ec6e198d05c2047f4e2f74f8bf93716d365229be4352b3610add2
Instruction Fuzzy Hash: 916156716245644FEB18CFDEECC047A3B52E38A381385866AEA81C7395C535FA27D7E0

Function 009CA928 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction ID: d6c43c826ec8cd2765fec8d89e4ac48a19be7386c8522986bcf0ad6375337a92
Opcode Fuzzy Hash: 46680d0314554fd398ed7fd020ff60bee8df1d437ae882661bd78aeb1168d151
Instruction Fuzzy Hash: 32515B72D00219AFDF04CF99C941BEEBBB6EF88304F19845DE955AB201D735AE40CB92

Function 009C71A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 7176cf93b29c198157ec306e6410edfd320f1ff870e00af4bfc5f1213233e130
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 8A112E77A0D08243D61486BDC8B4FB7E79DEBD933072D437ED0914BB58D122A5459F12

Function 009DBB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 009DBBEC

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: 018194a72749c1de3395512de3dde15099a36030f9c9b8774c8894a1b98a5152
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: C2B15672A40255DFDB128F68CC81BEE7BA9EF95310F168157E944AB382D774DD01CBA0

Function 009C72D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009C7307
___except_validate_context_record.LIBVCRUNTIME ref: 009C730F
_ValidateLocalCookies.LIBCMT ref: 009C7398
__IsNonwritableInCurrentImage.LIBCMT ref: 009C73C3
_ValidateLocalCookies.LIBCMT ref: 009C7418

Strings

csm, xrefs: 009C73AD

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 8cc3409fd66394164e067eb12b743db99c7827951ed08e3a9f2537c82580e500
Instruction ID: 4e901060d5bd71cc2d0319f2750712063c623c2a3bd90c6d8e7535200ba8f50a
Opcode Fuzzy Hash: 8cc3409fd66394164e067eb12b743db99c7827951ed08e3a9f2537c82580e500
Instruction Fuzzy Hash: 7A418334E04249ABCF14DFA8D885F9EBBA9AF44314F148159EC149B351DB35DA01DF92

Function 009AA060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009AA09D
std::_Lockit::_Lockit.LIBCPMT ref: 009AA0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 009AA0E7
__Getctype.LIBCPMT ref: 009AA1C5
std::_Facet_Register.LIBCPMT ref: 009AA1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 009AA223

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: e0919415812dc852378fa85ddaf053081d572da1b98e4130b8d70e4e4f031ab0
Instruction ID: 62d995e8a4b2b3993100ac9cab98b56a900a41077bc46e0c957b1ddac8b52656
Opcode Fuzzy Hash: e0919415812dc852378fa85ddaf053081d572da1b98e4130b8d70e4e4f031ab0
Instruction Fuzzy Hash: 7251C8B0D00249DFCB11CF98C941BAEBBB4BB12714F24815CE854AB391DB75AE04CBD2

Function 009AC430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009AC45A
std::_Lockit::_Lockit.LIBCPMT ref: 009AC47C
std::_Lockit::~_Lockit.LIBCPMT ref: 009AC4A4
std::_Facet_Register.LIBCPMT ref: 009AC59A
std::_Lockit::~_Lockit.LIBCPMT ref: 009AC5C4

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 5730d2ce8094d0c1c9aa73b98653d768c6a52b02bc140c7728339a3a26c18e55
Instruction ID: fbfd08e5754741123077a47f40e8b567721028c7298fb05d6bea10eb1cdf0cb1
Opcode Fuzzy Hash: 5730d2ce8094d0c1c9aa73b98653d768c6a52b02bc140c7728339a3a26c18e55
Instruction Fuzzy Hash: 1B51B9B0900288DBDB11CF98C854BAEBBF4FB02754F24815DE846AF391DB75AA01CBD1

Function 00994900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0099499F

Strings

ios_base::eofbit set, xrefs: 00994946
ios_base::badbit set, xrefs: 00994937, 00994962
ios_base::failbit set, xrefs: 00994828, 00994941

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 4b0794e233199d952d597b5778c20effe731443cbf7c65062d625b48dfd100d9
Instruction ID: 3e8b7a56e719fbcf7ebe661e59a0b1c743465df9e17652975e4a24d1663dc2b4
Opcode Fuzzy Hash: 4b0794e233199d952d597b5778c20effe731443cbf7c65062d625b48dfd100d9
Instruction Fuzzy Hash: 0D112C72D04A48ABCB15DF6C8C47F6673DCD745B10F04466DFA54872C1EB75A901C792

Function 009C2729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 009C2730
std::_Lockit::_Lockit.LIBCPMT ref: 009C273B
std::_Lockit::~_Lockit.LIBCPMT ref: 009C27A9

Part of subcall function 009C288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 009C28A4

std::locale::_Setgloballocale.LIBCPMT ref: 009C2756

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 7719195eedc4118ebd124755c6eb94ad32166ad730c1b05b2ce8bcb132dfdaa0
Instruction ID: 934da4bfde5eb9a03e1007908a67223be1cf9d623394050566d21e95d3195078
Opcode Fuzzy Hash: 7719195eedc4118ebd124755c6eb94ad32166ad730c1b05b2ce8bcb132dfdaa0
Instruction Fuzzy Hash: DC01BC75E002119BC70AEB60D891B7D7BB1BFC4750B18800DE8111B391CF34AE02CBC6

Function 00997350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0099750C
___std_exception_destroy.LIBVCRUNTIME ref: 00997522

Strings

[json.exception., xrefs: 009973A1

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 08dab8892d963d36d99beac1a307d9b20161fd4da1af500000fe968c2914c6ad
Instruction ID: afbd20281fbc39a6848ee62c7c2acfdbc3616296656dfdf8c6b67d70b02c09b6
Opcode Fuzzy Hash: 08dab8892d963d36d99beac1a307d9b20161fd4da1af500000fe968c2914c6ad
Instruction Fuzzy Hash: FE51D1B0D04648AFDB00DFA8C905BAEFBB4EF55314F148269E850A7392E7B45A44C7E2

Function 009947F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0099499F

Strings

ios_base::badbit set, xrefs: 00994937, 00994962
ios_base::failbit set, xrefs: 00994828

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: ef465c964d6bce59b1b4dbc1014ab1162f395c708527762505d69ca99530462a
Instruction ID: ccfe706f8798d29b961b408adacf1361fcf41662a0a930d342e3ebd09681b1d1
Opcode Fuzzy Hash: ef465c964d6bce59b1b4dbc1014ab1162f395c708527762505d69ca99530462a
Instruction Fuzzy Hash: F841F4B1D04248ABCB05DF5CCC46FAEBBB8EB49720F14825DF554AB381D775AA01CBA1

Function 00994040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00994061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009940C4

Strings

bad locale name, xrefs: 009940E6

Memory Dump Source

Source File: 00000000.00000002.3353671863.0000000000991000.00000040.00000001.01000000.00000003.sdmp, Offset: 00990000, based on PE: true

Associated: 00000000.00000002.3353383320.0000000000990000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3353671863.0000000000B15000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3355103090.0000000000B1A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000B1D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000C9F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000D7C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DC2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3357876371.0000000000DD1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3364298408.0000000000DD2000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365076516.0000000000F6B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3365925569.0000000000F6D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_990000_installer.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 8996a589f30cd3f8593063f6a58847a45fc7ddf0cfab2e3007fddcffee4fbac9
Instruction ID: 0deee7feb27f25386d80656e12230f982fa087268eaab6f969de176eb3af1d0f
Opcode Fuzzy Hash: 8996a589f30cd3f8593063f6a58847a45fc7ddf0cfab2e3007fddcffee4fbac9
Instruction Fuzzy Hash: 6C11D370805B84EED721CFA8C504B4BBFF4AF15714F148A9DE09597782D3B55604C7A2

Analysis Process: MPGPH131.exePID: 3896, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	1.3%
Signature Coverage:	0%
Total number of Nodes:	1843
Total number of Limit Nodes:	26

Executed Functions

Function 00207B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000338,0000FFFF,00001006,?,00000008), ref: 00207BA7
recv.WS2_32(?,00000004,00000002), ref: 00207BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00207C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00207C64

Part of subcall function 00208590: WSAStartup.WS2_32 ref: 002085BB
Part of subcall function 00208590: socket.WS2_32(?,?,?,?,?,?,002C9328,?,?), ref: 0020865E
Part of subcall function 00208590: connect.WS2_32(00000000,00299BFC,?,?,?,?,002C9328,?,?), ref: 00208672
Part of subcall function 00208590: closesocket.WS2_32(00000000), ref: 0020867D

recv.WS2_32(00000000,?,00000008), ref: 00207D1B
recv.WS2_32(?,00000004,00000008), ref: 00207E23
__Xtime_get_ticks.LIBCPMT ref: 00207E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00207E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00207EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00207EB9

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: 759dcae5a4d2076922d07ca199f8105081644d64df61292e608efcf314d5e253
Instruction ID: 292cab343ffb5cd66b6ef10ff6928837bc6a42c85d52263d5fbf5d81698e2e7c
Opcode Fuzzy Hash: 759dcae5a4d2076922d07ca199f8105081644d64df61292e608efcf314d5e253
Instruction Fuzzy Hash: 54B1ABB0D14348DBEB10DFA8DC89BADBBB1BF44304F204259E454AB2E2D7B06D94CB91

Function 00208590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002085BB
socket.WS2_32(?,?,?,?,?,?,002C9328,?,?), ref: 0020865E
connect.WS2_32(00000000,00299BFC,?,?,?,?,002C9328,?,?), ref: 00208672
closesocket.WS2_32(00000000), ref: 0020867D

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: be8b15bfb22c6d0f9d0b6d2535469edd3fe2db6a5cf10008bd9f4572d8e9e728
Instruction ID: cfa8d782611f4cc4ae631df03062e45310ac79173d778f68d1cc4bd29bbaf59c
Opcode Fuzzy Hash: be8b15bfb22c6d0f9d0b6d2535469edd3fe2db6a5cf10008bd9f4572d8e9e728
Instruction Fuzzy Hash: 793104725107016BC7209F248C49A2BB7E8FFC9334F025F19FAE8922D1EB719C548B96

Function 00149280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0028D15C,00000000,761B23A0,-002C9880), ref: 001496C9

Strings

Ws2_32.dll, xrefs: 0014969A

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: edff7f6ce6f2e22a4a0baf01060cfd03c64880b1dae595c9f0b88ff3ed392cd8
Instruction ID: ba1ebaf09396a1451581948f42f75e42670bfc440dc455e77178653d8d1faa15
Opcode Fuzzy Hash: edff7f6ce6f2e22a4a0baf01060cfd03c64880b1dae595c9f0b88ff3ed392cd8
Instruction Fuzzy Hash: DF02DEB0D14298DFDF25CFA4C8907ADBBB0FF55314F244289E4896B686D7B01986CF92

Function 00189789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018990E

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 48b19d62dacf7455705ff915f5c891e6999cdb04cd0a54aeb85161c8d073c13e
Instruction ID: 8ef41b7bf968209073ce5ad0684c65d3ecbb6df1f165b7c93cdf7d229e14df37
Opcode Fuzzy Hash: 48b19d62dacf7455705ff915f5c891e6999cdb04cd0a54aeb85161c8d073c13e
Instruction Fuzzy Hash: C5619371D0411AAFDF15AFA8CC44AFE7BB9AF5A308F180149E904A7256D731DB11CFA0

Function 054D09D6 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7811f990a74fb20f4dc4571e728c4f41bbcb4889ee88ea2769ed78ab1de4878a
Instruction ID: a0a906bb2e6d78e0627eef8b1e27655479858ce388cab5f4a75d40c11003c177
Opcode Fuzzy Hash: 7811f990a74fb20f4dc4571e728c4f41bbcb4889ee88ea2769ed78ab1de4878a
Instruction Fuzzy Hash: 172160E720E1256DB712C5812778AF66B1EE5E3730B348467F44EC7602F2884D474131

Function 054D099F Relevance: 1.6, APIs: 1, Instructions: 105
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d6da41a25f03db339105d052fcfba8604bb7c9838c903959b726af420e75ea0f
Instruction ID: cab73b1e4de24711a6e8dc98dc9821c7cee75dc9eacc7345ccb1cd90984427fe
Opcode Fuzzy Hash: d6da41a25f03db339105d052fcfba8604bb7c9838c903959b726af420e75ea0f
Instruction Fuzzy Hash: AE11DDEB20E1257DB611D5C56B68AF6675ED5D6730B348067F40AD7602F2884D874131

Function 054D09C1 Relevance: 1.6, APIs: 1, Instructions: 92
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 27d3eb9b5e0a44fc273589e3c09d35097504a341c93dd9eae485fd5e5719b822
Instruction ID: 32c253d7db2f87fc32c9fb1c724b8655bc3a9985ee0ca718bc5ffa4184f32ff4
Opcode Fuzzy Hash: 27d3eb9b5e0a44fc273589e3c09d35097504a341c93dd9eae485fd5e5719b822
Instruction Fuzzy Hash: 71113DEB20E0256DB611D5812AB8AF6A75EE5E6730B348467F40ECB602F28C498B4130

Function 054D0A27 Relevance: 1.6, APIs: 1, Instructions: 74
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1b008a31367f87e2fb7128c330f18a378189ffe9ee58baec381501a8fb8f41aa
Instruction ID: a4609230596f8aaf89ef979523667f21c08571b2014b5b2ebb14851d460e8b0e
Opcode Fuzzy Hash: 1b008a31367f87e2fb7128c330f18a378189ffe9ee58baec381501a8fb8f41aa
Instruction Fuzzy Hash: 6801D8DB21E0316CA211D08516BC5FA975EE5F6730B348467F40EC7702F18C4E870171

Function 054D0A11 Relevance: 1.6, APIs: 1, Instructions: 70
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0936c147260bf0f52a45a539fca70a776835e496a81847e1300a555b95540313
Instruction ID: 9ef074985b02d8137f6249e307ae07cdac2a4bcf3c8e7ef18323e63650ca23af
Opcode Fuzzy Hash: 0936c147260bf0f52a45a539fca70a776835e496a81847e1300a555b95540313
Instruction Fuzzy Hash: 4E01A2EB20E1216D6622C1862AB89FA979ED5E67307308067F80ECB702F18C4E875170

Function 00188DFF Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00188CE6,00000000,?,002BA178,0000000C,00188DA2,?,?,?), ref: 00188E55

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b578bb82ec18bb05f3fdc9f21a2f4d4e5f86dba2f0d451479f785dbf60d1b61e
Instruction ID: 6d884c1ddc45adb95807f5769599ff53ac216ee60f4254267e3324143f8540a7
Opcode Fuzzy Hash: b578bb82ec18bb05f3fdc9f21a2f4d4e5f86dba2f0d451479f785dbf60d1b61e
Instruction Fuzzy Hash: CC114E33A051141AD62532356C89BBE27894B9373CF79065DF9188B1D3DFB18E814B55

Function 054D0AC1 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 89fea3ef330d42a6952b0192a871ab8f839202d16fe04bf6ea0fe2f296b2c163
Instruction ID: 0568f970e2bbf287815a8b9ec6c96369a1e8fcb046c8ea02136fc19a0c7bd8eb
Opcode Fuzzy Hash: 89fea3ef330d42a6952b0192a871ab8f839202d16fe04bf6ea0fe2f296b2c163
Instruction Fuzzy Hash: 2501D69B24F2212DA612D1A6167C5FAAF8ED8D76307244157E88ACB703F14D4D878171

Function 054D0A39 Relevance: 1.6, APIs: 1, Instructions: 61
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 56b4f028b167fcae553d8e1e4fbae969260a12a6a8ce5bdf83581faa07cd5d4b
Instruction ID: 3794eb7a73092c8697532ddd749bd1e2508d8088ea7f16d176a07a0ea724e611
Opcode Fuzzy Hash: 56b4f028b167fcae553d8e1e4fbae969260a12a6a8ce5bdf83581faa07cd5d4b
Instruction Fuzzy Hash: 05F0C2DB20E2257C6212D5851AA89FBA75EE8E7731734801BB84EC7702F28C0E8B0171

Function 054D0A49 Relevance: 1.6, APIs: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 88c8bf7c45c4dc70aeeb20ff0883e43e5730ea65f2449bac66b7078f719b1c73
Instruction ID: e741ebb07519131977c0cd9b987656182c2f2ac9fa8aa2c4d88adb2e57befb40
Opcode Fuzzy Hash: 88c8bf7c45c4dc70aeeb20ff0883e43e5730ea65f2449bac66b7078f719b1c73
Instruction Fuzzy Hash: 78F096DB20E1316C6212D18626A85FA9B5ED4E76307744067B84EDB702F18D4E871171

Function 054D0A4E Relevance: 1.6, APIs: 1, Instructions: 56
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 40d63fda58228c71833b5ee3fbe1a496ff38503b5c6387d7573cc2e7593242be
Instruction ID: 7f76e2df3fabe71c56ac7edfc62d2cb5c05615d3083be6d61d9012f757c4b908
Opcode Fuzzy Hash: 40d63fda58228c71833b5ee3fbe1a496ff38503b5c6387d7573cc2e7593242be
Instruction Fuzzy Hash: EBF02BDB21E1317C6113C68617A85F6A75ED8E37303344417F44EC7A02F18D0E870171

Function 0018251C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00182626,?,?,?,?,?), ref: 00182558

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 260e2505f5d3edb8ed205da105a7e5a4a2ba379b911cf35f6a4d8c33ef584747
Instruction ID: 8854389700a8ba7c6e59884a4ff45f13a79652cc4124c775f9aac05b1a6b5a13
Opcode Fuzzy Hash: 260e2505f5d3edb8ed205da105a7e5a4a2ba379b911cf35f6a4d8c33ef584747
Instruction Fuzzy Hash: 81010032640208AECF0AAF29DC55CDE3B699B85320B340209F8109B2A0EB71EE418F90

Function 054D0A66 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 96cb9bfa17beac491dfdb866bafe3ca3be5dcce5b3cbb84ff23fb553e36249ec
Instruction ID: 916c16c6cd5a893015cf35dcb388442becc1da7e58420ab2c27e7d09513503aa
Opcode Fuzzy Hash: 96cb9bfa17beac491dfdb866bafe3ca3be5dcce5b3cbb84ff23fb553e36249ec
Instruction Fuzzy Hash: 1DF0E9EB30E1217C6112C58627E45FAA74EE9967313304457F88EC7A42F5890DC741B1

Function 001432D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0014331F

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: f8015ea12c3cb0a3f2d286390471fe919a22c48b7f799b1e866e3e4ade7aa4ce
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: B4F0B4721001049BDB146F64D8154E9B3F8EF24361750097AF8ADC7222EB26DA80C790

Function 0018A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00189FE0,00000001,00000364,00000001,00000006,000000FF,?,00174B3F,?,?,761B23A0,?), ref: 0018A69C

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a3f4352e6c5e569768b5fe2ce6778baae7fb9f921c4d3596a788a2b883499e6
Instruction ID: 3929b7fb9cac1416fa6e4a298f057975afb4121aa73741cc9b1673a11447878f
Opcode Fuzzy Hash: 6a3f4352e6c5e569768b5fe2ce6778baae7fb9f921c4d3596a788a2b883499e6
Instruction Fuzzy Hash: 7EF0B4325105216BBB217A629815B6A774AAF41370FBD8113F804E6088FB20EA018FE6

Function 054D0A8C Relevance: 1.5, APIs: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0fc6a850d51f7c0a4c45205810caf5ec5d65b13c0967bd15bf1d25cbf4296bae
Instruction ID: 7d96cebe0291dd062ebd3dd6312fd9fb00d1bf9096f395be0909148608dbe9b6
Opcode Fuzzy Hash: 0fc6a850d51f7c0a4c45205810caf5ec5d65b13c0967bd15bf1d25cbf4296bae
Instruction Fuzzy Hash: 0EF05C9374D620AE8613C68990D84F6BF9AAE6B524324008FF44A8B302F29D048282B2

Function 054D0AA7 Relevance: 1.5, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054D0AB1

Memory Dump Source

Source File: 00000006.00000002.3374517989.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54d0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: cd4dd707c2de3d320ee215dc31d16cf190ef8a653234ae2478a56e11e1907b26
Instruction ID: b8077a369a74e50ac172e800e6f68a8a4cd24dd2ddd54342f8c8d4cb59f1b289
Opcode Fuzzy Hash: cd4dd707c2de3d320ee215dc31d16cf190ef8a653234ae2478a56e11e1907b26
Instruction Fuzzy Hash: 41E09BC2709571694253D19505EC5F66B8A9967532314019BE4499B706F58E09834171

Function 0018B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00174B3F,?,?,761B23A0,?,?,00143522,?,?), ref: 0018B0C7

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b588e0939f623fed66c625f80fe0daf99209b514b813dc6dcf5aee0d638cac61
Instruction ID: 029bc0bf1831830b0233f8e36987ac28b790c8248b27694225a9b29780041f02
Opcode Fuzzy Hash: b588e0939f623fed66c625f80fe0daf99209b514b813dc6dcf5aee0d638cac61
Instruction Fuzzy Hash: 42E092322186256AEB313A659C94B5F766ADF423B0F5D0311FC24A61C1DB64DE108FE5

Function 054E01A4 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03d092df6a402eeed6bbe470c0943496633274d23c25c92c90ee9055238a433f
Instruction ID: cf7eaac3230aee8dcf2cfb666938220e964c16bdf16e7f3d26445a58980746e3
Opcode Fuzzy Hash: 03d092df6a402eeed6bbe470c0943496633274d23c25c92c90ee9055238a433f
Instruction Fuzzy Hash: ED0126B2408350EFE206CB5159685F77BFAE9872313308897F05BCB102D6E8AD0B9632

Function 054E0204 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43536aec3816802f11f360334dbf0b2237b6fdbab5a1afb1ac2c6230ed2adb5f
Instruction ID: d7cbd49795e86505a33df9d7d093cdf67722cca01a7a2776e8addc86536f87a7
Opcode Fuzzy Hash: 43536aec3816802f11f360334dbf0b2237b6fdbab5a1afb1ac2c6230ed2adb5f
Instruction Fuzzy Hash: C7017B92D0D1916EC3168670199C5F23FF26D0312372849E7D06ACF692D7D66C079273

Function 054E01B6 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976b17f7e35f3ec0bbcb2992bf475be95a21e78d66552afc7e1ce8abe575097d
Instruction ID: 7e18023a7ce7b1080846e476a6de1b76c7b16bcb67f2095cd3c5928582cac9ee
Opcode Fuzzy Hash: 976b17f7e35f3ec0bbcb2992bf475be95a21e78d66552afc7e1ce8abe575097d
Instruction Fuzzy Hash: 5BF0C2E6548121BEA049C5516A5C6FB6BFFE5C62327308867F42BCA541D2E8AE0B6132

Function 054E01D8 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0318ea30cbf29eb4733e8c223d02dcfed7e150586d39e054a164912b43c74c90
Instruction ID: 7f60657e0c21e5e5a33fbe2cf3f61a17fc0cdde27757c6e5947a9c42d0c48d2d
Opcode Fuzzy Hash: 0318ea30cbf29eb4733e8c223d02dcfed7e150586d39e054a164912b43c74c90
Instruction Fuzzy Hash: 44F0E1B3948214BF4009D295226C2F67BF76A4B1337308C67F41BDF501E2D89D035172

Function 054E025F Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35fdf44f8b9cbc77090b88557c03491b2c48364a36cf8d6cdba426d5971ee2ea
Instruction ID: 2f83ffbe7e6285996321204e1b723620bb674f77de05439705b4ddd885d8842e
Opcode Fuzzy Hash: 35fdf44f8b9cbc77090b88557c03491b2c48364a36cf8d6cdba426d5971ee2ea
Instruction Fuzzy Hash: DBE06882088035AEC40CA8A2699C2F33FF7968B2777719947E09FC651AD9D6EC479072

Function 054E022E Relevance: .0, Instructions: 31COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6370bad9da52328fc38c8dba2b7934a77d2803abe886f2892d98e72784581aa
Instruction ID: b53b84de6ea320a03ec32f84646c8a9fe825f2b9e74c48ab6ed1606e032ccf7d
Opcode Fuzzy Hash: c6370bad9da52328fc38c8dba2b7934a77d2803abe886f2892d98e72784581aa
Instruction Fuzzy Hash: 29E02655844061AE90099462299C2F73EEA95C7073B708857A05BC6005D9C5DC47A072

Function 054E024D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f91267c55423c1e87e8603028fb366e628f807fd56ae65c6ff07810fe5bdd82c
Instruction ID: 8ab2c27fab4e184fd68caee5cc3134eb35be1c4728d1c498a4b0f1f53175ed29
Opcode Fuzzy Hash: f91267c55423c1e87e8603028fb366e628f807fd56ae65c6ff07810fe5bdd82c
Instruction Fuzzy Hash: 87E02B57580135AAD0196092395C3F33BF65743173B704C53F057CA581E6D9AD437472

Non-executed Functions

Function 0017C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 6f8c365b0eeb6de038b757ee73403f9b402818835f6c6d0b4b601da5a4c4b3a2
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: F9021B71E012199BDF24CFA9D9806AEBBF1FF48314F25826DE919E7340D731AA41CB90

Function 054E010D Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3374575484.00000000054E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_54e0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2619d2e0c68dc845c10a529eee03d42ba9b41fe2da5351b6e17b46cf1991970
Instruction ID: 9b91ef89ce300771fdb3afa8766167c0ce7da7ba38ccf1875a3fd286660c4838
Opcode Fuzzy Hash: f2619d2e0c68dc845c10a529eee03d42ba9b41fe2da5351b6e17b46cf1991970
Instruction Fuzzy Hash: B921006714C254AEDB02D5606D1CAF37F6BA6137713214827E4DECF422E296480B84A1

Function 0018BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0018BBEC

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: ed19df2125f878baf23917e156006fff781fe2278b3d181a31af70b5de0cf1b5
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 8FB16932908255AFDB15AF68CCC2BFE7BA5EF66310F144155E904AF282D7749A01CFA0

Function 001772D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00177307
___except_validate_context_record.LIBVCRUNTIME ref: 0017730F
_ValidateLocalCookies.LIBCMT ref: 00177398
__IsNonwritableInCurrentImage.LIBCMT ref: 001773C3
_ValidateLocalCookies.LIBCMT ref: 00177418

Strings

csm, xrefs: 001773AD

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 663b33c57d2fd0e17ae08ef3afd74bb8b7d3939adb2806c101e375e99d1faeaf
Instruction ID: 8271bf3f5e93b0847c899b6cd9caaec96a7c756d859c2ee81ec5c10ec86ba777
Opcode Fuzzy Hash: 663b33c57d2fd0e17ae08ef3afd74bb8b7d3939adb2806c101e375e99d1faeaf
Instruction Fuzzy Hash: 0941AD30A04209ABCF10DF68C889A9EBBB5BF05318F14C155EC19AB392DB71EA51DB91

Function 0015A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0015A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0015A0E7
__Getctype.LIBCPMT ref: 0015A1C5
std::_Facet_Register.LIBCPMT ref: 0015A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0015A223

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 5f31e7674861dcb90efda49e00787d3029dd29237b60a69ba1893fd5cd9edf30
Instruction ID: 37c4d83058ad5ec1f3801663a0a588a355a786ce94e779b274cb0e9a197984f1
Opcode Fuzzy Hash: 5f31e7674861dcb90efda49e00787d3029dd29237b60a69ba1893fd5cd9edf30
Instruction Fuzzy Hash: DE51B8B1D00245CFCB11CF58C945BAEBBF0BF10710F148299E865AB391DB74AA49CBD2

Function 0015C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0015C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0015C4A4
std::_Facet_Register.LIBCPMT ref: 0015C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0015C5C4

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: fb4ce07b8277cd41176dc26b277cf50af6fd2bbe7743e0b03dc771e3ca6bba77
Instruction ID: 742f2e8abb0faf4e6a5c1d03743fe669e370ff2f803653cc6da5b04374590df8
Opcode Fuzzy Hash: fb4ce07b8277cd41176dc26b277cf50af6fd2bbe7743e0b03dc771e3ca6bba77
Instruction Fuzzy Hash: D751CBB0A00244DFDB11CF98D858BAEBBF0FB11314F248198E856AF381D775AA49CBD0

Function 00144900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0014499F

Strings

ios_base::badbit set, xrefs: 00144937, 00144962
ios_base::failbit set, xrefs: 00144828, 00144941
ios_base::eofbit set, xrefs: 00144946

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 2f2c256f0a5cbf90e32aa95de66238ac68fc04a46422953bf4c195ee12b13c74
Instruction ID: 5636d6f09daedf0317b23af3c3caedb7e44ceaebfd94d93915718da8dba8b6f5
Opcode Fuzzy Hash: 2f2c256f0a5cbf90e32aa95de66238ac68fc04a46422953bf4c195ee12b13c74
Instruction Fuzzy Hash: C51140729147446BCB14DF58DC03F977398DB19714F044629FE588B2D2EB75A910C7D2

Function 00172729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00172730
std::_Lockit::_Lockit.LIBCPMT ref: 0017273B
std::_Lockit::~_Lockit.LIBCPMT ref: 001727A9

Part of subcall function 0017288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001728A4

std::locale::_Setgloballocale.LIBCPMT ref: 00172756

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 1f8db720e8ba288dcea0248d34e9598e68bc04c40554bc34e9ad4a83dc9b8969
Instruction ID: ceff2f356d2787f312810369a73d4687fd69214b1816197632031b02c5f77c22
Opcode Fuzzy Hash: 1f8db720e8ba288dcea0248d34e9598e68bc04c40554bc34e9ad4a83dc9b8969
Instruction Fuzzy Hash: 1D01DF75A002219BCB0AEB20E84993D7BB1FFE4790B148049E81A57381CF74AE02DBC6

Function 00147350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0014750C
___std_exception_destroy.LIBVCRUNTIME ref: 00147522

Strings

[json.exception., xrefs: 001473A1

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 9b44dc5286fa25ff49679bf5ac29efc523906518b6f15346309d37e97ad7e0a0
Instruction ID: 86e8beb0c88c1be6293698f3a50db716bfa3951f214d27aedb6efff06fca84cb
Opcode Fuzzy Hash: 9b44dc5286fa25ff49679bf5ac29efc523906518b6f15346309d37e97ad7e0a0
Instruction Fuzzy Hash: B351DFB1C04648DBDB00DFA8C906BAEFBB4EF25314F148259E854AB292E7B45A44C7A1

Function 001447F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0014499F

Strings

ios_base::badbit set, xrefs: 00144937, 00144962
ios_base::failbit set, xrefs: 00144828

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: afc5cb8b31e4e4134f0f62082c03b2b87830af2a56d7332587e102ae1a03876d
Instruction ID: f2564e996e4e7d5f0074ac9c8af82fc0af666627abd5910782926bdd45a7779d
Opcode Fuzzy Hash: afc5cb8b31e4e4134f0f62082c03b2b87830af2a56d7332587e102ae1a03876d
Instruction Fuzzy Hash: 734126B1C00248ABCB04DF58CC45BAEBBB8EF09710F14825DF554AB391D7755A00CBA1

Function 00144040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00144061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001440C4

Strings

bad locale name, xrefs: 001440E6

Memory Dump Source

Source File: 00000006.00000002.3353733620.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000006.00000002.3353387813.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3353733620.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3355120428.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3357879539.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3362966805.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364367854.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.3364488303.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 638d6e1da498ef285348dfaef29783001ebd6f600a3dd8b3791c6830c7372ba7
Instruction ID: 2808c66df419158689960e53a3c700a522ba75cb4b10d83e8af05b32f2e17cc9
Opcode Fuzzy Hash: 638d6e1da498ef285348dfaef29783001ebd6f600a3dd8b3791c6830c7372ba7
Instruction Fuzzy Hash: 6D119370805B84EFD721CFA8C50474BBFF4AF26714F14869DE49997781D3B55A04CBA1

Analysis Process: MPGPH131.exePID: 5040, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	2.5%
Signature Coverage:	0%
Total number of Nodes:	1861
Total number of Limit Nodes:	28

Executed Functions

Function 00207B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003E0,0000FFFF,00001006,?,00000008), ref: 00207BA6
recv.WS2_32(?,00000004,00000002), ref: 00207BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 00207C43
recv.WS2_32(00000000,0000000C,00000008), ref: 00207C64

Part of subcall function 00208590: WSAStartup.WS2_32 ref: 002085BB
Part of subcall function 00208590: socket.WS2_32(?,?,?,?,?,?,002C9328,?,?), ref: 0020865E
Part of subcall function 00208590: connect.WS2_32(00000000,00299BFC,?,?,?,?,002C9328,?,?), ref: 00208672
Part of subcall function 00208590: closesocket.WS2_32(00000000), ref: 0020867D

recv.WS2_32(00000000,?,00000008), ref: 00207D1B
recv.WS2_32(?,00000004,00000008), ref: 00207E23
__Xtime_get_ticks.LIBCPMT ref: 00207E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00207E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 00207EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 00207EB9

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: b0ada02130e3625bd2a139468aa763fcfcda6b9ee5f8ecc4cf4fb84e769f926c
Instruction ID: 74bff91aacfb178d2008532da8348a4ba58d5ec6817cee3ceb805c39dc2c549f
Opcode Fuzzy Hash: b0ada02130e3625bd2a139468aa763fcfcda6b9ee5f8ecc4cf4fb84e769f926c
Instruction Fuzzy Hash: D5B1AAB0D14348DBEB10DFA8DC89BADBBB1BF54304F204259E454AB2E2D7B06D94CB91

Function 00208590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 002085BB
socket.WS2_32(?,?,?,?,?,?,002C9328,?,?), ref: 0020865E
connect.WS2_32(00000000,00299BFC,?,?,?,?,002C9328,?,?), ref: 00208672
closesocket.WS2_32(00000000), ref: 0020867D

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 9b007b9958d8c6abb6efa22e680811fee46dc7306c0b79ee90d1df80c9738508
Instruction ID: b100a413e53ca68233a512a2378b76214116267d48c10f6d67ef39308441749a
Opcode Fuzzy Hash: 9b007b9958d8c6abb6efa22e680811fee46dc7306c0b79ee90d1df80c9738508
Instruction Fuzzy Hash: 0A31F3725107016BC7209F248C49A2BB7E8FFC5334F015F19FAE8922D1EB7198548A96

Function 00149280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0028D15C,00000000,761B23A0,-002C9880), ref: 001496C9

Strings

Ws2_32.dll, xrefs: 0014969A

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: b82bdebb7e46ef1b537885c9b434fdfb033718c3ffdc5aaf066d0a3472038256
Instruction ID: d372a728f8a5de39e9d89a8c9ac16d07e07cdf54ac70e7502c7571c5ef980ca1
Opcode Fuzzy Hash: b82bdebb7e46ef1b537885c9b434fdfb033718c3ffdc5aaf066d0a3472038256
Instruction Fuzzy Hash: 3F02DEB0D14298DFDF25CFA4C8907ADBBB0FF55314F244289E4896B686D7B01986CF92

Function 04CA0855 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6caed366ed0977c8b5a2e83305feeab128c01b2d2edf48a9996d59cf332bf4f7
Instruction ID: bdb8a0e5b352b4faa92571ecc925ea344ddc1f851a45a1f67a5c168191bf74fb
Opcode Fuzzy Hash: 6caed366ed0977c8b5a2e83305feeab128c01b2d2edf48a9996d59cf332bf4f7
Instruction Fuzzy Hash: 2B4148E330C2026EF201D8A71B956FB67AFD6C77B8738853AF403C6102F2815E5A6172

Function 04CA083C Relevance: 1.7, APIs: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617c78ad5871362860ea1b259ed6c9c126acbcda2d6cee0edf8c3267b3f203fa
Instruction ID: fa000ed96c691478b92b194298c7fe8653a7a93cb935c2a74faf2a41c173a49f
Opcode Fuzzy Hash: 617c78ad5871362860ea1b259ed6c9c126acbcda2d6cee0edf8c3267b3f203fa
Instruction Fuzzy Hash: 9F415BE730C2127DB201D8A31B95AFB6BAFD6C37B4738843AF403C6502F2845E5A6172

Function 04CA089F Relevance: 1.7, APIs: 1, Instructions: 200
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f3881b31f053b9f84ed374719c246e5f7576b1f4a5d77c2b4c7eaff5b61f193
Instruction ID: 8608a4bc38dce11624e1ad6876efcaa5d52c0d50750a8f3c3239279c0f02c4f0
Opcode Fuzzy Hash: 4f3881b31f053b9f84ed374719c246e5f7576b1f4a5d77c2b4c7eaff5b61f193
Instruction Fuzzy Hash: FE4138E73082127DB201D8972B94AFB67AFD6C77B4738853AF403C6502F2855E5A6072

Function 00189789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 0018990E

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1c71f9eeba68a584ad56dd86c4b20466a5a26e5cd8d456ef366976f7a5676feb
Instruction ID: 73d77ca2728b4c3457da1ec77d5e02876e4d4e5ed840b23f849a4a1efd8b5bb3
Opcode Fuzzy Hash: 1c71f9eeba68a584ad56dd86c4b20466a5a26e5cd8d456ef366976f7a5676feb
Instruction Fuzzy Hash: 4961A471D0411AAFDF15EFA8CC84ABE7BB9AF5A308F180149E900A7246D731DB11DFA0

Function 04CA08AB Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5f364af4bd5c4804e0563dcf2906590aa490dfbe1a5b9c02d776138ef5f605a
Instruction ID: c3a82d2768e1ba2d0a5b0f33de394253608cdef63b2a1e14e9b705339b4e3a13
Opcode Fuzzy Hash: a5f364af4bd5c4804e0563dcf2906590aa490dfbe1a5b9c02d776138ef5f605a
Instruction Fuzzy Hash: 4E413BE73082127DF202D8971B94AFB679FD6D77B4738853AF403C6502F2855E5A6132

Function 04CA08D8 Relevance: 1.7, APIs: 1, Instructions: 179
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18fdb81544e14937099854d915f8da96d24543cbaf4e66272d40bda55a489f8e
Instruction ID: 8956b81a59d2c56808497e9ea1af23382b068c847413882daf5f84043b21af90
Opcode Fuzzy Hash: 18fdb81544e14937099854d915f8da96d24543cbaf4e66272d40bda55a489f8e
Instruction Fuzzy Hash: 0331C4E73082127DB202D8A72B65AFB6B9FD6D77B4738853AF507C6102F2815E5A6031

Function 04CA08E2 Relevance: 1.7, APIs: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9db037fe0a98192dba76314fcfc3ca37d818bd89a228b071340b1c1ccd1701b0
Instruction ID: 6ad7cd65631af0e4d36de4c2035473ef74cf13e55ac38734f6adb83d79716dd2
Opcode Fuzzy Hash: 9db037fe0a98192dba76314fcfc3ca37d818bd89a228b071340b1c1ccd1701b0
Instruction Fuzzy Hash: 1E3108E73082027EF202C4A71B95AF76B9FD6C7774738453AF407C6506F2815E5A6031

Function 04CA0903 Relevance: 1.7, APIs: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5d9bc4bc5df6adaa611b86988c03d91e727339d4af2c7152209687b6fc369ab8
Instruction ID: 9f1b00348e1d8bd24b7b687cca3be7fb6e7a19393415f5d5e12839d731304269
Opcode Fuzzy Hash: 5d9bc4bc5df6adaa611b86988c03d91e727339d4af2c7152209687b6fc369ab8
Instruction Fuzzy Hash: 7631B2E73082127DB202C8972B64AFB5BAFD6D77B4738853AF907C6106F2C55E5A2031

Function 04CA092D Relevance: 1.6, APIs: 1, Instructions: 149
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce356deca980c99a02e7697dfa2877225afd6a86e73d6bc653f43c648760adc1
Instruction ID: d90da0919168597039f40020386277c10d3cc475b49a6cd6a566fa1ab28ea0af
Opcode Fuzzy Hash: ce356deca980c99a02e7697dfa2877225afd6a86e73d6bc653f43c648760adc1
Instruction Fuzzy Hash: 8331E2E73082027DB211C4A72B54AFB5BAFD2D77B4738853AF803C6506F2C15E5A2031

Function 04CA0923 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0e8f29e37c0fe8e6716593f60e642d3b893b9fc44b898336806d810a49b6cdca
Instruction ID: 38ad73f91ac79a0912f7fdbbbf607fa806adac2c63e26f00ece7c1f0f9be0bb7
Opcode Fuzzy Hash: 0e8f29e37c0fe8e6716593f60e642d3b893b9fc44b898336806d810a49b6cdca
Instruction Fuzzy Hash: 2631C0E73082027DB202C4A72B64BFB5BAFD6D67B4738853AF803C6106F2C15E5A2031

Function 04CA0932 Relevance: 1.6, APIs: 1, Instructions: 147
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 25931b46c08e247de1f0d7a9450b5a143b1c656f3e3411173353aa3593dcae9c
Instruction ID: f750ecc023c7a90dc1f30e2a11f191ab69ef5d065e6c4a5a6c703316f0dd2855
Opcode Fuzzy Hash: 25931b46c08e247de1f0d7a9450b5a143b1c656f3e3411173353aa3593dcae9c
Instruction Fuzzy Hash: 1E31C2E73082127DF202C9A72B64AFB5BAFD6D67B4738853AF403C6506F2C55E5A2131

Function 04CA09A0 Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c1467ade84d67d59383372fbc0b40b75868f3ff1349f9146e12b1ac03241e570
Instruction ID: 552ac7c276e211d7594c117f5556bd0cc1196f2b3e5e9ba66e149e80eb1ee5ef
Opcode Fuzzy Hash: c1467ade84d67d59383372fbc0b40b75868f3ff1349f9146e12b1ac03241e570
Instruction Fuzzy Hash: AC2186A720C2522DF302C8631A546F66BEEE6D73B8738457AF402C6503F2815F2B5272

Function 04CA0967 Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 05dc64984f0f92fc02101b89a31654df2a3b31550608517579ce34b5e1f6f148
Instruction ID: a41f27dd63642174491c09ee89af3c3a6320a2ced0b373dce751154b89aa6056
Opcode Fuzzy Hash: 05dc64984f0f92fc02101b89a31654df2a3b31550608517579ce34b5e1f6f148
Instruction Fuzzy Hash: 8D216DEB20C2127DF211C8972B54AFB57AEE2D67B4739853AF407C6146F3C45E5A2132

Function 04CA0993 Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dd3f60f572b31a80168a2ed3ce51b411a0bfefeb47a20d692a58e2b2bb23682b
Instruction ID: 5f6bd6b2ab2f371f278a6b5777d71c48bf81ccb7ad50decf9d540439666a7914
Opcode Fuzzy Hash: dd3f60f572b31a80168a2ed3ce51b411a0bfefeb47a20d692a58e2b2bb23682b
Instruction Fuzzy Hash: 9B118EEB3081126DF202C8971B55AF666AFE6D67B4738853AF807C6142F2845E5A2131

Function 04CA09EB Relevance: 1.6, APIs: 1, Instructions: 99COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 46285bb4ea6c17d3f12376f46c3e36c667f03960b868d75e7e99375c62871cf4
Instruction ID: 3bb073540dac77b36a5704e379af1d13455ca4112a4f62d6ab53edffcb5b5b27
Opcode Fuzzy Hash: 46285bb4ea6c17d3f12376f46c3e36c667f03960b868d75e7e99375c62871cf4
Instruction Fuzzy Hash: 4C11BFEB3481126CF202C8972B54AF66BAFE2D77B87398536F407C5502F2816E5A6131

Function 04CA09FE Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dbf6f0d18eea11efd65176be00f6e1f0f10e63314e0feb5fe2ea2813bbe9dc20
Instruction ID: 8d8ea9a1d1defd607df1d44206f66177433443d8f152b2a0ee64cbe2213f0578
Opcode Fuzzy Hash: dbf6f0d18eea11efd65176be00f6e1f0f10e63314e0feb5fe2ea2813bbe9dc20
Instruction Fuzzy Hash: 74118CA630D2432ED302CDA709956E57BDAD9C36B872D0176E446CB103F2415E6753A1

Function 00188DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00188CE6,00000000,?,002BA178,0000000C,00188DA2,?,?,?), ref: 00188E55

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b174f92d5f3ea6184b04097df36d91e8ad55779ba282831c7c6948c906115694
Instruction ID: 402e979a0802c9c1816277fce8c95b92725691a1e8d53ee7a4a9553a3b57bb09
Opcode Fuzzy Hash: b174f92d5f3ea6184b04097df36d91e8ad55779ba282831c7c6948c906115694
Instruction Fuzzy Hash: A9114E33A051241AD62532346CC5B7E27C94B9373CF79069DF9188B1C2DFA19E814B51

Function 0018251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00182626,?,?,?,?,?), ref: 00182558

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e2eb2de86e61a7e94306eaaf19432d7ea6ee7ba541e6d184cf08ed3290a52217
Instruction ID: a2551f3f067590891fbb76474420bd11d80da66aa7ad94c8820e928d359fbfbf
Opcode Fuzzy Hash: e2eb2de86e61a7e94306eaaf19432d7ea6ee7ba541e6d184cf08ed3290a52217
Instruction Fuzzy Hash: F60126326402086FCF0AEF19DC51CDE3B59DB85334B340148F8009B2A0E771EE418F90

Function 04CA0A3F Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c0f323985b2cd2a0670b831a5c92f14b75489abff70ef1f5344f91ec134e0957
Instruction ID: 9c5b925b14b5e8b67479cc1a1e2c82f12effa6fdc323c23e55c35d56a43cd0a3
Opcode Fuzzy Hash: c0f323985b2cd2a0670b831a5c92f14b75489abff70ef1f5344f91ec134e0957
Instruction Fuzzy Hash: D8F0F6A23182036EE360DCAB46546B637DFE6D73B8B294535E442CB142F681AE521250

Function 001432D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0014331F

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: f8015ea12c3cb0a3f2d286390471fe919a22c48b7f799b1e866e3e4ade7aa4ce
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: B4F0B4721001049BDB146F64D8154E9B3F8EF24361750097AF8ADC7222EB26DA80C790

Function 04CA0A5A Relevance: 1.5, APIs: 1, Instructions: 42COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04CA0A6D

Memory Dump Source

Source File: 00000007.00000002.3374244425.0000000004CA0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4ca0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3d86c50182b0bb433d015bbda97bb5c5752945abce9a779438224efe10232da5
Instruction ID: 0c1d09d029fa8d478422c40172b2a42f4984dcebdbceac6792f5094d114b5b3a
Opcode Fuzzy Hash: 3d86c50182b0bb433d015bbda97bb5c5752945abce9a779438224efe10232da5
Instruction Fuzzy Hash: 11F05C923181032DE310D8EB06547B617CFD6D73F8B394536A453CB242F740DD535145

Function 0018A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00189FE0,00000001,00000364,00000001,00000006,000000FF,?,00174B3F,?,?,761B23A0,?), ref: 0018A69C

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6a3f4352e6c5e569768b5fe2ce6778baae7fb9f921c4d3596a788a2b883499e6
Instruction ID: 3929b7fb9cac1416fa6e4a298f057975afb4121aa73741cc9b1673a11447878f
Opcode Fuzzy Hash: 6a3f4352e6c5e569768b5fe2ce6778baae7fb9f921c4d3596a788a2b883499e6
Instruction Fuzzy Hash: 7EF0B4325105216BBB217A629815B6A774AAF41370FBD8113F804E6088FB20EA018FE6

Function 0018B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00174B3F,?,?,761B23A0,?,?,00143522,?,?), ref: 0018B0C7

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b588e0939f623fed66c625f80fe0daf99209b514b813dc6dcf5aee0d638cac61
Instruction ID: 029bc0bf1831830b0233f8e36987ac28b790c8248b27694225a9b29780041f02
Opcode Fuzzy Hash: b588e0939f623fed66c625f80fe0daf99209b514b813dc6dcf5aee0d638cac61
Instruction Fuzzy Hash: 42E092322186256AEB313A659C94B5F766ADF423B0F5D0311FC24A61C1DB64DE108FE5

Function 04CB01CB Relevance: 1.3, Strings: 1, Instructions: 77COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: ddd6032d4d5edbaf1bf1af17c1095040647ff896e3a09efb5d8e4228a6fb3337
Instruction ID: 8bec395a22fa36f6b9ec7ce80bc758bfc3c45c9899364bf8b6cb4c7bf11680ec
Opcode Fuzzy Hash: ddd6032d4d5edbaf1bf1af17c1095040647ff896e3a09efb5d8e4228a6fb3337
Instruction Fuzzy Hash: 9D0126AB24C212BDA15384432A005F72A1FE5E2230B394567B4C3C6A03F681260E71F7

Function 04CB0150 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: 37ba1c562516a73208d5a361061cb9215d68519c2f95385da89a863833e1a0a4
Instruction ID: 4c36f744cd92c20c0a74754417d9375bee0301c2efa50ea637a9a0577d4911c8
Opcode Fuzzy Hash: 37ba1c562516a73208d5a361061cb9215d68519c2f95385da89a863833e1a0a4
Instruction Fuzzy Hash: 4F018EAF28C210AEAA0F099366112F77E2BB747330F384156F48785B13F290661975E0

Function 04CB0163 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: 657021b94a4b6a8784251faaa547fafb561150fcbb6fb05d542186bc449b56f5
Instruction ID: 2344ab8aba44d48ee7b53234b11fce613dcd2e00bf93cac605a55c170aab3cbb
Opcode Fuzzy Hash: 657021b94a4b6a8784251faaa547fafb561150fcbb6fb05d542186bc449b56f5
Instruction Fuzzy Hash: 0B0145AF248204AED687096352512FB7F22BB43230F3C4089F4C68A603F291270A72B1

Function 04CB0140 Relevance: 1.3, Strings: 1, Instructions: 55COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: eaa204fe822e1cde2a05ca1497cdaa730f0148cdb7c8cf168dcd256b460ca5ee
Instruction ID: c7bddcfe2a63dae8d43726163be1cb1e60611d18f60038f948d8ef092a0ee1de
Opcode Fuzzy Hash: eaa204fe822e1cde2a05ca1497cdaa730f0148cdb7c8cf168dcd256b460ca5ee
Instruction Fuzzy Hash: 29F028AF24C304BEA55B088356111F73A1BB787330F3C4196F48786B52F6A02A1875A1

Function 04CB0182 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: 24f46e0358f7ee04613894cf7b200f607dd9c3512436cae9c45a5740373a1d1d
Instruction ID: 92b5041fcc4b8b55494648d6b04c75c4851c3c6ebb5efbdc883939c5747738ef
Opcode Fuzzy Hash: 24f46e0358f7ee04613894cf7b200f607dd9c3512436cae9c45a5740373a1d1d
Instruction Fuzzy Hash: D8F027AF348304FEE68B0543A5212F73A17B747230F3C0096F4C795B02F6A03A1976A6

Function 04CB01BB Relevance: 1.3, Strings: 1, Instructions: 34COMMON

Download Yara Rule

Strings

op6), xrefs: 04CB022B

Memory Dump Source

Source File: 00000007.00000002.3374301264.0000000004CB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4cb0000_MPGPH131.jbxd

Similarity

API ID:
String ID: op6)
API String ID: 0-3713947904
Opcode ID: 1923aef8eb9ed1ac2ae616eedd2a9d1de69ad976acbaf712738b90d311dcc5cb
Instruction ID: 40244d8fbb50bdf0fff34f12a08f6d81ec01919dce0e845450e48f75fd5291a0
Opcode Fuzzy Hash: 1923aef8eb9ed1ac2ae616eedd2a9d1de69ad976acbaf712738b90d311dcc5cb
Instruction Fuzzy Hash: ECE0687F288304E99587048366112F77A1ABA03230F780097F48796E02B5A0275CBAB6

Non-executed Functions

Function 0017C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: 6f8c365b0eeb6de038b757ee73403f9b402818835f6c6d0b4b601da5a4c4b3a2
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: F9021B71E012199BDF24CFA9D9806AEBBF1FF48314F25826DE919E7340D731AA41CB90

Function 0018BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 0018BBEC

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: ed19df2125f878baf23917e156006fff781fe2278b3d181a31af70b5de0cf1b5
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: 8FB16932908255AFDB15AF68CCC2BFE7BA5EF66310F144155E904AF282D7749A01CFA0

Function 001772D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00177307
___except_validate_context_record.LIBVCRUNTIME ref: 0017730F
_ValidateLocalCookies.LIBCMT ref: 00177398
__IsNonwritableInCurrentImage.LIBCMT ref: 001773C3
_ValidateLocalCookies.LIBCMT ref: 00177418

Strings

csm, xrefs: 001773AD

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 663b33c57d2fd0e17ae08ef3afd74bb8b7d3939adb2806c101e375e99d1faeaf
Instruction ID: 8271bf3f5e93b0847c899b6cd9caaec96a7c756d859c2ee81ec5c10ec86ba777
Opcode Fuzzy Hash: 663b33c57d2fd0e17ae08ef3afd74bb8b7d3939adb2806c101e375e99d1faeaf
Instruction Fuzzy Hash: 0941AD30A04209ABCF10DF68C889A9EBBB5BF05318F14C155EC19AB392DB71EA51DB91

Function 0015A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015A09D
std::_Lockit::_Lockit.LIBCPMT ref: 0015A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 0015A0E7
__Getctype.LIBCPMT ref: 0015A1C5
std::_Facet_Register.LIBCPMT ref: 0015A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 0015A223

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 5f31e7674861dcb90efda49e00787d3029dd29237b60a69ba1893fd5cd9edf30
Instruction ID: 37c4d83058ad5ec1f3801663a0a588a355a786ce94e779b274cb0e9a197984f1
Opcode Fuzzy Hash: 5f31e7674861dcb90efda49e00787d3029dd29237b60a69ba1893fd5cd9edf30
Instruction Fuzzy Hash: DE51B8B1D00245CFCB11CF58C945BAEBBF0BF10710F148299E865AB391DB74AA49CBD2

Function 0015C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0015C45A
std::_Lockit::_Lockit.LIBCPMT ref: 0015C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 0015C4A4
std::_Facet_Register.LIBCPMT ref: 0015C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 0015C5C4

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: fb4ce07b8277cd41176dc26b277cf50af6fd2bbe7743e0b03dc771e3ca6bba77
Instruction ID: 742f2e8abb0faf4e6a5c1d03743fe669e370ff2f803653cc6da5b04374590df8
Opcode Fuzzy Hash: fb4ce07b8277cd41176dc26b277cf50af6fd2bbe7743e0b03dc771e3ca6bba77
Instruction Fuzzy Hash: D751CBB0A00244DFDB11CF98D858BAEBBF0FB11314F248198E856AF381D775AA49CBD0

Function 00144900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0014499F

Strings

ios_base::badbit set, xrefs: 00144937, 00144962
ios_base::failbit set, xrefs: 00144828, 00144941
ios_base::eofbit set, xrefs: 00144946

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: 2f2c256f0a5cbf90e32aa95de66238ac68fc04a46422953bf4c195ee12b13c74
Instruction ID: 5636d6f09daedf0317b23af3c3caedb7e44ceaebfd94d93915718da8dba8b6f5
Opcode Fuzzy Hash: 2f2c256f0a5cbf90e32aa95de66238ac68fc04a46422953bf4c195ee12b13c74
Instruction Fuzzy Hash: C51140729147446BCB14DF58DC03F977398DB19714F044629FE588B2D2EB75A910C7D2

Function 00172729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00172730
std::_Lockit::_Lockit.LIBCPMT ref: 0017273B
std::_Lockit::~_Lockit.LIBCPMT ref: 001727A9

Part of subcall function 0017288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 001728A4

std::locale::_Setgloballocale.LIBCPMT ref: 00172756

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 1f8db720e8ba288dcea0248d34e9598e68bc04c40554bc34e9ad4a83dc9b8969
Instruction ID: ceff2f356d2787f312810369a73d4687fd69214b1816197632031b02c5f77c22
Opcode Fuzzy Hash: 1f8db720e8ba288dcea0248d34e9598e68bc04c40554bc34e9ad4a83dc9b8969
Instruction Fuzzy Hash: 1D01DF75A002219BCB0AEB20E84993D7BB1FFE4790B148049E81A57381CF74AE02DBC6

Function 00147350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0014750C
___std_exception_destroy.LIBVCRUNTIME ref: 00147522

Strings

[json.exception., xrefs: 001473A1

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 9b44dc5286fa25ff49679bf5ac29efc523906518b6f15346309d37e97ad7e0a0
Instruction ID: 86e8beb0c88c1be6293698f3a50db716bfa3951f214d27aedb6efff06fca84cb
Opcode Fuzzy Hash: 9b44dc5286fa25ff49679bf5ac29efc523906518b6f15346309d37e97ad7e0a0
Instruction Fuzzy Hash: B351DFB1C04648DBDB00DFA8C906BAEFBB4EF25314F148259E854AB292E7B45A44C7A1

Function 001447F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 0014499F

Strings

ios_base::badbit set, xrefs: 00144937, 00144962
ios_base::failbit set, xrefs: 00144828

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: afc5cb8b31e4e4134f0f62082c03b2b87830af2a56d7332587e102ae1a03876d
Instruction ID: f2564e996e4e7d5f0074ac9c8af82fc0af666627abd5910782926bdd45a7779d
Opcode Fuzzy Hash: afc5cb8b31e4e4134f0f62082c03b2b87830af2a56d7332587e102ae1a03876d
Instruction Fuzzy Hash: 734126B1C00248ABCB04DF58CC45BAEBBB8EF09710F14825DF554AB391D7755A00CBA1

Function 00144040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00144061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001440C4

Strings

bad locale name, xrefs: 001440E6

Memory Dump Source

Source File: 00000007.00000002.3353611302.0000000000141000.00000040.00000001.01000000.00000005.sdmp, Offset: 00140000, based on PE: true

Associated: 00000007.00000002.3353380213.0000000000140000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3353611302.00000000002C5000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3355825099.00000000002CA000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.00000000002CD000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000044F000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000052C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.000000000056B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000572000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3357930710.0000000000581000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3364371124.0000000000582000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3365897546.000000000071B000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.3366003571.000000000071D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_140000_MPGPH131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 638d6e1da498ef285348dfaef29783001ebd6f600a3dd8b3791c6830c7372ba7
Instruction ID: 2808c66df419158689960e53a3c700a522ba75cb4b10d83e8af05b32f2e17cc9
Opcode Fuzzy Hash: 638d6e1da498ef285348dfaef29783001ebd6f600a3dd8b3791c6830c7372ba7
Instruction Fuzzy Hash: 6D119370805B84EFD721CFA8C50474BBFF4AF26714F14869DE49997781D3B55A04CBA1

Analysis Process: RageMP131.exePID: 4828, Parent PID: 4004COMMON

Executed Functions

Function 01017B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000404,0000FFFF,00001006,?,00000008), ref: 01017BA7
recv.WS2_32(?,00000004,00000002), ref: 01017BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 01017C43
recv.WS2_32(00000000,0000000C,00000008), ref: 01017C64

Part of subcall function 01018590: WSAStartup.WS2_32 ref: 010185BA
Part of subcall function 01018590: socket.WS2_32(?,?,?,?,?,?,010D9328,?,?), ref: 0101865E
Part of subcall function 01018590: connect.WS2_32(00000000,010A9BFC,?,?,?,?,010D9328,?,?), ref: 01018672
Part of subcall function 01018590: closesocket.WS2_32(00000000), ref: 0101867D

recv.WS2_32(00000000,?,00000008), ref: 01017D1B
recv.WS2_32(?,00000004,00000008), ref: 01017E23
__Xtime_get_ticks.LIBCPMT ref: 01017E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01017E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 01017EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 01017EB9

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: cd809cb36100311be51a18912b3d021abf1398d3b2adaaa6f50964f9cd0feda7
Instruction ID: 748d60e0b35b49dffd5ef21974d154f7e42d000f832f4aa50bcf6116987e7fcc
Opcode Fuzzy Hash: cd809cb36100311be51a18912b3d021abf1398d3b2adaaa6f50964f9cd0feda7
Instruction Fuzzy Hash: 69B1D071D00308DFEB20EBA8CC49BADBBF1FB49314F104259E984AB2D6D7795944CB91

Function 01018590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 010185BA
socket.WS2_32(?,?,?,?,?,?,010D9328,?,?), ref: 0101865E
connect.WS2_32(00000000,010A9BFC,?,?,?,?,010D9328,?,?), ref: 01018672
closesocket.WS2_32(00000000), ref: 0101867D

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 723d35d60bf27976fa9a030c2dd80abc297f500d1c08082e60406882eca698b1
Instruction ID: f8e6c5dca087ce4b7fc70da2f0852a2165eafae796e3046b31a6cbe8b31eb683
Opcode Fuzzy Hash: 723d35d60bf27976fa9a030c2dd80abc297f500d1c08082e60406882eca698b1
Instruction Fuzzy Hash: 4231F5729003015FD7608E288C4866BB7E4FFC9738F019F5AFAE8932D0D77499048792

Function 00F59280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0109D15C,00000000,761B23A0,-010D9880), ref: 00F596C9

Strings

Ws2_32.dll, xrefs: 00F5969A

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 22d969c05f2aa974c0975e92b829f278fd2cdd95051a7deafacba48a0a27bdce
Instruction ID: 37ce38a5d3388f0a0f4bd904c21e5167f636941f88499e2a0cbf8d1169377ea1
Opcode Fuzzy Hash: 22d969c05f2aa974c0975e92b829f278fd2cdd95051a7deafacba48a0a27bdce
Instruction Fuzzy Hash: 7A02E270D08298DFDF25CFA4C8907EDBBB0EF55314F24428DE8856B286D7B41986DB92

Function 04DE0000 Relevance: 1.8, APIs: 1, Instructions: 343
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1ed0075d7ebcfed7d06e566ccb1bd55c245c43449d9b46282d7e1c4e8751b2c8
Instruction ID: 68979e294259ae42ea26329aeefaf688f673f12cc33a172bc8e855e0d7f802e4
Opcode Fuzzy Hash: 1ed0075d7ebcfed7d06e566ccb1bd55c245c43449d9b46282d7e1c4e8751b2c8
Instruction Fuzzy Hash: 3661C5EB34C131BDB603A5936B54AFB676EE6D27307308426F487D6502F2D89A4DB031

Function 04DE001E Relevance: 1.8, APIs: 1, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 927c725078d7650ed077a821e5d01171a56185c6b5d713a2c880d7042a5b0497
Instruction ID: f332132af397f9e993fb7f767d457261142c314ce5a1e15474d584a18286ef3f
Opcode Fuzzy Hash: 927c725078d7650ed077a821e5d01171a56185c6b5d713a2c880d7042a5b0497
Instruction Fuzzy Hash: 8151E6EB34C131BDB503A5936B54AFB676EE6C27307308426F487D6502F3D4AA4EA031

Function 04DE0063 Relevance: 1.8, APIs: 1, Instructions: 301
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d91fb5ee3c06192c2f9e67902e6d43ada16576a5827c36e5afdef3cb99362b97
Instruction ID: b11270bdab47660ffb64688c02a6cf570b7dd9b2545f3e20d29515543d4a8f05
Opcode Fuzzy Hash: d91fb5ee3c06192c2f9e67902e6d43ada16576a5827c36e5afdef3cb99362b97
Instruction Fuzzy Hash: 7851F5EB30C131BDB603A5936B54AFB676EE6D67307308426F487D6502F3D4AA89B031

Function 04DE007A Relevance: 1.8, APIs: 1, Instructions: 294
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 19d4291fe299975fca75df03f0f167aff1cfd274d89d342b6fcafb69823273f8
Instruction ID: 69fe9a9ddf45af2b89e5bb5b13a298575cdfcd26824b2102e7eef9eb5238b5e3
Opcode Fuzzy Hash: 19d4291fe299975fca75df03f0f167aff1cfd274d89d342b6fcafb69823273f8
Instruction Fuzzy Hash: 6851F6EB30C131BDB603A5936B54AFB676EE6D27307308426F487D6502F3D4AA49B031

Function 04DE0090 Relevance: 1.8, APIs: 1, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3900711adde8904c55b6ccdf442f6c2c01fbc63b2c0c6bca43980402f0ceede2
Instruction ID: 999995bc1ca936213f4ba4199398b980d2785331f18b67008b431588ceb61855
Opcode Fuzzy Hash: 3900711adde8904c55b6ccdf442f6c2c01fbc63b2c0c6bca43980402f0ceede2
Instruction Fuzzy Hash: 1251F7EB30C230BDB603A5936B54AFB676EE6D67307308427F447DA502F2D4AA49B031

Function 04DE00D5 Relevance: 1.8, APIs: 1, Instructions: 288
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de7dc37eb57e126b3dc346aee157cf063dcb87c5d355afe5cc747a95aade6530
Instruction ID: 670d9931ffd7009a87ea160c299d15a469ca29422138b4ea8742df546517528c
Opcode Fuzzy Hash: de7dc37eb57e126b3dc346aee157cf063dcb87c5d355afe5cc747a95aade6530
Instruction Fuzzy Hash: 4E51E4EB34C130BDB603A4936B54AFB27AEE6C67307308426F487D6506F2D4AA49B031

Function 04DE00B2 Relevance: 1.8, APIs: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6315df998900d4ca0cf47acedef32b1d087be40107322d27084e29213cabc620
Instruction ID: 637113b8b50fbc8c712b868e2c525fb6f2d13f892478a4745aa38bdd2717ec53
Opcode Fuzzy Hash: 6315df998900d4ca0cf47acedef32b1d087be40107322d27084e29213cabc620
Instruction Fuzzy Hash: 3851D5EB34C130BDB643A5936B54AFB676EE6D27307308426F447D6502F3D4AA49B031

Function 04DE00EC Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9f63044f0eb86decb47c74d6b67733deba779d8565da81c15e6180b202676f6a
Instruction ID: 5439a457551b47dc17d22674405384e7be36253aa4f73ec8f19c51bcfd55b04f
Opcode Fuzzy Hash: 9f63044f0eb86decb47c74d6b67733deba779d8565da81c15e6180b202676f6a
Instruction Fuzzy Hash: CB51E6EB34C131BDB253A4932B546FB67AEE6D27307308426F447DA506F2D49B4AB031

Function 04DE010A Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c1f4163ee2cf6ef34d0fad66d00fecd4b5b48a4dac3145d07b6c071288935646
Instruction ID: 38437239957e0a4c64436b10c9137478faa1c90d71db9716a2d37d9e646fe77c
Opcode Fuzzy Hash: c1f4163ee2cf6ef34d0fad66d00fecd4b5b48a4dac3145d07b6c071288935646
Instruction Fuzzy Hash: 3941A4EB34C131BDB643A5832B54AFB666EE6D27307308426F447D6502F3D4AE49B031

Function 04DE0120 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 95c405dc195e206e1d4d5fb18bb5f3e85f44d9926d877b4ae0891026ea9fa487
Instruction ID: 4a976be6153779cfdce9de47b76ce1bfd6919aa07ad2770af2ec97cd8f9df4e6
Opcode Fuzzy Hash: 95c405dc195e206e1d4d5fb18bb5f3e85f44d9926d877b4ae0891026ea9fa487
Instruction Fuzzy Hash: B641B3EB24C231BDB653A5832B54AFB67BEE6D27307308426F447D6506F3D4AB49A031

Function 04DE015D Relevance: 1.8, APIs: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a83007c6c28783c444b8fa322124fc2e3cb56b423b5c7875e47e2138e76fa50d
Instruction ID: 9552b3103667490a1b941b3a12c2e3dab7a5c41993d42f801bf23b2d2fbcf79b
Opcode Fuzzy Hash: a83007c6c28783c444b8fa322124fc2e3cb56b423b5c7875e47e2138e76fa50d
Instruction Fuzzy Hash: DC41A4EB24C231BDB653A5832B54AFB676EE5D27303308426F487D6507F2D89E4AA031

Function 04DE013C Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f720fb06254fefaf26a465a99bc6f28414b57a701183a2f0f0ef6e85bb9a6726
Instruction ID: 7256a5fccc10483f5e1f1c7d168383139b02312638cc5693a45d9303035a51b7
Opcode Fuzzy Hash: f720fb06254fefaf26a465a99bc6f28414b57a701183a2f0f0ef6e85bb9a6726
Instruction Fuzzy Hash: 7E41A4EB34C231BDB553A1932B54AFB67AEE5D27307308426F487DA507F2D4AA49B031

Function 04DE01C4 Relevance: 1.7, APIs: 1, Instructions: 241COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ff426e8aba19352bab0103a7ca0f2f74c65206a7d571471c3c7b4104735751b5
Instruction ID: 1be8bf5d0a0236ff96aeac830a807dd056eeced2784f7c3b2841635c9a470a82
Opcode Fuzzy Hash: ff426e8aba19352bab0103a7ca0f2f74c65206a7d571471c3c7b4104735751b5
Instruction Fuzzy Hash: 6541A2EB34C131BDB653A1836B54AFB67AEE6D27307308426F447D6502F2D49A4AA031

Function 04DE0153 Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 550026db4eac3ca71edf523946ac82e901f252b6f5cbae8432cb444c3b75c308
Instruction ID: 98da4c113fa94d576de742e3e100f0e4f99cf60a4cd4ac961e653cf03d01a9bf
Opcode Fuzzy Hash: 550026db4eac3ca71edf523946ac82e901f252b6f5cbae8432cb444c3b75c308
Instruction Fuzzy Hash: A04190EB34C235BDB553A1832B54AFB66AEE5D27307308427F847D6502F2D4AE89B031

Function 04DE020A Relevance: 1.7, APIs: 1, Instructions: 231COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 218fd8a088810f021f3d8588f9d4696196f153a128655a6cd1efc72d07063b8e
Instruction ID: c6e777ecebcaad62433d3f5fdfd41859eeaa75b98e502b8c26a0db0723c76494
Opcode Fuzzy Hash: 218fd8a088810f021f3d8588f9d4696196f153a128655a6cd1efc72d07063b8e
Instruction Fuzzy Hash: EC4160EB24C131BDB553A1936B54AFB67AEE5D2730330C426F847D5507F2D4AE8AA031

Function 04DE01DF Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0665abdd12764dee7f91971d8c201c5da530fe75b11af82c22ba74c5db89288f
Instruction ID: c649dfd1dedc2f38bf32dc37121edb6d0728e95926515c94d81170050b80b6fe
Opcode Fuzzy Hash: 0665abdd12764dee7f91971d8c201c5da530fe75b11af82c22ba74c5db89288f
Instruction Fuzzy Hash: 43417CEB34C131BDB653A1836B54AFB676EE5D2730331C426F847C6506F2D89E8AA031

Function 04DE01F2 Relevance: 1.7, APIs: 1, Instructions: 220COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 08f4f17699bebc565a18d33566bb66d37ee4fe9fe5a7b21ead5d72854db4de0b
Instruction ID: d06e57b436aadc5036fb58f2351b643da3dddcc5a46abf2e75fee6754db94085
Opcode Fuzzy Hash: 08f4f17699bebc565a18d33566bb66d37ee4fe9fe5a7b21ead5d72854db4de0b
Instruction Fuzzy Hash: 5E417EEB34C1317DB613A1832B54AFB67AEE6D27307308426F847D6506F2D49A4AA031

Function 00F99789 Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F9990E

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6d2e73e14f004a1ff9d2e084f12b4405e72a66be7c1ae686b551cb18f73e4600
Instruction ID: 3356028c33c9297b443ac7fdf3778fd0f636e03b8d114ab348b7ad2f9e23eb6b
Opcode Fuzzy Hash: 6d2e73e14f004a1ff9d2e084f12b4405e72a66be7c1ae686b551cb18f73e4600
Instruction Fuzzy Hash: DF61C372D08109BFEF11DFACC884AEE7BB9AF49314F15014DE904A7246D7B6D901EBA1

Function 04DE0243 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ccb7510a5875f6b31adb1ff8fbea7ec626abc2c34e079e939449ad45f48c8249
Instruction ID: 59d4c22f571d1c32bb32a369faae58c6a83d9096c11ade307cc02b4ebfca1bd8
Opcode Fuzzy Hash: ccb7510a5875f6b31adb1ff8fbea7ec626abc2c34e079e939449ad45f48c8249
Instruction Fuzzy Hash: 70318FFB34C231BDB653A1936B50AFB67AEE5D27303308426F447C6506F3D49A8AA031

Function 04DE026B Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7beebef7ed9fec7a52e53339ffc09d0c16aae4f2fb2db35b06eb06705d524954
Instruction ID: 43c8c7844d1e34941b780d1d94642d863f7631eabc17be2fa3818154eb83f3cc
Opcode Fuzzy Hash: 7beebef7ed9fec7a52e53339ffc09d0c16aae4f2fb2db35b06eb06705d524954
Instruction Fuzzy Hash: 423190EB34C2317DB653A1836B50AFB276EE6D2730330C427F847C6502F2D49A8AA031

Function 04DE027D Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0282

Memory Dump Source

Source File: 00000008.00000002.3374856555.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 148e27151fd1181e675492a074a4b80e403e480b45d1d08aa45164d882a37af5
Instruction ID: 1f2b580101abc2f1ee9cf17158b2aed409481574ead5eb4c35b64e98b1a5e2fe
Opcode Fuzzy Hash: 148e27151fd1181e675492a074a4b80e403e480b45d1d08aa45164d882a37af5
Instruction Fuzzy Hash: 5E317EEB34C2317DB653A1936B54AFB676EE6D2730330C427F847C6506F2D49A8AA031

Function 00F98DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F98CE6,00000000,?,010CA178,0000000C,00F98DA2,?,?,?), ref: 00F98E55

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8e5a570c356d4eefdbf80817dc52b0d1e32d8b76718427a6c63aed778438f014
Instruction ID: f1f6d9254857130faaa61870ed2dabbe992133239f63b569153186d0b35e6cef
Opcode Fuzzy Hash: 8e5a570c356d4eefdbf80817dc52b0d1e32d8b76718427a6c63aed778438f014
Instruction Fuzzy Hash: 62116B33E0212456FE3573B4AC55B7E37894BC37B4F290619F9188B1C2EE799C83A255

Function 00F9251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F92626,?,?,?,?,?), ref: 00F92558

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5d8a1f60e07bfe4d1f3b6e7c2f83c2241e4346aa4a852c26efc204e30824426f
Instruction ID: 8798dd719b0217dafb2c302c94b0a09964cd9fff24dcfe68dbaa152d7ba08622
Opcode Fuzzy Hash: 5d8a1f60e07bfe4d1f3b6e7c2f83c2241e4346aa4a852c26efc204e30824426f
Instruction Fuzzy Hash: 32012632A00215BFEF09DF18CC11D9E3B59DB85330B390108FC009B291E671ED419B90

Function 00F532D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00F5331F

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 6d2ae0047a4148310f0b6b12516d032169d98fc93c9a9037459437aec8a28d9a
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 96F0B4725001049BDB147F68D8158E9B3E8DF243A2750097AEE8DC7222EB2ADA59A790

Function 00F9B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00F84B3F,?,?,761B23A0,?,?,00F53522,?,?), ref: 00F9B0C6

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 0661767f5766ea1aa61a108cef838215102bb11753d5ad45d92dcab8c265886e
Instruction ID: fb1ccc187ebc8a706a439ead32b3ab8b0239d21f2169d8f9aff4e18a19dffa5d
Opcode Fuzzy Hash: 0661767f5766ea1aa61a108cef838215102bb11753d5ad45d92dcab8c265886e
Instruction Fuzzy Hash: F6E02B32A013201AFF3126A5BD00B5B76499F813B0F150220FD29A61E0CB24DC00B2A5

Non-executed Functions

Function 00F8C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: c5b41566cfdde02848cd8a4224886613f4c64437f6dabb9503a930f4d4bf03ee
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: C4022A71E012199BDF14DFA9D8806EEBBF1FF48324F258269E919E7380D731A941DB90

Function 00F9BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F9BBEC

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: b3b029c729aaa1684603917594f22f5e12f570c0b9a7d1764eb26c7a59002044
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: A4B18872E002559FFF158F24DD82BEE7BA9EF55360F144166E904AF382D7749801EBA0

Function 00F872D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F87307
___except_validate_context_record.LIBVCRUNTIME ref: 00F8730F
_ValidateLocalCookies.LIBCMT ref: 00F87398
__IsNonwritableInCurrentImage.LIBCMT ref: 00F873C3
_ValidateLocalCookies.LIBCMT ref: 00F87418

Strings

csm, xrefs: 00F873AD

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b916359818be52cadd852ba1a65f1144f7b3636a092d5d2838edfb7818938de8
Instruction ID: 4f7524c69198bb9a055aa5308b8025d66207ebca9d759d6dd1716f5efe99509c
Opcode Fuzzy Hash: b916359818be52cadd852ba1a65f1144f7b3636a092d5d2838edfb7818938de8
Instruction Fuzzy Hash: F141A031E043099BCF10FF68C885BDEBBA5AF05364F648055EC199B352DB35E901EB92

Function 00F6A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F6A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00F6A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A0E7
__Getctype.LIBCPMT ref: 00F6A1C5
std::_Facet_Register.LIBCPMT ref: 00F6A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A223

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 9d740a6ab856070d26d960c9e7bc02329af67587182d4655c3a135580047f548
Instruction ID: 45756babcbb03cf2e39a4ef8299c1b5cb7cbc32f497fbd1e6c5d3d65e9a57f45
Opcode Fuzzy Hash: 9d740a6ab856070d26d960c9e7bc02329af67587182d4655c3a135580047f548
Instruction Fuzzy Hash: A0519BB0D01245DFCB21DF98C9417AEBBF0BB11324F148159D895AB391E739AE44DF92

Function 00F6C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F6C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00F6C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6C4A4
std::_Facet_Register.LIBCPMT ref: 00F6C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6C5C4

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 2be6194bdea988a23fb2b7f99cdffca9057abc1dd94c8adda4495bcbda64794c
Instruction ID: 04c6d4a23bf3b688adf3adea3a783d02e2ac540d94af8687721b1f683187c904
Opcode Fuzzy Hash: 2be6194bdea988a23fb2b7f99cdffca9057abc1dd94c8adda4495bcbda64794c
Instruction Fuzzy Hash: 5A518E70901244DBDB21DF98C855BAEBBF0FB00728F248159E8866B381D779AE05DBD1

Function 00F54900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5499F

Strings

ios_base::badbit set, xrefs: 00F54937, 00F54962
ios_base::failbit set, xrefs: 00F54828, 00F54941
ios_base::eofbit set, xrefs: 00F54946

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: ccdbe11d4a24a362e2ef977840ab081ac8635f51752bb2f6d24ef25f4027f5f7
Instruction ID: b0945168ec7421633c7c02754eedeb0a2673db3124373712422eb53654170d45
Opcode Fuzzy Hash: ccdbe11d4a24a362e2ef977840ab081ac8635f51752bb2f6d24ef25f4027f5f7
Instruction Fuzzy Hash: 751136729046486BCB10EB58DC43FAA7398A705B25F04465DFE988B2C1EA39B9449792

Function 00F82729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F82730
std::_Lockit::_Lockit.LIBCPMT ref: 00F8273B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F827A9

Part of subcall function 00F8288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F828A4

std::locale::_Setgloballocale.LIBCPMT ref: 00F82756

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 59dbd0b34f4c15b19a9b5b69a8ffb453d126d1b6147eb32880d782e1b489de74
Instruction ID: 4ad959e3f2299531c940319bfe23572c0203b1f8b07092cf79525a104e8c68b3
Opcode Fuzzy Hash: 59dbd0b34f4c15b19a9b5b69a8ffb453d126d1b6147eb32880d782e1b489de74
Instruction Fuzzy Hash: 7A01BC76A012109BCB0AFB64CC425BD7BB1BF84750B14800AE85217386CF3DAE02EBD1

Function 00F57350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00F5750C
___std_exception_destroy.LIBVCRUNTIME ref: 00F57522

Strings

[json.exception., xrefs: 00F573A1

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 526d44382c5c4c2e1de771d0872a998011e53f91a81d16597fefe6965ad02553
Instruction ID: 341cece7779e34df8844daa7e96e1b0b7e5dfc70cbdcb0872362e24cd818ba9b
Opcode Fuzzy Hash: 526d44382c5c4c2e1de771d0872a998011e53f91a81d16597fefe6965ad02553
Instruction Fuzzy Hash: 3851D1B1C043489BDB00EFA8CD05B9EBBB4EF11314F144259E850AB292D7B95A48EBE1

Function 00F547F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5499F

Strings

ios_base::badbit set, xrefs: 00F54937, 00F54962
ios_base::failbit set, xrefs: 00F54828

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 83b0cb563eb5a69c337f8d86990d7125367289b477a22704151097f99c12da90
Instruction ID: e6aaf219a0fa4072a1b079d6917b8676530c6aca057a3e49951cffd532885409
Opcode Fuzzy Hash: 83b0cb563eb5a69c337f8d86990d7125367289b477a22704151097f99c12da90
Instruction Fuzzy Hash: AC415A71D00244AFCB04DF58CC46BAEB7B4EF05724F14821DFA54A7381D775AA44DBA1

Function 00F54040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F54061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F540C4

Strings

bad locale name, xrefs: 00F540E6

Memory Dump Source

Source File: 00000008.00000002.3363611949.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 00000008.00000002.3363384316.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3363611949.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364695090.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3364829451.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3366817625.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367196806.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.3367244410.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 5a278ad72a31b6b4ed3bcb4294401783d8dda4007b745a46944e74f37c0417c3
Instruction ID: 4050444781e82d3ffbb5730a9cf68c6514410606e2f431d730b8102ee8ebd497
Opcode Fuzzy Hash: 5a278ad72a31b6b4ed3bcb4294401783d8dda4007b745a46944e74f37c0417c3
Instruction Fuzzy Hash: 4211E670805B84EED721CF68C90478BBFF4AF15714F14868DD4959B782D3B9A604D7A1

Analysis Process: RageMP131.exePID: 6108, Parent PID: 4004COMMON

Executed Functions

Function 052E0235 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f69b8f67edff91873da4a5b36eef2a9e465fbfdf405108977648fd3036f27f07
Instruction ID: 399689c31123fb567a75ab84395fb9fd92d0e86af61997843c2ac5cb1140c6ba
Opcode Fuzzy Hash: f69b8f67edff91873da4a5b36eef2a9e465fbfdf405108977648fd3036f27f07
Instruction Fuzzy Hash: 203199E362C304AFE302D1911A5C7F77BAEEFC2230BB084A6F842DA106E2D14D4B4231

Function 01017B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000003E8,0000FFFF,00001006,?,00000008), ref: 01017BA6
recv.WS2_32(?,00000004,00000002), ref: 01017BC1
recv.WS2_32(00000000,0000000C,00000002,00000000), ref: 01017C43
recv.WS2_32(00000000,0000000C,00000008), ref: 01017C64

Part of subcall function 01018590: WSAStartup.WS2_32 ref: 010185BB
Part of subcall function 01018590: socket.WS2_32(?,?,?,?,?,?,010D9328,?,?), ref: 0101865E
Part of subcall function 01018590: connect.WS2_32(00000000,010A9BFC,?,?,?,?,010D9328,?,?), ref: 01018672
Part of subcall function 01018590: closesocket.WS2_32(00000000), ref: 0101867D

recv.WS2_32(00000000,?,00000008), ref: 01017D1B
recv.WS2_32(?,00000004,00000008), ref: 01017E23
__Xtime_get_ticks.LIBCPMT ref: 01017E2A
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 01017E38
Sleep.KERNELBASE(00000001,00000000,?,00002710,00000000), ref: 01017EB1
Sleep.KERNELBASE(00000064,?,00002710,00000000), ref: 01017EB9

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: recv$Sleep$StartupUnothrow_t@std@@@Xtime_get_ticks__ehfuncinfo$??2@closesocketconnectsetsockoptsocket
String ID:
API String ID: 56803616-0
Opcode ID: f1f7ca2bc86691546f7f57c844cd6fb077fc8f54e51284c4afd4aca3288fda39
Instruction ID: 31152d4c2fb7094baaeef6ddbfcb81c45227bafc2c2937e32e3979e2dd15b333
Opcode Fuzzy Hash: f1f7ca2bc86691546f7f57c844cd6fb077fc8f54e51284c4afd4aca3288fda39
Instruction Fuzzy Hash: E4B1CE71D00308DFEB20EBA8CC89BADBBF1BB49314F104259E994AB2D6D7795944CB91

Function 01018590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 010185BB
socket.WS2_32(?,?,?,?,?,?,010D9328,?,?), ref: 0101865E
connect.WS2_32(00000000,010A9BFC,?,?,?,?,010D9328,?,?), ref: 01018672
closesocket.WS2_32(00000000), ref: 0101867D

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 21ead7dc6f94a1989e664a05a725783d1c2e25d960dcf0fcadff3471ebf2ecc2
Instruction ID: 93570b54cf343b3de45bb48e518b9501bb43998c4bcf9f89450a092100a79985
Opcode Fuzzy Hash: 21ead7dc6f94a1989e664a05a725783d1c2e25d960dcf0fcadff3471ebf2ecc2
Instruction Fuzzy Hash: 4931F5729003005FD7208E288C4866BB7E4FFC9738F119F5AFAE8A32D0D77499048792

Function 00F59280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,0109D15C,00000000,761B23A0,-010D9880), ref: 00F596C9

Strings

Ws2_32.dll, xrefs: 00F5969A

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Send
String ID: Ws2_32.dll
API String ID: 121738739-3093949381
Opcode ID: 196bf51b9763acf6c54cc3c0b54848f8397bfdc15de1dc2985eb43e248d783dd
Instruction ID: 251054fb17327d10036a0f7c9fbf420968f53122d70440d20e3f867fff12aa6c
Opcode Fuzzy Hash: 196bf51b9763acf6c54cc3c0b54848f8397bfdc15de1dc2985eb43e248d783dd
Instruction Fuzzy Hash: 7E02E270D08298DFDF25CF94C8907EDBBB0EF55310F24428DE8856B286D7B41986DB92

Function 052E0000 Relevance: 1.8, APIs: 1, Instructions: 286
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 97906bf3570c089d637416d03bd44dd32c1973000f833c4d1dac7a526a73da6d
Instruction ID: ff5f58fdb4c884ee881ac3ef146256bd0a9099bc51af0305001fcd407a926fa7
Opcode Fuzzy Hash: 97906bf3570c089d637416d03bd44dd32c1973000f833c4d1dac7a526a73da6d
Instruction Fuzzy Hash: D451E2E723C210BEA202D1956B6CAF76BAFEEC67303B08466F407DA506E2D40E4F5131

Function 052E0067 Relevance: 1.8, APIs: 1, Instructions: 276COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 167058d5621ab2d19dc75ba892a28556d16b7b1ad5260672f5bc8381080c40b9
Instruction ID: bf8206f0c8c5d528bb0e3bf1bf360c5a2f111be645cb74ec984d5221024ceaf5
Opcode Fuzzy Hash: 167058d5621ab2d19dc75ba892a28556d16b7b1ad5260672f5bc8381080c40b9
Instruction Fuzzy Hash: 4B5126E727C250BEA243D1956B6CAF66BAFEEC66303708466F407DA502E2D40E4F5231

Function 052E003B Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 896ea2bee0ab41324eeef8d82ab90624cb52450dff054478b9fb32a8064e0c7a
Instruction ID: c9e71d81a607731ac2aa864f5a98a25a6b968085b5ab557174b05953aae96376
Opcode Fuzzy Hash: 896ea2bee0ab41324eeef8d82ab90624cb52450dff054478b9fb32a8064e0c7a
Instruction Fuzzy Hash: F45115E727C250BEA243D1956B6CAF66BAFEEC67303708466F407DA606E2D40E4F5131

Function 052E001C Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa96efcf04cafac9b5176a3b94fea92952329d34b176a77eef20b31a3be39d85
Instruction ID: ac7d7c8a56b9d7f53a6cfc0a96b7a8acaf3735e96dd2a4678ee99ea379d84add
Opcode Fuzzy Hash: fa96efcf04cafac9b5176a3b94fea92952329d34b176a77eef20b31a3be39d85
Instruction Fuzzy Hash: 5F51E3E723C250BEE202D1956B6CAF66BAFEEC67307708466F447DA502E2D40E4B5231

Function 052E0074 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 057bcc724fb4631157bf3885d60e0d8d8fd52c9498d563b3eeac374997cce1ee
Instruction ID: e270bd7acff5596e5ca207d9cbc3a76894b5dbeb4ac3253a17aabf52ef72dba4
Opcode Fuzzy Hash: 057bcc724fb4631157bf3885d60e0d8d8fd52c9498d563b3eeac374997cce1ee
Instruction Fuzzy Hash: 404190E727C214BEB242C1856F68AFB57AFEAC67307B08426F807D9602E2D44E4F1131

Function 052E00AF Relevance: 1.7, APIs: 1, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3601d78087803f96849cadc2c519125b5caa7ffb16b752887153e5473863b47a
Instruction ID: 6bea071ea09d8bb9ba8b5842760bdcac9a8a3d8b4a45de424b3f248a890fc1b8
Opcode Fuzzy Hash: 3601d78087803f96849cadc2c519125b5caa7ffb16b752887153e5473863b47a
Instruction Fuzzy Hash: 6041C4E723C214BEA242C1852B68AFB57AFEEC67307B08426F807D9602E2D44E4F1131

Function 00F99789 Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,?,?,?,00000000,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00F9990E

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e138364b1a8e89909f1ad75a926647a3f3e17248564f004573fd2389b9bc8d76
Instruction ID: 53b15b16ee7db8fc507a6ca89e0c2511f0de6336094e3b9a65d6c9cbd82a5839
Opcode Fuzzy Hash: e138364b1a8e89909f1ad75a926647a3f3e17248564f004573fd2389b9bc8d76
Instruction Fuzzy Hash: 3961C272D08109AEEF11DFACCC84AEE7BB9AF49314F16014DE900A7246D7B6D901EB91

Function 052E00E1 Relevance: 1.7, APIs: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a1433e2e8b17215f22fbd0927b7b3996e83e4637a9becc883fad815769b6c712
Instruction ID: 242fd48cffc3976444a661b655882fe041d97c28d178063444d8dc28e14a32d3
Opcode Fuzzy Hash: a1433e2e8b17215f22fbd0927b7b3996e83e4637a9becc883fad815769b6c712
Instruction Fuzzy Hash: D641C4E727C214BEA242C1852B686FB67AFDEC67307B08467F807DA602E2D50E4F1131

Function 052E00F6 Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 270cfb7ca184a794dff9dba6718971fe41ab74fa49359852687e1714c9879448
Instruction ID: 29d3cd76ca788c1434485fce775dc9b15d53ed2ea6089112ec7924c90dae574e
Opcode Fuzzy Hash: 270cfb7ca184a794dff9dba6718971fe41ab74fa49359852687e1714c9879448
Instruction Fuzzy Hash: C141F5E723C214BEA246C1852B6C6F75BAFEEC63307B05426B807DD602E2D41E4B1131

Function 052E0167 Relevance: 1.7, APIs: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af6679bd817d70cdc4bdfa7f4064e9c859d81232d1cfcd3ba14954f5439bbdb7
Instruction ID: 59335bd454e490040a5aeb78e41e471e8c3a580902dfa9eb684ade64a62c92da
Opcode Fuzzy Hash: af6679bd817d70cdc4bdfa7f4064e9c859d81232d1cfcd3ba14954f5439bbdb7
Instruction Fuzzy Hash: 744123E757C214AEE246C1911B6C7FA6BAFAFC72307B04066B403EE642E2D40A4B5131

Function 052E0188 Relevance: 1.7, APIs: 1, Instructions: 171
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa992b9332ae7992cabb610176ed355bdbda1dbbdeffedb29be39bb79725d926
Instruction ID: b545d5335e4c2bf9f832cc7e8db3359006765d8f55386e34795575be81a082a8
Opcode Fuzzy Hash: aa992b9332ae7992cabb610176ed355bdbda1dbbdeffedb29be39bb79725d926
Instruction Fuzzy Hash: BB3139E757C214BE9242D1851BAC7F65B9FEFC62307B05016B807DE602E2D50E4B5131

Function 052E011E Relevance: 1.7, APIs: 1, Instructions: 167
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bd9461a48f55d8e66cc07e9299b43fd0c7b9265abf6e24cc74026bc4f9cfc92a
Instruction ID: 5cba846ea32321be88170c979b429a30da4caf35337e1d2db971749993b0594f
Opcode Fuzzy Hash: bd9461a48f55d8e66cc07e9299b43fd0c7b9265abf6e24cc74026bc4f9cfc92a
Instruction Fuzzy Hash: 263137E727C214BEA246C1851B6C7FA5BAFEFC63307B04066B807EE602E2D40E4B5131

Function 052E0130 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bc239b90bd738f464139b1a739b36aefc15be51ce385de445bd94e25b95236f5
Instruction ID: 3336219d150f000dd85fd1519ff467898d77650f330ed29a356bf3d83126adc2
Opcode Fuzzy Hash: bc239b90bd738f464139b1a739b36aefc15be51ce385de445bd94e25b95236f5
Instruction Fuzzy Hash: F73124E753C214BEA242D1811BAC7F66BAFEFC72307B05066B803EE602E2D50E4B5131

Function 052E0157 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: eb2dc90b0a14208adc6d8e35702fb1d025e245caf0bb440230eb75fe220b249e
Instruction ID: 97ffb30afe4e49db7cac032c78cce7ab58138a58fb0e07c4a4cda7f3b5110503
Opcode Fuzzy Hash: eb2dc90b0a14208adc6d8e35702fb1d025e245caf0bb440230eb75fe220b249e
Instruction Fuzzy Hash: C831F4E763C214AEA242D1951B6C7F66BAFEFD72307B04066B803DA642E2D40E4B5131

Function 052E01B7 Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19eb69b33ee10789dd76286dbdc8b01d2a17c206edceceb70f393eb59fbdbf96
Instruction ID: a47c5be6ae6875c153c5fc51d759ec8b0676df1542e12e1e3a2f2f668a1899f4
Opcode Fuzzy Hash: 19eb69b33ee10789dd76286dbdc8b01d2a17c206edceceb70f393eb59fbdbf96
Instruction Fuzzy Hash: B43102E767C214AEA646D0851B6C7F76BAFEFD73307B05066B803DA642E2D40E4B1135

Function 052E019B Relevance: 1.6, APIs: 1, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d38119e41f90dc5bf4a6ec77f6be5ad29186ea123b917ab1c9ba9d0333216efe
Instruction ID: a09443d1a0c97b331e927773ff9941384cd1f5ba456f9ebce154eed16badc2cf
Opcode Fuzzy Hash: d38119e41f90dc5bf4a6ec77f6be5ad29186ea123b917ab1c9ba9d0333216efe
Instruction Fuzzy Hash: C031F3E763C214AEE242D1951B5C7F76BAFAFD63307B05166B803EA642E2E44E4F1121

Function 052E01C9 Relevance: 1.6, APIs: 1, Instructions: 144COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7388673886e35257c448577b523d71f85991236b9a5bc1c82c91c66a862ed232
Instruction ID: 201aa5c01544fc59570d1959f2e5795e9c18621340dd64b2b487e66f8e5a95eb
Opcode Fuzzy Hash: 7388673886e35257c448577b523d71f85991236b9a5bc1c82c91c66a862ed232
Instruction Fuzzy Hash: 4D3146E367C214AEE652D1911B9C6FA6BAFEFD23307B05166F803DA246E2D50E4F1131

Function 052E01E3 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 754b190bfaeb78e20e97af1bc9de80f602bfe9cf04453fe2fd5e20fa0587e3a5
Instruction ID: 547ef2f4d69441ceb93c93a0981e851623d04cc19fbe37bd471f6354924f658d
Opcode Fuzzy Hash: 754b190bfaeb78e20e97af1bc9de80f602bfe9cf04453fe2fd5e20fa0587e3a5
Instruction Fuzzy Hash: DA31F4A723C214AEE746D1911A6C6FA6BAFEFC67307745066F803E6602E2D40E4F5131

Function 052E0225 Relevance: 1.6, APIs: 1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9c2209fea1f09061496f28bee1747bca39b4a9284aa8d0fef354234b9e2fcb23
Instruction ID: 3e80705614f994c77d6521c4fc5b359935928c1c07b58890ea91303c760704a6
Opcode Fuzzy Hash: 9c2209fea1f09061496f28bee1747bca39b4a9284aa8d0fef354234b9e2fcb23
Instruction Fuzzy Hash: 222106E663C214AEE242D1811B687FB67AFDF82230BB05066B803EA202E2D44E4B1135

Function 052E024E Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1a20beb2e345c1ac8ca7808ab8c16c238614be3b743b12c7fb1b2dadb2eb5755
Instruction ID: b4ac085e1cc8f21bb6a97f31c07cedcb14b2a1e1d7a3c9d074e0eb153e82ec62
Opcode Fuzzy Hash: 1a20beb2e345c1ac8ca7808ab8c16c238614be3b743b12c7fb1b2dadb2eb5755
Instruction Fuzzy Hash: EC2148E362C2546FE752D2911E686FB6BAEDFC23307744066F842D6246E2D40E4B5131

Function 052E027C Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3fec8880c748054cd8e747869b5a198b27126461347b7b4281eaa09f32e3b5e7
Instruction ID: dba64247a9e2bdbd0a8a30aa12b572edff2b9e7cac1b6f2ca4f0a5accb3b6d3c
Opcode Fuzzy Hash: 3fec8880c748054cd8e747869b5a198b27126461347b7b4281eaa09f32e3b5e7
Instruction Fuzzy Hash: CD1102F262C214AFA612D2812BA86FB67AEEFC233077040A6F842D6106E3E44D4B5131

Function 052E0293 Relevance: 1.6, APIs: 1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e9761e5d63732ba951746c1ef15aff1995c0f3f1211b89e8f1c7c7246d1c4425
Instruction ID: b86d2756d0815492f3fade6df3f027414d49c75a99ab8eb8d5070727b8b6a695
Opcode Fuzzy Hash: e9761e5d63732ba951746c1ef15aff1995c0f3f1211b89e8f1c7c7246d1c4425
Instruction Fuzzy Hash: 2811E2E772C2546FE616D2912BA86FB67AFDEC23307704466F842D6106E2D54E4B1132

Function 052E02ED Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0bd81405f324cddad57c6611e89a19a628fd5723ec63eacce489deb27459075b
Instruction ID: d6b3a28b607e9d0a3266efaa834ee0362b2d031777af4570373bef6a9250a827
Opcode Fuzzy Hash: 0bd81405f324cddad57c6611e89a19a628fd5723ec63eacce489deb27459075b
Instruction Fuzzy Hash: 010184F762C2156FB216D1812B589FAA76EDAC63307744467FC02D5106E2C14D4B1132

Function 052E0307 Relevance: 1.6, APIs: 1, Instructions: 67COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b10554d970a2e515b6f97a01ca073ea012ecc3480e6d564051bb4dbcf385c380
Instruction ID: 94662cfdc7bda223666e57d4e5d8ec1b7b946105894a6db07a30ac7f0e0bbd41
Opcode Fuzzy Hash: b10554d970a2e515b6f97a01ca073ea012ecc3480e6d564051bb4dbcf385c380
Instruction Fuzzy Hash: D901D4E772C2507FA706D291265C5FA6B5EDDC323137444B7FD02CA50AD2C60D0B5232

Function 00F98DFF Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,?,?,00F98CE6,00000000,?,010CA178,0000000C,00F98DA2,?,?,?), ref: 00F98E55

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: b2540c401efb84d11e4791904acf33e21e333ea9428cfe927c21fed3b69dab49
Instruction ID: 740962c0a6704c72f4b76fcb519590832f8cf223cc77a76864476bae02e792a0
Opcode Fuzzy Hash: b2540c401efb84d11e4791904acf33e21e333ea9428cfe927c21fed3b69dab49
Instruction Fuzzy Hash: 35114833E0216459FE2572B4AC59B7E37894BC37B4F290619F9188B1C2EE698C82A255

Function 052E02FB Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6ea6ecd83ea53d8e6473541d24b562e120e8586f4d12c67bf0febc6039f47cd7
Instruction ID: 40b1387e77688e10360cd92b53149fccbb65f4ed3d72c07633f3e41857fc7f39
Opcode Fuzzy Hash: 6ea6ecd83ea53d8e6473541d24b562e120e8586f4d12c67bf0febc6039f47cd7
Instruction Fuzzy Hash: 9401D1E762C2657FB206D2812B6CAFBA76ED9C62307758477FC02D6106E2C10D4F1032

Function 00F9251C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,?,?,?,?,?,00000000,?,?,?,00F92626,?,?,?,?,?), ref: 00F92558

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 88d9d9155ca011ec7cedd5273f6162b48940be8025c9a1adc5b374fddcf3b003
Instruction ID: 98691e83b1d66a204f6b6fabb277a8feaefbe39d665ce8532b160ff4ba01e0d1
Opcode Fuzzy Hash: 88d9d9155ca011ec7cedd5273f6162b48940be8025c9a1adc5b374fddcf3b003
Instruction Fuzzy Hash: FF012632A10219BFEF09CF18CC5599E3B59DF85330B290108F8109B2A1E671EE419B90

Function 052E0345 Relevance: 1.5, APIs: 1, Instructions: 48COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 052E0363

Memory Dump Source

Source File: 0000000C.00000002.3374657681.00000000052E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 052E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_52e0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 41428e518b4e5ae12e1ddaea50784027776bfd3a8072ca85d351a6060c6214d9
Instruction ID: 3b2396b037ec106c98065dad51d6362b5ee2d6c6262b4c5f627cffae564f2ff3
Opcode Fuzzy Hash: 41428e518b4e5ae12e1ddaea50784027776bfd3a8072ca85d351a6060c6214d9
Instruction Fuzzy Hash: 8CF02BE3B2C2555FD706E2A017AC1FA67AAEEC6230BB44876ED02C6109E2C14D071172

Function 00F532D0 Relevance: 1.5, APIs: 1, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00F5331F

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction ID: 6d2ae0047a4148310f0b6b12516d032169d98fc93c9a9037459437aec8a28d9a
Opcode Fuzzy Hash: 0fd589d96c9d07b1efa01aec19e4ff46bb0766daf2056f60d33bc81ca57302d3
Instruction Fuzzy Hash: 96F0B4725001049BDB147F68D8158E9B3E8DF243A2750097AEE8DC7222EB2ADA59A790

Function 00F9A65A Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000001,?,00F99FE0,00000001,00000364,00000001,00000006,000000FF,?,00F84B3F,?,?,761B23A0,?), ref: 00F9A69C

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7076f200ed19fc2739e901bbc23b2a0f0ac3b19820c93dc390f7810cecb9b6e0
Instruction ID: deb5970d7d4bb23b63d84d908631d98d21bdc7e846ffea7ca3676a5306395565
Opcode Fuzzy Hash: 7076f200ed19fc2739e901bbc23b2a0f0ac3b19820c93dc390f7810cecb9b6e0
Instruction Fuzzy Hash: 4CF0E9329106256EFF665E76DC11B6A3749AF41770F1C8111FD44DA180DA34DC00A6E6

Function 00F9B094 Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00F84B3F,?,?,761B23A0,?,?,00F53522,?,?), ref: 00F9B0C7

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa7499793404f47338189940e1b3190b7ad814e28078c6417bbbb8a52b52784b
Instruction ID: aff17a7554127afd2a0aed0a388f0b2027461c6b10a7604f5ec00b66e768fccd
Opcode Fuzzy Hash: fa7499793404f47338189940e1b3190b7ad814e28078c6417bbbb8a52b52784b
Instruction Fuzzy Hash: 8FE02B32A003211AFF3126A5BE10B5B76499F823B0F040210FD29961E0DB24DC00B2E5

Non-executed Functions

Function 00F8C960 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction ID: c5b41566cfdde02848cd8a4224886613f4c64437f6dabb9503a930f4d4bf03ee
Opcode Fuzzy Hash: 333d4b6d5425d6f9d03797ee82114c3711da98524c03317fffdb5ec62fb2b380
Instruction Fuzzy Hash: C4022A71E012199BDF14DFA9D8806EEBBF1FF48324F258269E919E7380D731A941DB90

Function 00F9BB66 Relevance: 10.8, APIs: 7, Instructions: 329COMMON

Download Yara Rule

APIs

_strrchr.LIBCMT ref: 00F9BBEC

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: _strrchr
String ID:
API String ID: 3213747228-0
Opcode ID: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction ID: b3b029c729aaa1684603917594f22f5e12f570c0b9a7d1764eb26c7a59002044
Opcode Fuzzy Hash: 785c90e8ff89e0f1a3d98e37725974d6f6ea20f06d45e48120c47f1ca5a82ffe
Instruction Fuzzy Hash: A4B18872E002559FFF158F24DD82BEE7BA9EF55360F144166E904AF382D7749801EBA0

Function 00F872D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F87307
___except_validate_context_record.LIBVCRUNTIME ref: 00F8730F
_ValidateLocalCookies.LIBCMT ref: 00F87398
__IsNonwritableInCurrentImage.LIBCMT ref: 00F873C3
_ValidateLocalCookies.LIBCMT ref: 00F87418

Strings

csm, xrefs: 00F873AD

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b916359818be52cadd852ba1a65f1144f7b3636a092d5d2838edfb7818938de8
Instruction ID: 4f7524c69198bb9a055aa5308b8025d66207ebca9d759d6dd1716f5efe99509c
Opcode Fuzzy Hash: b916359818be52cadd852ba1a65f1144f7b3636a092d5d2838edfb7818938de8
Instruction Fuzzy Hash: F141A031E043099BCF10FF68C885BDEBBA5AF05364F648055EC199B352DB35E901EB92

Function 00F6A060 Relevance: 9.1, APIs: 6, Instructions: 136COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F6A09D
std::_Lockit::_Lockit.LIBCPMT ref: 00F6A0BF
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A0E7
__Getctype.LIBCPMT ref: 00F6A1C5
std::_Facet_Register.LIBCPMT ref: 00F6A1F9
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6A223

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_GetctypeRegister
String ID:
API String ID: 1102183713-0
Opcode ID: 9d740a6ab856070d26d960c9e7bc02329af67587182d4655c3a135580047f548
Instruction ID: 45756babcbb03cf2e39a4ef8299c1b5cb7cbc32f497fbd1e6c5d3d65e9a57f45
Opcode Fuzzy Hash: 9d740a6ab856070d26d960c9e7bc02329af67587182d4655c3a135580047f548
Instruction Fuzzy Hash: A0519BB0D01245DFCB21DF98C9417AEBBF0BB11324F148159D895AB391E739AE44DF92

Function 00F6C430 Relevance: 7.6, APIs: 5, Instructions: 119COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F6C45A
std::_Lockit::_Lockit.LIBCPMT ref: 00F6C47C
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6C4A4
std::_Facet_Register.LIBCPMT ref: 00F6C59A
std::_Lockit::~_Lockit.LIBCPMT ref: 00F6C5C4

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Facet_Register
String ID:
API String ID: 459529453-0
Opcode ID: 2be6194bdea988a23fb2b7f99cdffca9057abc1dd94c8adda4495bcbda64794c
Instruction ID: 04c6d4a23bf3b688adf3adea3a783d02e2ac540d94af8687721b1f683187c904
Opcode Fuzzy Hash: 2be6194bdea988a23fb2b7f99cdffca9057abc1dd94c8adda4495bcbda64794c
Instruction Fuzzy Hash: 5A518E70901244DBDB21DF98C855BAEBBF0FB00728F248159E8866B381D779AE05DBD1

Function 00F54900 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 67COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5499F

Strings

ios_base::failbit set, xrefs: 00F54828, 00F54941
ios_base::eofbit set, xrefs: 00F54946
ios_base::badbit set, xrefs: 00F54937, 00F54962

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 323602529-1866435925
Opcode ID: ccdbe11d4a24a362e2ef977840ab081ac8635f51752bb2f6d24ef25f4027f5f7
Instruction ID: b0945168ec7421633c7c02754eedeb0a2673db3124373712422eb53654170d45
Opcode Fuzzy Hash: ccdbe11d4a24a362e2ef977840ab081ac8635f51752bb2f6d24ef25f4027f5f7
Instruction Fuzzy Hash: 751136729046486BCB10EB58DC43FAA7398A705B25F04465DFE988B2C1EA39B9449792

Function 00F82729 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00F82730
std::_Lockit::_Lockit.LIBCPMT ref: 00F8273B
std::_Lockit::~_Lockit.LIBCPMT ref: 00F827A9

Part of subcall function 00F8288C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00F828A4

std::locale::_Setgloballocale.LIBCPMT ref: 00F82756

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 59dbd0b34f4c15b19a9b5b69a8ffb453d126d1b6147eb32880d782e1b489de74
Instruction ID: 4ad959e3f2299531c940319bfe23572c0203b1f8b07092cf79525a104e8c68b3
Opcode Fuzzy Hash: 59dbd0b34f4c15b19a9b5b69a8ffb453d126d1b6147eb32880d782e1b489de74
Instruction Fuzzy Hash: 7A01BC76A012109BCB0AFB64CC425BD7BB1BF84750B14800AE85217386CF3DAE02EBD1

Function 00F57350 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 158COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00F5750C
___std_exception_destroy.LIBVCRUNTIME ref: 00F57522

Strings

[json.exception., xrefs: 00F573A1

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 526d44382c5c4c2e1de771d0872a998011e53f91a81d16597fefe6965ad02553
Instruction ID: 341cece7779e34df8844daa7e96e1b0b7e5dfc70cbdcb0872362e24cd818ba9b
Opcode Fuzzy Hash: 526d44382c5c4c2e1de771d0872a998011e53f91a81d16597fefe6965ad02553
Instruction Fuzzy Hash: 3851D1B1C043489BDB00EFA8CD05B9EBBB4EF11314F144259E850AB292D7B95A48EBE1

Function 00F547F0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 153COMMONLIBRARYCODE

Download Yara Rule

APIs

std::ios_base::_Ios_base_dtor.LIBCPMT ref: 00F5499F

Strings

ios_base::failbit set, xrefs: 00F54828
ios_base::badbit set, xrefs: 00F54937, 00F54962

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: Ios_base_dtorstd::ios_base::_
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 323602529-1240500531
Opcode ID: 83b0cb563eb5a69c337f8d86990d7125367289b477a22704151097f99c12da90
Instruction ID: e6aaf219a0fa4072a1b079d6917b8676530c6aca057a3e49951cffd532885409
Opcode Fuzzy Hash: 83b0cb563eb5a69c337f8d86990d7125367289b477a22704151097f99c12da90
Instruction Fuzzy Hash: AC415A71D00244AFCB04DF58CC46BAEB7B4EF05724F14821DFA54A7381D775AA44DBA1

Function 00F54040 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00F54061
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00F540C4

Strings

bad locale name, xrefs: 00F540E6

Memory Dump Source

Source File: 0000000C.00000002.3363481001.0000000000F51000.00000040.00000001.01000000.00000006.sdmp, Offset: 00F50000, based on PE: true

Associated: 0000000C.00000002.3363332796.0000000000F50000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3363481001.00000000010D5000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364704612.00000000010DA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.00000000010DD000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000125F000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000133C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.000000000137B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001382000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3364831991.0000000001391000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3366836996.0000000001392000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367196845.000000000152B000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000C.00000002.3367242663.000000000152D000.00000080.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_f50000_RageMP131.jbxd

Similarity

API ID: std::_$Locinfo::_Locinfo_ctorLockitLockit::_
String ID: bad locale name
API String ID: 3988782225-1405518554
Opcode ID: 5a278ad72a31b6b4ed3bcb4294401783d8dda4007b745a46944e74f37c0417c3
Instruction ID: 4050444781e82d3ffbb5730a9cf68c6514410606e2f431d730b8102ee8ebd497
Opcode Fuzzy Hash: 5a278ad72a31b6b4ed3bcb4294401783d8dda4007b745a46944e74f37c0417c3
Instruction Fuzzy Hash: 4211E670805B84EED721CF68C90478BBFF4AF15714F14868DD4959B782D3B9A604D7A1

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report installer.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Snort IDS Alerts

Network Port Distribution

Windows Analysis Report
installer.exe

Function 00999280 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 383
networkCOMMON

Function 00A57B00 Relevance: 15.3, APIs: 10, Instructions: 284
networksleepCOMMON

Function 00A58590 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Function 05590009 Relevance: 1.9, APIs: 1, Instructions: 372
COMMON

Function 05590057 Relevance: 1.9, APIs: 1, Instructions: 370
COMMON

Function 0559001B Relevance: 1.9, APIs: 1, Instructions: 370
COMMON

Function 05590031 Relevance: 1.9, APIs: 1, Instructions: 361
COMMON

Function 05590043 Relevance: 1.9, APIs: 1, Instructions: 359
COMMON

Function 05590066 Relevance: 1.9, APIs: 1, Instructions: 353
COMMON

Function 0559008F Relevance: 1.8, APIs: 1, Instructions: 344
COMMON

Function 0559007D Relevance: 1.8, APIs: 1, Instructions: 343
COMMON

Function 055900D9 Relevance: 1.8, APIs: 1, Instructions: 326
COMMON

Function 055900C1 Relevance: 1.8, APIs: 1, Instructions: 325
COMMON

Function 055900C6 Relevance: 1.8, APIs: 1, Instructions: 323
COMMON

Function 05590106 Relevance: 1.8, APIs: 1, Instructions: 313
COMMON