Windows Analysis Report
LisectAVT_2403002A_224.exe

Overview

General Information

Sample name:LisectAVT_2403002A_224.exe
Analysis ID:1481004
MD5:cc4a3a36d266e313523feb9146c56df6
SHA1:094ef8de8465d13ea82a0f9daf13474f4f11bc17
SHA256:721a20928239475312d70ee30d402768348d81e72f67363a92e34ed087a545e7
Tags:exe

Detection

RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Potentially malicious time measurement code found
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002A_224.exe (PID: 6816 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_224.exe" MD5: CC4A3A36D266E313523FEB9146C56DF6)
    • schtasks.exe (PID: 6892 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7100 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 6240 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 7188 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: CC4A3A36D266E313523FEB9146C56DF6)
  • MPGPH131.exe (PID: 7196 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: CC4A3A36D266E313523FEB9146C56DF6)
  • RageMP131.exe (PID: 7512 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: CC4A3A36D266E313523FEB9146C56DF6)
  • RageMP131.exe (PID: 7820 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: CC4A3A36D266E313523FEB9146C56DF6)
  • cleanup
No configs have been found
Source | Rule | Description | Author
00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
(5 of 10 matching memory dumps shown)

            System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe, ProcessId: 6816, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
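Detection logic for the persistence chain this report shows: the two schtasks /create calls in the process tree (hourly and at-logon tasks pointing at C:\ProgramData\MPGPH131\MPGPH131.exe with /rl HIGHEST) and the Sigma hit on the CurrentVersion\Run key. This is an added example, not part of the Joe Sandbox report or its tooling. It runs over constructed Sysmon-style event records that mirror the report's values (EventID 1 process creation with Image/CommandLine, EventID 13 registry SetValue with TargetObject/Details); the list of user-writable path prefixes, the benign control event and the scoring reasons are assumptions of the example.

```python
"""Detect the schtasks and Run-key persistence seen in this report.

Added example (not part of the Joe Sandbox report). Input is a list of
constructed Sysmon-style events: EventID 1 (process creation) with Image and
CommandLine, and EventID 13 (registry value set) with TargetObject/Details.
Path prefixes treated as user-writable are an assumption of this example.
"""
import re

# Constructed events mirroring the report's process tree and Sigma hit.
EVENTS = [
    {"EventID": 1, "ProcessId": 6892,
     "ParentImage": r"C:\Users\user\Desktop\LisectAVT_2403002A_224.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "ProcessId": 6240,
     "ParentImage": r"C:\Users\user\Desktop\LisectAVT_2403002A_224.exe",
     "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"EventID": 13, "ProcessId": 6816, "EventType": "SetValue",
     "Image": r"C:\Users\user\Desktop\LisectAVT_2403002A_224.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131",
     "Details": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    # Benign control (constructed): installer-created task under Program Files.
    {"EventID": 1, "ProcessId": 4242,
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\upd.exe" /sc DAILY'},
]

# Locations a standard user can write to; a persistence target living here is
# far more suspicious than one under Program Files or System32 (assumption).
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\programdata\\|[a-z]:\\users\\|[a-z]:\\windows\\temp\\)", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(?:once)?\\", re.I)
# schtasks switches we care about; values may be quoted or bare.
SCHTASKS_OPT = re.compile(r'/(tr|tn|sc|rl|ru)\s+(?:"([^"]*)"|(\S+))', re.I)


def parse_schtasks(cmdline):
    """Return {switch: value} for /tr /tn /sc /rl /ru, switch names lower-cased."""
    opts = {}
    for m in SCHTASKS_OPT.finditer(cmdline):
        opts[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return opts


def check_task_creation(ev):
    """Flag schtasks /create whose action, privilege level or parent is suspicious."""
    if ev.get("EventID") != 1 or not ev.get("Image", "").lower().endswith("\\schtasks.exe"):
        return None
    cmd = ev.get("CommandLine", "")
    if "/create" not in cmd.lower():
        return None
    opts = parse_schtasks(cmd)
    action = opts.get("tr", "")
    reasons = []
    if USER_WRITABLE.match(action):
        reasons.append("task action in user-writable path")
    if opts.get("rl", "").upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if USER_WRITABLE.match(ev.get("ParentImage", "")):
        reasons.append("created by parent in user-writable path")
    if not reasons:
        return None
    return {"type": "scheduled_task", "name": opts.get("tn"), "action": action,
            "schedule": opts.get("sc"), "pid": ev.get("ProcessId"), "reasons": reasons}


def check_run_key(ev):
    """Flag any value written under CurrentVersion\\Run or RunOnce."""
    if ev.get("EventID") != 13 or ev.get("EventType") != "SetValue":
        return None
    target = ev.get("TargetObject", "")
    if not RUN_KEY.search(target):
        return None
    details = ev.get("Details", "")
    reasons = ["autorun key written"]
    if USER_WRITABLE.match(details):
        reasons.append("autorun target in user-writable path")
    return {"type": "run_key", "name": target.rsplit("\\", 1)[-1], "action": details,
            "pid": ev.get("ProcessId"), "reasons": reasons}


def detect(events):
    """Run every check over every event; return the list of findings in order."""
    findings = []
    for ev in events:
        for check in (check_task_creation, check_run_key):
            hit = check(ev)
            if hit:
                findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f["type"], f["name"], "->", f["action"], "|", "; ".join(f["reasons"]))
```

The task checks are deliberately independent: a task under ProgramData without /rl HIGHEST still fires, as does an elevated task under Program Files, so the vendor-update control only passes because none of the three conditions hold for it.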
            No Snort rule has matched
Timestamp                        SID      Source Port  Destination Port  Protocol  Classtype
2024-07-25T02:46:49.373342+0200  2046269  49731        58709             TCP       A Network Trojan was detected
2024-07-25T02:46:46.402445+0200  2049060  49731        58709             TCP       A Network Trojan was detected
2024-07-25T02:46:49.373471+0200  2046269  49732        58709             TCP       A Network Trojan was detected
2024-07-25T02:46:39.895152+0200  2049060  49730        58709             TCP       A Network Trojan was detected
2024-07-25T02:47:04.634108+0200  2046269  49740        58709             TCP       A Network Trojan was detected
2024-07-25T02:46:57.571611+0200  2046269  49734        58709             TCP       A Network Trojan was detected
2024-07-25T02:46:56.137355+0200  2022930  443          49733             TCP       A Network Trojan was detected
2024-07-25T02:47:34.333582+0200  2022930  443          49741             TCP       A Network Trojan was detected
2024-07-25T02:46:42.884945+0200  2046269  49730        58709             TCP       A Network Trojan was detected


            AV Detection

Source: LisectAVT_2403002A_224.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Avira: detection malicious, Label: TR/Scar.vkkgx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/Scar.vkkgx
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | ReversingLabs: Detection: 66%
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Virustotal: Detection: 63%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | ReversingLabs: Detection: 66%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Virustotal: Detection: 63%
Source: LisectAVT_2403002A_224.exe | ReversingLabs: Detection: 66%
Source: LisectAVT_2403002A_224.exe | Virustotal: Detection: 63%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_224.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_224.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

            Networking

Source: global traffic | TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 193.233.132.74:58709
Source: Joe Sandbox View | IP Address: 193.233.132.74
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.132.74 (reported 25 times)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0018E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4115259179.000000000148D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4115189261.000000000166A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4115609037.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTX
Source: RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTbYE

            System Summary

Source: LisectAVT_2403002A_224.exe | Static PE information: section name: (not printable)
Source: LisectAVT_2403002A_224.exe | Static PE information: section name: .idata
Source: LisectAVT_2403002A_224.exe | Static PE information: section name: (not printable)
Source: RageMP131.exe.0.dr | Static PE information: section name: (not printable)
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name: (not printable)
Source: MPGPH131.exe.0.dr | Static PE information: section name: (not printable)
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name: (not printable)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code functions: 0_2_00269824, 0_2_001F9880, 0_2_001E50B0, 0_2_001791A0, 0_2_001E73F0, 0_2_0025646A, 0_2_002584A0, 0_2_00252CE0, 0_2_001724F0, 0_2_001F6550, 0_2_00178D70, 0_2_001F55B0, 0_2_0025BEAF, 0_2_00189F50, 0_2_0026F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code functions: 5_2_00AE50B0, 5_2_00AF9880, 5_2_00B69824, 5_2_00A791A0, 5_2_00AE73F0, 5_2_00B584A0, 5_2_00B52CE0, 5_2_00A724F0, 5_2_00B5646A, 5_2_00AF55B0, 5_2_00A78D70, 5_2_00AF6550, 5_2_00B5BEAF, 5_2_00B6F771, 5_2_00A89F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code functions: 6_2_00AE50B0, 6_2_00AF9880, 6_2_00B69824, 6_2_00A791A0, 6_2_00AE73F0, 6_2_00B584A0, 6_2_00B52CE0, 6_2_00A724F0, 6_2_00B5646A, 6_2_00AF55B0, 6_2_00A78D70, 6_2_00AF6550, 6_2_00B5BEAF, 6_2_00B6F771, 6_2_00A89F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code functions: 7_2_00319824, 7_2_002950B0, 7_2_002A9880, 7_2_002291A0, 7_2_002973F0, 7_2_0030646A, 7_2_003084A0, 7_2_00302CE0, 7_2_002224F0, 7_2_00228D70, 7_2_002A6550, 7_2_002A55B0, 7_2_0030BEAF, 7_2_0031F771, 7_2_00239F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code functions: 9_2_00319824, 9_2_002950B0, 9_2_002A9880, 9_2_002291A0, 9_2_002973F0, 9_2_0030646A, 9_2_003084A0, 9_2_00302CE0, 9_2_002224F0, 9_2_00228D70, 9_2_002A6550, 9_2_002A55B0, 9_2_0030BEAF, 9_2_0031F771, 9_2_00239F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 002FFED0 appears 52 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00B4FED0 appears 52 times
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4118399424.0000000004A30000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_224.exe
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_224.exe
Source: LisectAVT_2403002A_224.exe | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_224.exe
Source: LisectAVT_2403002A_224.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_224.exe | Static PE information: Section: (not printable) ZLIB complexity 0.9991950757575757
Source: LisectAVT_2403002A_224.exe | Static PE information: Section: eyjsffgc ZLIB complexity 0.9903292147954679
Source: RageMP131.exe.0.dr | Static PE information: Section: (not printable) ZLIB complexity 0.9991950757575757
Source: RageMP131.exe.0.dr | Static PE information: Section: eyjsffgc ZLIB complexity 0.9903292147954679
Source: MPGPH131.exe.0.dr | Static PE information: Section: (not printable) ZLIB complexity 0.9991950757575757
Source: MPGPH131.exe.0.dr | Static PE information: Section: eyjsffgc ZLIB complexity 0.9903292147954679
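What the static indicators above measure (blank and non-standard section names, ZLIB complexity of 0.99 and higher, entry point outside the standard sections), reimplemented over constructed data. This is an added example, not the sandbox's code: "ZLIB complexity" is assumed here to be compressed size divided by raw size, which is why packed or encrypted sections score close to 1.0; the 0.95 threshold and the standard-section list are the example's own; and the "packed" bytes are seeded pseudo-random data standing in for a real packed section (no sample bytes are shipped here).

```python
"""Packer triage with the static indicators this report lists.

Added example, not the sandbox's own code. Assumptions: 'ZLIB complexity' is
compressed size / raw size, HIGH_COMPLEXITY and STANDARD_SECTIONS are this
example's settings, and the section contents below are constructed.
"""
import math
import random
import zlib
from collections import Counter

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".pdata", ".CRT"}
CODE_SECTIONS = {".text"}
HIGH_COMPLEXITY = 0.95


def zlib_complexity(data):
    """Compressed/raw size ratio; about 1.0 means incompressible (packed/encrypted)."""
    if not data:
        return 0.0
    return len(zlib.compress(data, 9)) / len(data)


def shannon_entropy(data):
    """Bits per byte in 0..8; packed or encrypted code usually sits above 7."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def printable_name(raw_name):
    """PE section names are 8 bytes, NUL padded; '' when not printable ASCII."""
    name = raw_name.rstrip(b"\x00").decode("ascii", errors="replace")
    return name if name and all(0x21 <= ord(ch) <= 0x7E for ch in name) else ""


def section_triage(raw_name, data, contains_entry_point=False):
    """Return the indicator strings a packed section trips, in a fixed order."""
    flags = []
    name = printable_name(raw_name)
    if not name:
        flags.append("blank or non-printable section name")
    elif name not in STANDARD_SECTIONS:
        flags.append(f"non-standard section name {name!r}")
    zc = zlib_complexity(data)
    if zc > HIGH_COMPLEXITY:
        flags.append(f"incompressible content (zlib complexity {zc:.3f}, "
                     f"entropy {shannon_entropy(data):.2f})")
    if contains_entry_point and name not in CODE_SECTIONS:
        flags.append("entry point outside a standard code section")
    return flags


# Constructed section contents: repetitive 'code' versus seeded pseudo-random
# bytes standing in for a packed payload.
rng = random.Random(2024)
PLAIN_TEXT = b"push ebp\nmov ebp, esp\nsub esp, 0x40\ncall 0x401000\nleave\nret\n" * 100
PACKED = bytes(rng.getrandbits(8) for _ in range(8192))


if __name__ == "__main__":
    for raw, data, ep in ((b".text\x00\x00\x00", PLAIN_TEXT, True),
                          (b"\x00" * 8, PACKED, False),
                          (b"eyjsffgc", PACKED, True)):
        print(repr(raw), f"zlib={zlib_complexity(data):.3f}",
              f"entropy={shannon_entropy(data):.2f}", section_triage(raw, data, ep))
```

On real files the same checks are run over each section's raw bytes from the section table; the thing to keep in mind is that a legitimate .rsrc full of PNG or a signed installer's payload section also scores near 1.0, so the complexity score is a triage hint that needs the name and entry-point checks beside it, exactly the combination the report lists.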
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7100:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5448:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Command line argument: nI' (0_2_002748C0)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Command line argument: nI2 (7_2_003248C0)
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Command line argument: nI2 (9_2_003248C0)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_224.exe | ReversingLabs: Detection: 66%
Source: LisectAVT_2403002A_224.exe | Virustotal: Detection: 63%
Source: LisectAVT_2403002A_224.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe "C:\Users\user\Desktop\LisectAVT_2403002A_224.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: winmm.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: ntmarta.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: wininet.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Section loaded: devobj.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
            Source: LisectAVT_2403002A_224.exe | Static file information: File size 2340360 > 1048576
            Source: LisectAVT_2403002A_224.exe | Static PE information: Raw size of eyjsffgc is bigger than: 0x100000 < 0x1a8c00

            Data Obfuscation

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_224.exe.170000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW; vs :ER;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 5.2.MPGPH131.exe.a70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW; vs :ER;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW;
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 6.2.MPGPH131.exe.a70000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW; vs :ER;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 7.2.RageMP131.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW; vs :ER;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW;
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 9.2.RageMP131.exe.220000.0.unpack :EW;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW; vs :ER;.rsrc:W;.idata :W; :EW;eyjsffgc:EW;qbcnvswu:EW;
            Source: initial sample | Static PE information: section where entry point is pointing to: qbcnvswu
            Source: LisectAVT_2403002A_224.exe | Static PE information: real checksum: 0x24a8d6 should be: 0x24a8de
            Source: RageMP131.exe.0.dr | Static PE information: real checksum: 0x24a8d6 should be: 0x24a8de
            Source: MPGPH131.exe.0.dr | Static PE information: real checksum: 0x24a8d6 should be: 0x24a8de
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name:
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name: .idata
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name:
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name: eyjsffgc
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name: qbcnvswu
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
            Source: RageMP131.exe.0.dr | Static PE information: section name:
            Source: RageMP131.exe.0.dr | Static PE information: section name: eyjsffgc
            Source: RageMP131.exe.0.dr | Static PE information: section name: qbcnvswu
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
            Source: MPGPH131.exe.0.dr | Static PE information: section name:
            Source: MPGPH131.exe.0.dr | Static PE information: section name: eyjsffgc
            Source: MPGPH131.exe.0.dr | Static PE information: section name: qbcnvswu
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B03C push 3651A27Bh; mov dword ptr [esp], esi | 0_2_0071B058
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B03C push ebp; mov dword ptr [esp], edx | 0_2_0071B0B3
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B03C push eax; mov dword ptr [esp], 75F68864h | 0_2_0071B0E0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B03C push esi; mov dword ptr [esp], 5EEF8401h | 0_2_0071B100
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B03C push eax; mov dword ptr [esp], 23930DA3h | 0_2_0071B137
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push ecx; mov dword ptr [esp], 0A515175h | 0_2_0071B01A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push 3651A27Bh; mov dword ptr [esp], esi | 0_2_0071B058
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push ebp; mov dword ptr [esp], edx | 0_2_0071B0B3
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push eax; mov dword ptr [esp], 75F68864h | 0_2_0071B0E0
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push esi; mov dword ptr [esp], 5EEF8401h | 0_2_0071B100
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B000 push eax; mov dword ptr [esp], 23930DA3h | 0_2_0071B137
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B184 push 11979A72h; mov dword ptr [esp], ecx | 0_2_0071B199
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B184 push ebx; mov dword ptr [esp], 4C77469Ch | 0_2_0071B1BE
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B184 push 5E21318Bh; mov dword ptr [esp], eax | 0_2_0071B20C
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0071B184 push 520D17D8h; mov dword ptr [esp], edi | 0_2_0071B29B
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_0024FA97 push ecx; ret | 0_2_0024FAAA
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B184 push 11979A72h; mov dword ptr [esp], ecx | 5_2_0101B199
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B184 push ebx; mov dword ptr [esp], 4C77469Ch | 5_2_0101B1BE
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B184 push 5E21318Bh; mov dword ptr [esp], eax | 5_2_0101B20C
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B184 push 520D17D8h; mov dword ptr [esp], edi | 5_2_0101B29B
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push ecx; mov dword ptr [esp], 0A515175h | 5_2_0101B01A
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push 3651A27Bh; mov dword ptr [esp], esi | 5_2_0101B058
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push ebp; mov dword ptr [esp], edx | 5_2_0101B0B3
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push eax; mov dword ptr [esp], 75F68864h | 5_2_0101B0E0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push esi; mov dword ptr [esp], 5EEF8401h | 5_2_0101B100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B000 push eax; mov dword ptr [esp], 23930DA3h | 5_2_0101B137
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B03C push 3651A27Bh; mov dword ptr [esp], esi | 5_2_0101B058
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B03C push ebp; mov dword ptr [esp], edx | 5_2_0101B0B3
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B03C push eax; mov dword ptr [esp], 75F68864h | 5_2_0101B0E0
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B03C push esi; mov dword ptr [esp], 5EEF8401h | 5_2_0101B100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_0101B03C push eax; mov dword ptr [esp], 23930DA3h | 5_2_0101B137
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name: entropy: 7.988529889235953
            Source: LisectAVT_2403002A_224.exe | Static PE information: section name: eyjsffgc entropy: 7.951534972159276
            Source: RageMP131.exe.0.dr | Static PE information: section name: entropy: 7.988529889235953
            Source: RageMP131.exe.0.dr | Static PE information: section name: eyjsffgc entropy: 7.951534972159276
            Source: MPGPH131.exe.0.dr | Static PE information: section name: entropy: 7.988529889235953
            Source: MPGPH131.exe.0.dr | Static PE information: section name: eyjsffgc entropy: 7.951534972159276
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe

            Boot Survival

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131

            Malware Analysis System Evasion

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_0-21353
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_5-18546
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_7-19002
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 2B04AC second address: 2AFD47 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c jne 00007F59E0FE79CEh 0x00000012 push dword ptr [ebp+122D0751h] 0x00000018 add dword ptr [ebp+122D1997h], edi 0x0000001e call dword ptr [ebp+122D1879h] 0x00000024 pushad 0x00000025 pushad 0x00000026 mov eax, dword ptr [ebp+122D3A16h] 0x0000002c mov dword ptr [ebp+122D1ADCh], ebx 0x00000032 popad 0x00000033 xor eax, eax 0x00000035 jnl 00007F59E0FE79D0h 0x0000003b mov edx, dword ptr [esp+28h] 0x0000003f sub dword ptr [ebp+122D1DE3h], ebx 0x00000045 jc 00007F59E0FE79D2h 0x0000004b jmp 00007F59E0FE79CCh 0x00000050 mov dword ptr [ebp+122D3A32h], eax 0x00000056 sub dword ptr [ebp+122D19C2h], ecx 0x0000005c mov esi, 0000003Ch 0x00000061 sub dword ptr [ebp+122D18D5h], eax 0x00000067 add esi, dword ptr [esp+24h] 0x0000006b sub dword ptr [ebp+122D18D5h], ebx 0x00000071 lodsw 0x00000073 pushad 0x00000074 mov ebx, dword ptr [ebp+122D397Ah] 0x0000007a mov edx, dword ptr [ebp+122D39B2h] 0x00000080 popad 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 mov dword ptr [ebp+122D198Bh], edi 0x0000008b mov dword ptr [ebp+122D1B2Ch], edi 0x00000091 mov ebx, dword ptr [esp+24h] 0x00000095 cmc 0x00000096 nop 0x00000097 push ecx 0x00000098 push eax 0x00000099 push edx 0x0000009a push eax 0x0000009b push edx 0x0000009c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 2AFD47 second address: 2AFD4B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 42D2E6 second address: 42D318 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59E0FE79D4h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F59E0FE79D6h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4372BC second address: 4372C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4372C2 second address: 4372D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F59E0FE79CDh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 437441 second address: 437446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43798A second address: 4379AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F59E0FE79D8h 0x0000000b popad 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43A812 second address: 2AFD47 instructions: 0x00000000 rdtsc 0x00000002 js 00007F59E0FDFAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d pop esi 0x0000000e popad 0x0000000f xor dword ptr [esp], 09E90BBAh 0x00000016 mov dword ptr [ebp+122D188Dh], edx 0x0000001c push dword ptr [ebp+122D0751h] 0x00000022 mov ecx, dword ptr [ebp+122D3C0Ah] 0x00000028 call dword ptr [ebp+122D1879h] 0x0000002e pushad 0x0000002f pushad 0x00000030 mov eax, dword ptr [ebp+122D3A16h] 0x00000036 mov dword ptr [ebp+122D1ADCh], ebx 0x0000003c popad 0x0000003d xor eax, eax 0x0000003f jnl 00007F59E0FDFAC0h 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 sub dword ptr [ebp+122D1DE3h], ebx 0x0000004f jc 00007F59E0FDFAC2h 0x00000055 mov dword ptr [ebp+122D3A32h], eax 0x0000005b sub dword ptr [ebp+122D19C2h], ecx 0x00000061 mov esi, 0000003Ch 0x00000066 sub dword ptr [ebp+122D18D5h], eax 0x0000006c add esi, dword ptr [esp+24h] 0x00000070 sub dword ptr [ebp+122D18D5h], ebx 0x00000076 lodsw 0x00000078 pushad 0x00000079 mov ebx, dword ptr [ebp+122D397Ah] 0x0000007f mov edx, dword ptr [ebp+122D39B2h] 0x00000085 popad 0x00000086 add eax, dword ptr [esp+24h] 0x0000008a mov dword ptr [ebp+122D198Bh], edi 0x00000090 mov dword ptr [ebp+122D1B2Ch], edi 0x00000096 mov ebx, dword ptr [esp+24h] 0x0000009a cmc 0x0000009b nop 0x0000009c push ecx 0x0000009d push eax 0x0000009e push edx 0x0000009f push eax 0x000000a0 push edx 0x000000a1 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43A8C0 second address: 43A8CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F59E0FE79C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43A8CB second address: 43A8E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b jmp 00007F59E0FDFABBh 0x00000010 pop ebx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43A8E2 second address: 43A9B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [esp+04h] 0x0000000d jmp 00007F59E0FE79D0h 0x00000012 mov eax, dword ptr [eax] 0x00000014 jl 00007F59E0FE79CAh 0x0000001a mov dword ptr [esp+04h], eax 0x0000001e jmp 00007F59E0FE79D0h 0x00000023 pop eax 0x00000024 push 00000000h 0x00000026 push ecx 0x00000027 call 00007F59E0FE79C8h 0x0000002c pop ecx 0x0000002d mov dword ptr [esp+04h], ecx 0x00000031 add dword ptr [esp+04h], 00000018h 0x00000039 inc ecx 0x0000003a push ecx 0x0000003b ret 0x0000003c pop ecx 0x0000003d ret 0x0000003e call 00007F59E0FE79D0h 0x00000043 pop edi 0x00000044 jc 00007F59E0FE79DBh 0x0000004a jl 00007F59E0FE79D5h 0x00000050 jmp 00007F59E0FE79CFh 0x00000055 push 00000003h 0x00000057 xor esi, dword ptr [ebp+122D3C4Eh] 0x0000005d push 00000000h 0x0000005f push edi 0x00000060 sub dword ptr [ebp+122D1BAAh], esi 0x00000066 pop ecx 0x00000067 push 00000003h 0x00000069 add dword ptr [ebp+122D1B2Ch], edx 0x0000006f call 00007F59E0FE79C9h 0x00000074 push eax 0x00000075 push edx 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007F59E0FE79D8h 0x0000007d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 43A9B0 second address: 43A9B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43A9B6 second address: 43AA34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007F59E0FE79C6h 0x00000009 jmp 00007F59E0FE79D5h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007F59E0FE79D2h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push ecx 0x0000001c jmp 00007F59E0FE79D8h 0x00000021 pop ecx 0x00000022 mov eax, dword ptr [eax] 0x00000024 jnp 00007F59E0FE79D8h 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e push eax 0x0000002f push edx 0x00000030 jng 00007F59E0FE79CCh 0x00000036 jbe 00007F59E0FE79C6h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43AA34 second address: 43AA87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a xor dword ptr [ebp+122D1820h], ebx 0x00000010 lea ebx, dword ptr [ebp+1245E73Ch] 0x00000016 call 00007F59E0FDFAC7h 0x0000001b mov edi, dword ptr [ebp+122D3C5Eh] 0x00000021 pop edi 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 jmp 00007F59E0FDFABAh 0x0000002b push edi 0x0000002c pop edi 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43AB39 second address: 43AB5E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jp 00007F59E0FE79D4h 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43AB5E second address: 43AB8F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F59E0FDFAB8h 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f jmp 00007F59E0FDFABBh 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F59E0FDFABFh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43ACB5 second address: 43ACBF instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 43ACBF second address: 43AD8D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c mov esi, ebx 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F59E0FDFAB8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a sub dword ptr [ebp+122D20C7h], edi 0x00000030 jnp 00007F59E0FDFABCh 0x00000036 push 6658276Fh 0x0000003b jnc 00007F59E0FDFAC1h 0x00000041 jmp 00007F59E0FDFABBh 0x00000046 xor dword ptr [esp], 665827EFh 0x0000004d mov edi, dword ptr [ebp+122D3C7Ah] 0x00000053 push 00000003h 0x00000055 mov edi, dword ptr [ebp+122D2C9Ah] 0x0000005b push 00000000h 0x0000005d add dword ptr [ebp+122D1C4Dh], esi 0x00000063 push 00000003h 0x00000065 push 00000000h 0x00000067 push eax 0x00000068 call 00007F59E0FDFAB8h 0x0000006d pop eax 0x0000006e mov dword ptr [esp+04h], eax 0x00000072 add dword ptr [esp+04h], 0000001Ch 0x0000007a inc eax 0x0000007b push eax 0x0000007c ret 0x0000007d pop eax 0x0000007e ret 0x0000007f sbb edx, 6C2D5A01h 0x00000085 push FD4A3680h 0x0000008a push eax 0x0000008b push edx 0x0000008c jmp 00007F59E0FDFAC3h 0x00000091 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45AB1C second address: 45AB30 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jl 00007F59E0FE79CAh 0x00000010 pushad 0x00000011 popad 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 424D6C second address: 424DB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push edi 0x00000009 pop edi 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F59E0FDFABFh 0x00000011 popad 0x00000012 jmp 00007F59E0FDFAC8h 0x00000017 jmp 00007F59E0FDFABEh 0x0000001c popad 0x0000001d push ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push esi 0x00000021 pop esi 0x00000022 push esi 0x00000023 pop esi 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 458A30 second address: 458A50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CFh 0x00000007 jp 00007F59E0FE79C8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 458A50 second address: 458A61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jbe 00007F59E0FDFABCh 0x0000000b jl 00007F59E0FDFAB6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 458A61 second address: 458A66 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4590FD second address: 45911B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F59E0FDFAC5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4596D5 second address: 4596DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 459B01 second address: 459B16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F59E0FDFAB6h 0x0000000a jmp 00007F59E0FDFABBh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 459B16 second address: 459B1F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 429DA6 second address: 429DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 429DAC second address: 429DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 je 00007F59E0FE79D6h 0x0000000c push edi 0x0000000d jp 00007F59E0FE79C6h 0x00000013 pop edi 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 459C58 second address: 459C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 459C5C second address: 459C6E instructions: 0x00000000 rdtsc 0x00000002 jne 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 459C6E second address: 459C72 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45A3A3 second address: 45A3A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45A3A7 second address: 45A3C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F59E0FDFAB6h 0x0000000a jmp 00007F59E0FDFAC3h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45A3C4 second address: 45A3CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45A3CA second address: 45A3E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59E0FDFAC3h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 45F36A second address: 45F38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F59E0FE79E1h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 461593 second address: 461599 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 461599 second address: 46159E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 462464 second address: 462472 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 462472 second address: 462478 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 462478 second address: 462486 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 462486 second address: 46248A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46248A second address: 4624C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F59E0FDFABCh 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F59E0FDFAC7h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4624C5 second address: 4624CA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4624CA second address: 4624D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4624D7 second address: 4624F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FE79D0h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4624F0 second address: 4624F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4624F4 second address: 4624F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46264A second address: 462661 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007F59E0FDFAC4h 0x0000000f push eax 0x00000010 push edx 0x00000011 jp 00007F59E0FDFAB6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 465C05 second address: 465C09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 465C09 second address: 465C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pushad 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 465D55 second address: 465D59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 465D59 second address: 465D65 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F59E0FDFAB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 465F06 second address: 465F16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F59E0FE79C6h 0x0000000a js 00007F59E0FE79C6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46638D second address: 466391 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467DBE second address: 467DC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467DC3 second address: 467DC9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467DC9 second address: 467DCD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467DCD second address: 467DFD instructions: 0x00000000 rdtsc 0x00000002 jno 00007F59E0FDFAB6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f je 00007F59E0FDFAB6h 0x00000015 push edx 0x00000016 pop edx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push edx 0x0000001c jl 00007F59E0FDFABAh 0x00000022 push ebx 0x00000023 pop ebx 0x00000024 pushad 0x00000025 popad 0x00000026 push edx 0x00000027 jnc 00007F59E0FDFAB6h 0x0000002d push ecx 0x0000002e pop ecx 0x0000002f pop edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467DFD second address: 467E05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467E05 second address: 467E09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 467E09 second address: 467E1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F59E0FE79C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F59E0FE79C6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A4A7 second address: 46A4AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A4AB second address: 46A4B1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A4B1 second address: 46A51D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 2A941C6Eh 0x00000010 push 00000000h 0x00000012 push edx 0x00000013 call 00007F59E0FDFAB8h 0x00000018 pop edx 0x00000019 mov dword ptr [esp+04h], edx 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc edx 0x00000026 push edx 0x00000027 ret 0x00000028 pop edx 0x00000029 ret 0x0000002a movzx edi, ax 0x0000002d jmp 00007F59E0FDFABFh 0x00000032 jmp 00007F59E0FDFAC1h 0x00000037 push 53997933h 0x0000003c push eax 0x0000003d push edx 0x0000003e push ecx 0x0000003f pushad 0x00000040 popad 0x00000041 pop ecx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A51D second address: 46A522 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A5C6 second address: 46A5CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46A5CB second address: 46A5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46B1DE second address: 46B1E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46BC38 second address: 46BC4B instructions: 0x00000000 rdtsc 0x00000002 jg 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46BC4B second address: 46BC50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46BC50 second address: 46BC56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46BC56 second address: 46BC5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46C3F3 second address: 46C3F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46F5F2 second address: 46F602 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59E0FDFABBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 470A9E second address: 470AA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 46FE35 second address: 46FE39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 470844 second address: 470857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pop edi 0x00000008 push eax 0x00000009 push esi 0x0000000a pushad 0x0000000b jg 00007F59E0FE79C6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 471384 second address: 471395 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFABDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 472A6B second address: 472A6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4760E7 second address: 47611F instructions: 0x00000000 rdtsc 0x00000002 js 00007F59E0FDFAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007F59E0FDFAC9h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F59E0FDFAC0h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4776E9 second address: 4776F4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F59E0FE79C6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4776F4 second address: 47775A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push edi 0x00000009 jmp 00007F59E0FDFAC9h 0x0000000e pop edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push ebx 0x00000016 call 00007F59E0FDFAB8h 0x0000001b pop ebx 0x0000001c mov dword ptr [esp+04h], ebx 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc ebx 0x00000029 push ebx 0x0000002a ret 0x0000002b pop ebx 0x0000002c ret 0x0000002d or ebx, dword ptr [ebp+122D3039h] 0x00000033 xor di, 6636h 0x00000038 push eax 0x00000039 pushad 0x0000003a jng 00007F59E0FDFAB8h 0x00000040 push edx 0x00000041 pop edx 0x00000042 jng 00007F59E0FDFABCh 0x00000048 push eax 0x00000049 push edx 0x0000004a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 478962 second address: 478968 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 479911 second address: 479930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F59E0FDFAC8h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 479930 second address: 47994C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007F59E0FE79D0h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47A95F second address: 47A964 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47B729 second address: 47B73C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59E0FE79CEh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47A964 second address: 47A97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C64D second address: 47C658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edi 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C6E8 second address: 47C6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C6EC second address: 47C6F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C6F0 second address: 47C711 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F59E0FDFAC9h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47D5E0 second address: 47D5E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C8DB second address: 47C8F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47D5E4 second address: 47D606 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F59E0FE79D0h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47C8F8 second address: 47C902 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F59E0FDFAB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47E587 second address: 47E597 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79CCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47D7AA second address: 47D7AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47D7AE second address: 47D7B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47D7B4 second address: 47D7B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 480620 second address: 480626 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 480626 second address: 48062A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4815E4 second address: 4815F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4815F5 second address: 48165D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a jne 00007F59E0FDFAB7h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007F59E0FDFAB8h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c push 00000000h 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F59E0FDFAB8h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 stc 0x00000049 or bl, FFFFFF91h 0x0000004c xchg eax, esi 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 48165D second address: 481662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 481662 second address: 481695 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b jmp 00007F59E0FDFABFh 0x00000010 jp 00007F59E0FDFABCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47F5CD second address: 47F5E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79D5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 47F5E6 second address: 47F5EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 48337F second address: 483384 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 480776 second address: 48077B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 483384 second address: 4833CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+12461E2Dh], ecx 0x00000010 push 00000000h 0x00000012 mov edi, dword ptr [ebp+122D3912h] 0x00000018 push 00000000h 0x0000001a mov dword ptr [ebp+122D30DBh], edx 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushad 0x00000023 pushad 0x00000024 popad 0x00000025 jns 00007F59E0FE79C6h 0x0000002b popad 0x0000002c push ecx 0x0000002d push edi 0x0000002e pop edi 0x0000002f pop ecx 0x00000030 popad 0x00000031 push eax 0x00000032 pushad 0x00000033 pushad 0x00000034 push eax 0x00000035 pop eax 0x00000036 ja 00007F59E0FE79C6h 0x0000003c popad 0x0000003d push eax 0x0000003e push edx 0x0000003f jmp 00007F59E0FE79CAh 0x00000044 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 4817DC second address: 481812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jmp 00007F59E0FDFAC8h 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 jmp 00007F59E0FDFAC1h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 48077B second address: 480834 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnc 00007F59E0FE79C6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d pushad 0x0000000e jc 00007F59E0FE79C8h 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F59E0FE79D7h 0x0000001b popad 0x0000001c nop 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007F59E0FE79C8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 0000001Dh 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 jmp 00007F59E0FE79D8h 0x0000003c push dword ptr fs:[00000000h] 0x00000043 mov di, 014Dh 0x00000047 mov dword ptr fs:[00000000h], esp 0x0000004e mov edi, dword ptr [ebp+122D2FDDh] 0x00000054 mov eax, dword ptr [ebp+122D06ADh] 0x0000005a push ecx 0x0000005b or ebx, dword ptr [ebp+122D3B9Ah] 0x00000061 pop ebx 0x00000062 push FFFFFFFFh 0x00000064 mov bh, EEh 0x00000066 adc ebx, 37F7968Ah 0x0000006c nop 0x0000006d push ebx 0x0000006e jmp 00007F59E0FE79CFh 0x00000073 pop ebx 0x00000074 push eax 0x00000075 jnp 00007F59E0FE79E0h 0x0000007b push eax 0x0000007c push edx 0x0000007d push eax 0x0000007e push edx 0x0000007f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe	RDTSC instruction interceptor: First address: 480834 second address: 480838 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 482692 second address: 482696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 482696 second address: 4826FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 jmp 00007F59E0FDFAC1h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 add dword ptr [ebp+122D1AD7h], ecx 0x0000001a mov edi, dword ptr [ebp+122D39BAh] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push ebp 0x0000002a call 00007F59E0FDFAB8h 0x0000002f pop ebp 0x00000030 mov dword ptr [esp+04h], ebp 0x00000034 add dword ptr [esp+04h], 00000015h 0x0000003c inc ebp 0x0000003d push ebp 0x0000003e ret 0x0000003f pop ebp 0x00000040 ret 0x00000041 mov eax, dword ptr [ebp+122D0F71h] 0x00000047 cmc 0x00000048 push FFFFFFFFh 0x0000004a movzx edi, di 0x0000004d nop 0x0000004e pushad 0x0000004f pushad 0x00000050 pushad 0x00000051 popad 0x00000052 pushad 0x00000053 popad 0x00000054 popad 0x00000055 push eax 0x00000056 push edx 0x00000057 push edi 0x00000058 pop edi 0x00000059 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4855AA second address: 4855B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 484541 second address: 48454A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 484635 second address: 484639 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 48572E second address: 4857E9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F59E0FDFABCh 0x00000008 jbe 00007F59E0FDFAB6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 jmp 00007F59E0FDFAC1h 0x00000016 nop 0x00000017 push 00000000h 0x00000019 push ecx 0x0000001a call 00007F59E0FDFAB8h 0x0000001f pop ecx 0x00000020 mov dword ptr [esp+04h], ecx 0x00000024 add dword ptr [esp+04h], 0000001Bh 0x0000002c inc ecx 0x0000002d push ecx 0x0000002e ret 0x0000002f pop ecx 0x00000030 ret 0x00000031 push dword ptr fs:[00000000h] 0x00000038 push 00000000h 0x0000003a push ebx 0x0000003b call 00007F59E0FDFAB8h 0x00000040 pop ebx 0x00000041 mov dword ptr [esp+04h], ebx 0x00000045 add dword ptr [esp+04h], 00000016h 0x0000004d inc ebx 0x0000004e push ebx 0x0000004f ret 0x00000050 pop ebx 0x00000051 ret 0x00000052 mov dword ptr [ebp+12461E2Dh], ecx 0x00000058 mov dword ptr fs:[00000000h], esp 0x0000005f mov ebx, edi 0x00000061 mov eax, dword ptr [ebp+122D06CDh] 0x00000067 jmp 00007F59E0FDFAC3h 0x0000006c push FFFFFFFFh 0x0000006e or dword ptr [ebp+122D2AE5h], edx 0x00000074 mov ebx, dword ptr [ebp+122D186Dh] 0x0000007a nop 0x0000007b push eax 0x0000007c push edx 0x0000007d pushad 0x0000007e jmp 00007F59E0FDFAC3h 0x00000083 push esi 0x00000084 pop esi 0x00000085 popad 0x00000086 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4857E9 second address: 4857F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F59E0FE79C6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 48CCB3 second address: 48CCBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 48CCBB second address: 48CCBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 491DE3 second address: 491DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 491DE7 second address: 491DF6 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 491E9D second address: 491EA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 491EA1 second address: 491EA7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 491EA7 second address: 491EB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFABCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 41E132 second address: 41E148 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FE79D0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 41E148 second address: 41E153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 41E153 second address: 41E16E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D7h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 497A8B second address: 497A91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 497A91 second address: 497AA2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59E0FE79CBh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 497AA2 second address: 497AA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 497AA7 second address: 497AAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 497AAF second address: 497ACA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F59E0FDFAC2h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4982A7 second address: 4982AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49859A second address: 4985A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F59E0FDFAB6h 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4985A7 second address: 4985AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498705 second address: 498709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49884D second address: 498858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F59E0FE79C6h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498AB8 second address: 498AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F59E0FDFABEh 0x0000000b popad 0x0000000c pushad 0x0000000d ja 00007F59E0FDFAB6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498AD6 second address: 498AF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F59E0FE79C6h 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F59E0FE79CEh 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498AF2 second address: 498AF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498C4F second address: 498C5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 jp 00007F59E0FE79C6h 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 498C5E second address: 498C75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC3h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EF5B second address: 49EF61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49DCF1 second address: 49DCF6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49DCF6 second address: 49DCFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49DCFC second address: 49DD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F59E0FDFABDh 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 468CEF second address: 468CF3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 468CF3 second address: 468CF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4691ED second address: 4691F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 469425 second address: 46942E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 46942E second address: 469432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4695FE second address: 469645 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F59E0FDFAB8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e ja 00007F59E0FDFAC5h 0x00000014 mov eax, dword ptr [eax] 0x00000016 pushad 0x00000017 jbe 00007F59E0FDFAB8h 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f jo 00007F59E0FDFAB8h 0x00000025 push eax 0x00000026 pop eax 0x00000027 popad 0x00000028 mov dword ptr [esp+04h], eax 0x0000002c push eax 0x0000002d push edx 0x0000002e jg 00007F59E0FDFAB8h 0x00000034 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 469645 second address: 46964F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F59E0FE79C6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 46970D second address: 469711 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4697E8 second address: 46983C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ecx 0x0000000a call 00007F59E0FE79C8h 0x0000000f pop ecx 0x00000010 mov dword ptr [esp+04h], ecx 0x00000014 add dword ptr [esp+04h], 0000001Ch 0x0000001c inc ecx 0x0000001d push ecx 0x0000001e ret 0x0000001f pop ecx 0x00000020 ret 0x00000021 push edi 0x00000022 or dword ptr [ebp+122D1DE3h], edx 0x00000028 pop edx 0x00000029 mov ecx, dword ptr [ebp+122D3A8Eh] 0x0000002f push 00000004h 0x00000031 nop 0x00000032 push ebx 0x00000033 jnc 00007F59E0FE79CCh 0x00000039 pop ebx 0x0000003a push eax 0x0000003b pushad 0x0000003c push eax 0x0000003d push edx 0x0000003e ja 00007F59E0FE79C6h 0x00000044 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E00F second address: 49E016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E30A second address: 49E310 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E768 second address: 49E775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F59E0FDFAB8h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E775 second address: 49E77F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F59E0FE79C6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E77F second address: 49E783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E783 second address: 49E78D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49E78D second address: 49E793 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EA6D second address: 49EA98 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59E0FE79E3h 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EA98 second address: 49EA9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EA9C second address: 49EAC0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d jp 00007F59E0FE79C6h 0x00000013 pop esi 0x00000014 pushad 0x00000015 jng 00007F59E0FE79C6h 0x0000001b push esi 0x0000001c pop esi 0x0000001d jg 00007F59E0FE79C6h 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EAC0 second address: 49EAE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59E0FDFABAh 0x00000008 jmp 00007F59E0FDFAC2h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 49EAE1 second address: 49EAE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A3664 second address: 4A368F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jns 00007F59E0FDFAB6h 0x0000000d pushad 0x0000000e popad 0x0000000f push edx 0x00000010 pop edx 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F59E0FDFAC7h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A310B second address: 4A311A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A311A second address: 4A311E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A311E second address: 4A312E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F59E0FE79C6h 0x00000008 jns 00007F59E0FE79C6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A4158 second address: 4A4164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4A4454 second address: 4A4466 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jne 00007F59E0FE79C6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 41FB6A second address: 41FB6E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 41FB6E second address: 41FB76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4AD26B second address: 4AD298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007F59E0FDFAB6h 0x0000000c jmp 00007F59E0FDFAC2h 0x00000011 popad 0x00000012 push edi 0x00000013 pushad 0x00000014 popad 0x00000015 pop edi 0x00000016 js 00007F59E0FDFABEh 0x0000001c push eax 0x0000001d pop eax 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4ADAB1 second address: 4ADAF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F59E0FE79D0h 0x0000000b pushad 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F59E0FE79CDh 0x00000014 jg 00007F59E0FE79C6h 0x0000001a popad 0x0000001b jg 00007F59E0FE79D2h 0x00000021 push edx 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4ADD8E second address: 4ADD9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F59E0FDFABAh 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4ADD9F second address: 4ADDA3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4ADDA3 second address: 4ADDA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4ADDA9 second address: 4ADDEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F59E0FE79D0h 0x0000000a jno 00007F59E0FE79C6h 0x00000010 popad 0x00000011 jl 00007F59E0FE79C8h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jmp 00007F59E0FE79D6h 0x00000021 push eax 0x00000022 push edx 0x00000023 push ebx 0x00000024 pop ebx 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4AE21D second address: 4AE223 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4AE223 second address: 4AE22E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4AE22E second address: 4AE234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B1C1B second address: 4B1C5D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F59E0FE79D7h 0x0000000f jmp 00007F59E0FE79CCh 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B1C5D second address: 4B1C63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B1C63 second address: 4B1C69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B1C69 second address: 4B1C6D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B1C6D second address: 4B1C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59E0FE79C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F59E0FE79D2h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 push esi 0x00000015 pushad 0x00000016 popad 0x00000017 pop esi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4B4894 second address: 4B48B0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABAh 0x00000007 je 00007F59E0FDFAB6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007F59E0FDFAB6h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 516BF0 second address: 516BF6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 516BF6 second address: 516C0B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F59E0FDFABCh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 516C0B second address: 516C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 52E85A second address: 52E867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 52E867 second address: 52E86B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 52E70B second address: 52E727 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 52E727 second address: 52E72B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 52E72B second address: 52E733 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53B042 second address: 53B047 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53B047 second address: 53B04D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53B04D second address: 53B071 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F59E0FE79D9h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53AECD second address: 53AED1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53DCC5 second address: 53DCEA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D6h 0x00000007 jo 00007F59E0FE79C6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53DCEA second address: 53DCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53DCF0 second address: 53DD01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F59E0FE79C6h 0x0000000a jc 00007F59E0FE79C6h 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53D8C2 second address: 53D8CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 53D8CC second address: 53D8E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 push eax 0x00000009 pushad 0x0000000a jc 00007F59E0FE79C6h 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 560B28 second address: 560B46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FDFAC3h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 560B46 second address: 560B4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55F9E3 second address: 55F9F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FDFABBh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55F9F2 second address: 55FA18 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 ja 00007F59E0FE79C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F59E0FE79D7h 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55FB49 second address: 55FB4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55FB4F second address: 55FB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55FCB2 second address: 55FCBC instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F59E0FDFAB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 55FF93 second address: 55FF9D instructions: 0x00000000 rdtsc 0x00000002 jp 00007F59E0FE79E0h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 56050B second address: 560511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 560511 second address: 560530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FE79CCh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F59E0FE79C6h 0x00000012 jg 00007F59E0FE79C6h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 560692 second address: 56069C instructions: 0x00000000 rdtsc 0x00000002 je 00007F59E0FDFAB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 56069C second address: 5606A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 5606A7 second address: 5606C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FDFABDh 0x00000009 popad 0x0000000a ja 00007F59E0FDFAC2h 0x00000010 jns 00007F59E0FDFAB6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 56083B second address: 560842 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 56370F second address: 563713 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 563A4D second address: 563A5D instructions: 0x00000000 rdtsc 0x00000002 js 00007F59E0FE79C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 563A5D second address: 563A61 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 563A61 second address: 563A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F59E0FE79D0h 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 pushad 0x00000011 jbe 00007F59E0FE79CCh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 566681 second address: 56669D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FDFAC7h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 56669D second address: 5666A2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 5666A2 second address: 5666A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 5666A8 second address: 5666AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80605 second address: 4C8063A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F59E0FDFAC0h 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F59E0FDFAC7h 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C8063A second address: 4C8063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C8063F second address: 4C80669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 6E68h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d jmp 00007F59E0FDFAC7h 0x00000012 pop ebp 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov bh, cl 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00D27 second address: 4C00D2D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00D2D second address: 4C00D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d call 00007F59E0FDFAC4h 0x00000012 call 00007F59E0FDFAC2h 0x00000017 pop eax 0x00000018 pop edi 0x00000019 mov ah, E2h 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F59E0FDFAC6h 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00D85 second address: 4C00DD0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 pushfd 0x00000007 jmp 00007F59E0FE79CDh 0x0000000c or cl, FFFFFFD6h 0x0000000f jmp 00007F59E0FE79D1h 0x00000014 popfd 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push dword ptr [ebp+04h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F59E0FE79D8h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00DD0 second address: 4C00DD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00DD6 second address: 4C00DDC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00DDC second address: 4C00DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C00DE0 second address: 4C00DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50B1E second address: 4C50BC1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F59E0FDFAC4h 0x00000011 adc esi, 13183808h 0x00000017 jmp 00007F59E0FDFABBh 0x0000001c popfd 0x0000001d mov cx, BE7Fh 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007F59E0FDFAC5h 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F59E0FDFABCh 0x00000030 sbb ah, FFFFFF98h 0x00000033 jmp 00007F59E0FDFABBh 0x00000038 popfd 0x00000039 pushfd 0x0000003a jmp 00007F59E0FDFAC8h 0x0000003f xor cx, 57F8h 0x00000044 jmp 00007F59E0FDFABBh 0x00000049 popfd 0x0000004a popad 0x0000004b mov ebp, esp 0x0000004d pushad 0x0000004e push eax 0x0000004f push edx 0x00000050 mov edx, eax 0x00000052 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80D4E second address: 4C80D84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F59E0FE79D4h 0x0000000a xor ax, 3E08h 0x0000000f jmp 00007F59E0FE79CBh 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b movsx edi, si 0x0000001e push ecx 0x0000001f pop edi 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80D84 second address: 4C80D9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80D9C second address: 4C80E05 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov cl, 2Ch 0x0000000c pushfd 0x0000000d jmp 00007F59E0FE79D9h 0x00000012 sub eax, 3F6D5136h 0x00000018 jmp 00007F59E0FE79D1h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 jmp 00007F59E0FE79CEh 0x00000025 mov ebp, esp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F59E0FE79D7h 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80E05 second address: 4C80E1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80E1D second address: 4C80E35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80E35 second address: 4C80E50 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80E50 second address: 4C80E56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80E56 second address: 4C80E5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C10539 second address: 4C1053F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C1053F second address: 4C10543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C10543 second address: 4C10547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C10547 second address: 4C10553 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C10553 second address: 4C105A7 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pop ebx 0x0000000a mov di, ax 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], ebp 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007F59E0FE79CAh 0x00000019 and cl, 00000018h 0x0000001c jmp 00007F59E0FE79CBh 0x00000021 popfd 0x00000022 movzx ecx, di 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 jmp 00007F59E0FE79D1h 0x0000002e mov si, C8B7h 0x00000032 popad 0x00000033 pop ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 mov dl, 6Ah 0x00000039 movzx esi, bx 0x0000003c popad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80486 second address: 4C804D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007F59E0FDFAC5h 0x0000000b sbb ax, 7D56h 0x00000010 jmp 00007F59E0FDFAC1h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 xchg eax, ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F59E0FDFAC8h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C804D8 second address: 4C804DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C804DE second address: 4C804E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80B26 second address: 4C80B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80B3A second address: 4C80B72 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59E0FDFAC1h 0x00000008 call 00007F59E0FDFAC0h 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F59E0FDFABCh 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80B72 second address: 4C80BB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [ebp+08h] 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F59E0FE79CBh 0x00000015 xor cx, 791Eh 0x0000001a jmp 00007F59E0FE79D9h 0x0000001f popfd 0x00000020 movzx eax, di 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80BB6 second address: 4C80BEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F59E0FDFAC8h 0x00000009 jmp 00007F59E0FDFAC5h 0x0000000e popfd 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C80BEA second address: 4C80C07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 and dword ptr [eax], 00000000h 0x0000000a pushad 0x0000000b movzx esi, bx 0x0000000e mov esi, edi 0x00000010 popad 0x00000011 and dword ptr [eax+04h], 00000000h 0x00000015 pushad 0x00000016 push eax 0x00000017 push edx 0x00000018 mov edi, 2FB134C0h 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50A79 second address: 4C50ABA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F59E0FDFAC9h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F59E0FDFABDh 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50ABA second address: 4C50AE5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007F59E0FE79CEh 0x00000010 pop ebp 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 mov cl, CBh 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C9001B second address: 4C9008F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov ebx, eax 0x0000000d mov ax, EDAFh 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007F59E0FDFAC5h 0x00000018 xchg eax, ebp 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007F59E0FDFAC8h 0x00000020 or ax, 5F38h 0x00000025 jmp 00007F59E0FDFABBh 0x0000002a popfd 0x0000002b popad 0x0000002c mov ebp, esp 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 mov ecx, ebx 0x00000033 mov cx, di 0x00000036 popad 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C3076F second address: 4C30775 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C30775 second address: 4C30779 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C30779 second address: 4C307DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F59E0FE79D6h 0x00000011 push eax 0x00000012 pushad 0x00000013 mov ch, dh 0x00000015 pushfd 0x00000016 jmp 00007F59E0FE79CAh 0x0000001b xor ch, 00000068h 0x0000001e jmp 00007F59E0FE79CBh 0x00000023 popfd 0x00000024 popad 0x00000025 xchg eax, ebp 0x00000026 jmp 00007F59E0FE79D6h 0x0000002b mov ebp, esp 0x0000002d push eax 0x0000002e push edx 0x0000002f push eax 0x00000030 push edx 0x00000031 push eax 0x00000032 push edx 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C307DF second address: 4C307E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C307E3 second address: 4C307E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C307E7 second address: 4C307ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C307ED second address: 4C307FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79CBh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90AAE second address: 4C90AB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90AB4 second address: 4C90AB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90AB8 second address: 4C90ABC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90ABC second address: 4C90AF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a mov esi, 298B96DBh 0x0000000f mov di, si 0x00000012 popad 0x00000013 mov dword ptr [esp], ebp 0x00000016 pushad 0x00000017 pushad 0x00000018 jmp 00007F59E0FE79D6h 0x0000001d mov ecx, 389CAF31h 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90AF4 second address: 4C90B05 instructions: 0x00000000 rdtsc 0x00000002 mov si, 1369h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90B05 second address: 4C90B16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90B16 second address: 4C90B9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007F59E0FDFAC3h 0x0000000b jmp 00007F59E0FDFAC3h 0x00000010 popfd 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 xchg eax, ecx 0x00000015 pushad 0x00000016 mov ecx, 7B7F7C6Bh 0x0000001b pushad 0x0000001c jmp 00007F59E0FDFABEh 0x00000021 pushfd 0x00000022 jmp 00007F59E0FDFAC2h 0x00000027 sub ah, 00000028h 0x0000002a jmp 00007F59E0FDFABBh 0x0000002f popfd 0x00000030 popad 0x00000031 popad 0x00000032 push eax 0x00000033 push eax 0x00000034 push edx 0x00000035 pushad 0x00000036 jmp 00007F59E0FDFAC2h 0x0000003b mov bx, cx 0x0000003e popad 0x0000003f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90B9A second address: 4C90BD4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F59E0FE79CDh 0x00000008 pushfd 0x00000009 jmp 00007F59E0FE79D0h 0x0000000e and al, FFFFFFE8h 0x00000011 jmp 00007F59E0FE79CBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90BD4 second address: 4C90BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90BD8 second address: 4C90BDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90BDE second address: 4C90C4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F59E0FDFAC8h 0x00000009 sbb esi, 7B083878h 0x0000000f jmp 00007F59E0FDFABBh 0x00000014 popfd 0x00000015 jmp 00007F59E0FDFAC8h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov eax, dword ptr [76FB65FCh] 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushfd 0x00000026 jmp 00007F59E0FDFABCh 0x0000002b sub ax, 2208h 0x00000030 jmp 00007F59E0FDFABBh 0x00000035 popfd 0x00000036 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90C4D second address: 4C90CBD instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F59E0FE79D8h 0x00000008 sub eax, 64784468h 0x0000000e jmp 00007F59E0FE79CBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushfd 0x00000017 jmp 00007F59E0FE79D8h 0x0000001c jmp 00007F59E0FE79D5h 0x00000021 popfd 0x00000022 popad 0x00000023 test eax, eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F59E0FE79CDh 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90CBD second address: 4C90CC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90CC2 second address: 4C90CDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bx, 6540h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b je 00007F5A5328A65Fh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop edi 0x00000016 mov bx, ax 0x00000019 popad 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90CDC second address: 4C90CF4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90CF4 second address: 4C90CF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C9019B second address: 4C901A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901A1 second address: 4C901B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, ax 0x00000006 mov ecx, 1055B06Fh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901B6 second address: 4C901BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901BA second address: 4C901BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901BE second address: 4C901C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901C4 second address: 4C901CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901CA second address: 4C901CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901CE second address: 4C901EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901EA second address: 4C901F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F59E0FDFABAh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901F9 second address: 4C901FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C901FF second address: 4C90203 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90203 second address: 4C9023F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F59E0FE79CEh 0x00000011 mov ebp, esp 0x00000013 jmp 00007F59E0FE79D0h 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C9023F second address: 4C90243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90243 second address: 4C9024E instructions: 0x00000000 rdtsc 0x00000002 mov ebx, ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov dx, si 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C9024E second address: 4C90270 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and dword ptr [eax], 00000000h 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F59E0FDFAC4h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90270 second address: 4C9027F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79CBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C9027F second address: 4C90285 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90285 second address: 4C90289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C90289 second address: 4C902CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F59E0FDFABBh 0x00000015 sub cx, 678Eh 0x0000001a jmp 00007F59E0FDFAC9h 0x0000001f popfd 0x00000020 mov dx, cx 0x00000023 popad 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C902CD second address: 4C902D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C902D3 second address: 4C902D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50016 second address: 4C5002E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79D4h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C5002E second address: 4C50032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50032 second address: 4C50083 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F59E0FE79D8h 0x00000012 add eax, 2212BDD8h 0x00000018 jmp 00007F59E0FE79CBh 0x0000001d popfd 0x0000001e popad 0x0000001f mov ebp, esp 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007F59E0FE79D5h 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50083 second address: 4C50093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFABCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50093 second address: 4C5013C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b pushad 0x0000000c mov ebx, 16534380h 0x00000011 mov ecx, ebx 0x00000013 popad 0x00000014 push esi 0x00000015 jmp 00007F59E0FE79D0h 0x0000001a mov dword ptr [esp], ecx 0x0000001d pushad 0x0000001e mov ecx, 0601839Dh 0x00000023 pushfd 0x00000024 jmp 00007F59E0FE79CAh 0x00000029 add si, ACF8h 0x0000002e jmp 00007F59E0FE79CBh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebx 0x00000036 jmp 00007F59E0FE79D6h 0x0000003b push eax 0x0000003c pushad 0x0000003d push edx 0x0000003e push esi 0x0000003f pop ebx 0x00000040 pop eax 0x00000041 pushad 0x00000042 push ebx 0x00000043 pop eax 0x00000044 pushfd 0x00000045 jmp 00007F59E0FE79CBh 0x0000004a adc eax, 4E37561Eh 0x00000050 jmp 00007F59E0FE79D9h 0x00000055 popfd 0x00000056 popad 0x00000057 popad 0x00000058 xchg eax, ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007F59E0FE79CDh 0x00000060 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C5013C second address: 4C50145 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, C7E2h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50145 second address: 4C50164 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F59E0FE79D1h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50164 second address: 4C50168 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50168 second address: 4C5016E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C5016E second address: 4C501AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F59E0FDFABAh 0x00000008 pop esi 0x00000009 mov ax, bx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 mov ax, 0C9Fh 0x00000015 jmp 00007F59E0FDFAC4h 0x0000001a popad 0x0000001b mov dword ptr [esp], esi 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F59E0FDFABAh 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C501AE second address: 4C501B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C501B4 second address: 4C501BA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C501BA second address: 4C501BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C501BE second address: 4C501F8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov esi, dword ptr [ebp+08h] 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59E0FDFAC7h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C501F8 second address: 4C50283 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, edi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007F59E0FE79CCh 0x00000011 xor esi, 537F9A58h 0x00000017 jmp 00007F59E0FE79CBh 0x0000001c popfd 0x0000001d push esi 0x0000001e mov bx, 157Ah 0x00000022 pop edx 0x00000023 popad 0x00000024 push eax 0x00000025 pushad 0x00000026 jmp 00007F59E0FE79D7h 0x0000002b mov ax, F4EFh 0x0000002f popad 0x00000030 xchg eax, edi 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007F59E0FE79D0h 0x00000038 or si, 5F18h 0x0000003d jmp 00007F59E0FE79CBh 0x00000042 popfd 0x00000043 push eax 0x00000044 push edx 0x00000045 mov ebx, ecx 0x00000047 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C50283 second address: 4C502DA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a test esi, esi 0x0000000c pushad 0x0000000d jmp 00007F59E0FDFABEh 0x00000012 pushfd 0x00000013 jmp 00007F59E0FDFAC2h 0x00000018 adc cl, FFFFFFD8h 0x0000001b jmp 00007F59E0FDFABBh 0x00000020 popfd 0x00000021 popad 0x00000022 je 00007F5A532BDDFDh 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C502DA second address: 4C502E0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C502E0 second address: 4C502FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFAC9h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C502FD second address: 4C50375 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 jmp 00007F59E0FE79CEh 0x00000017 je 00007F5A532C5CC8h 0x0000001d pushad 0x0000001e push esi 0x0000001f pushfd 0x00000020 jmp 00007F59E0FE79CDh 0x00000025 adc ah, 00000036h 0x00000028 jmp 00007F59E0FE79D1h 0x0000002d popfd 0x0000002e pop ecx 0x0000002f push edx 0x00000030 jmp 00007F59E0FE79CCh 0x00000035 pop esi 0x00000036 popad 0x00000037 mov edx, dword ptr [esi+44h] 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007F59E0FE79CCh 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60056 second address: 4C6005C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6005C second address: 4C60092 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a call 00007F59E0FE79D0h 0x0000000f mov bh, cl 0x00000011 pop edx 0x00000012 mov dl, ch 0x00000014 popad 0x00000015 xchg eax, ebp 0x00000016 jmp 00007F59E0FE79CFh 0x0000001b mov ebp, esp 0x0000001d pushad 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60092 second address: 4C600D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F59E0FDFAC0h 0x0000000a and al, 00000018h 0x0000000d jmp 00007F59E0FDFABBh 0x00000012 popfd 0x00000013 popad 0x00000014 pushad 0x00000015 mov ax, 9665h 0x00000019 movzx eax, bx 0x0000001c popad 0x0000001d popad 0x0000001e and esp, FFFFFFF8h 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F59E0FDFABFh 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C600D7 second address: 4C600DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C600DD second address: 4C6010F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFAC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F59E0FDFAC7h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6010F second address: 4C60195 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FE79D9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F59E0FE79D1h 0x0000000f xchg eax, ebx 0x00000010 pushad 0x00000011 jmp 00007F59E0FE79CCh 0x00000016 jmp 00007F59E0FE79D2h 0x0000001b popad 0x0000001c xchg eax, esi 0x0000001d jmp 00007F59E0FE79D0h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushfd 0x00000027 jmp 00007F59E0FE79CCh 0x0000002c sbb si, 5858h 0x00000031 jmp 00007F59E0FE79CBh 0x00000036 popfd 0x00000037 push esi 0x00000038 pop ebx 0x00000039 popad 0x0000003a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60195 second address: 4C601D5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 pushfd 0x00000007 jmp 00007F59E0FDFABCh 0x0000000c sbb eax, 1145E2B8h 0x00000012 jmp 00007F59E0FDFABBh 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, esi 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F59E0FDFAC5h 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C601D5 second address: 4C601E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79CCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C601E5 second address: 4C601E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C601E9 second address: 4C60240 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b jmp 00007F59E0FE79D7h 0x00000010 sub ebx, ebx 0x00000012 jmp 00007F59E0FE79CFh 0x00000017 test esi, esi 0x00000019 pushad 0x0000001a mov edx, ecx 0x0000001c mov ax, 3597h 0x00000020 popad 0x00000021 je 00007F5A532ADB2Eh 0x00000027 pushad 0x00000028 mov bh, ah 0x0000002a mov cx, dx 0x0000002d popad 0x0000002e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 mov ax, bx 0x0000003b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60240 second address: 4C60274 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, cx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F59E0FDFAC0h 0x0000000c call 00007F59E0FDFAC2h 0x00000011 pop eax 0x00000012 pop edx 0x00000013 popad 0x00000014 mov ecx, esi 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60274 second address: 4C60278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60278 second address: 4C6027C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6027C second address: 4C60282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60282 second address: 4C602E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F59E0FDFAC0h 0x00000009 adc ax, 90F8h 0x0000000e jmp 00007F59E0FDFABBh 0x00000013 popfd 0x00000014 jmp 00007F59E0FDFAC8h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c je 00007F5A532A5B97h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F59E0FDFAC7h 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C602E1 second address: 4C60304 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, bx 0x00000006 mov dh, 8Eh 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b test byte ptr [76FB6968h], 00000002h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov ecx, edi 0x00000017 jmp 00007F59E0FE79CBh 0x0000001c popad 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60304 second address: 4C6030A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6030A second address: 4C6030E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6030E second address: 4C6034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jne 00007F5A532A5B56h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov bx, cx 0x00000014 pushfd 0x00000015 jmp 00007F59E0FDFAC4h 0x0000001a adc eax, 5D811A78h 0x00000020 jmp 00007F59E0FDFABBh 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6034A second address: 4C60350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60350 second address: 4C60354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60354 second address: 4C60365 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov edx, dword ptr [ebp+0Ch] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60365 second address: 4C60369 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C60369 second address: 4C6036F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeRDTSC instruction interceptor: First address: 4C6036F second address: 4C60381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FDFABEh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C60381 second address: 4C603C3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F59E0FE79CCh 0x0000000e mov dword ptr [esp], ebx 0x00000011 jmp 00007F59E0FE79D0h 0x00000016 xchg eax, ebx 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F59E0FE79D7h 0x0000001e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C603C3 second address: 4C6042B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, di 0x00000006 mov edi, 7BC3F086h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 mov edx, ecx 0x00000015 popad 0x00000016 call 00007F59E0FDFAC2h 0x0000001b pushfd 0x0000001c jmp 00007F59E0FDFAC2h 0x00000021 add ecx, 73D27E58h 0x00000027 jmp 00007F59E0FDFABBh 0x0000002c popfd 0x0000002d pop ecx 0x0000002e popad 0x0000002f xchg eax, ebx 0x00000030 jmp 00007F59E0FDFABFh 0x00000035 push dword ptr [ebp+14h] 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C6042B second address: 4C6042F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C6042F second address: 4C60435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C60435 second address: 4C6043B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C6043B second address: 4C6043F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C60488 second address: 4C6048E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C6048E second address: 4C604B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F59E0FDFABBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F59E0FDFAC0h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C604B4 second address: 4C604B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C604B8 second address: 4C604BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C604BE second address: 4C604CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F59E0FE79CDh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C604CF second address: 4C604D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4C604D3 second address: 4C6050A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebx 0x00000009 pushad 0x0000000a mov dx, C74Eh 0x0000000e mov ebx, 4A430A5Ah 0x00000013 popad 0x00000014 mov esp, ebp 0x00000016 jmp 00007F59E0FE79D1h 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007F59E0FE79CDh 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1967 second address: 4CC196D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC196D second address: 4CC1971 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1971 second address: 4CC1975 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1975 second address: 4CC1A29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F59E0FE79CEh 0x0000000e push eax 0x0000000f jmp 00007F59E0FE79CBh 0x00000014 xchg eax, ebp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F59E0FE79D4h 0x0000001c sub cl, FFFFFFD8h 0x0000001f jmp 00007F59E0FE79CBh 0x00000024 popfd 0x00000025 call 00007F59E0FE79D8h 0x0000002a call 00007F59E0FE79D2h 0x0000002f pop eax 0x00000030 pop edi 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 pushad 0x00000035 jmp 00007F59E0FE79D8h 0x0000003a popad 0x0000003b push 0000007Fh 0x0000003d jmp 00007F59E0FE79D0h 0x00000042 push 00000001h 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F59E0FE79CAh 0x0000004d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A29 second address: 4CC1A2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A2F second address: 4CC1A42 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push dword ptr [ebp+08h] 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A42 second address: 4CC1A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A46 second address: 4CC1A4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A4A second address: 4CC1A50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 4CC1A50 second address: 4CC1A56 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | RDTSC instruction interceptor: First address: 46E69B second address: 46E69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
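The "RDTSC instruction interceptor" entries above each record a pair of rdtsc reads with only stack-shuffling filler between them: the sample reads the time-stamp counter twice and compares the difference, because a trapped, hooked or single-stepped rdtsc costs thousands of cycles where a native one costs a few dozen. The following is an added example written for this page, not code from the report or from the sample, showing both halves: the sample-side delta check and the standard interceptor counter-measure that hands back a synthetic, slowly advancing counter so the delta always looks native. The 1000-cycle threshold and the 20-cycle interceptor step are assumed values (the report does not disclose the sample's constants), and the clock_gettime fallback exists only so the logic still runs on non-x86 hosts.

```c
/* Added example (not from the report or the sample): rdtsc delta check
 * and the interceptor that defeats it. Portable C. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* A time source: the real TSC, or a sandbox-controlled fake. */
typedef uint64_t (*tsc_reader)(void *ctx);

static uint64_t real_tsc(void *ctx) {
    (void)ctx;
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ volatile("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    struct timespec ts;                      /* assumption: non-x86 fallback */
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
#endif
}

/* Sandbox side: every intercepted read returns the previous value plus a
 * small constant, so back-to-back reads always look like a few cycles
 * passed, however long the monitor really spent between them. */
typedef struct { uint64_t value; uint64_t step; } fake_tsc;

static uint64_t intercepted_tsc(void *ctx) {
    fake_tsc *f = (fake_tsc *)ctx;
    f->value += f->step;
    return f->value;
}

/* Sample side: read, run a few cheap instructions (the pushad/popad/jmp
 * filler in the dump above plays this role), read again, and keep the
 * smallest delta over several rounds so a stray interrupt on bare metal
 * does not produce a false "instrumented" verdict. */
uint64_t min_tsc_delta(tsc_reader read, void *ctx, int rounds) {
    uint64_t best = UINT64_MAX;
    volatile uint32_t sink = 0;
    for (int i = 0; i < rounds; i++) {
        uint64_t t0 = read(ctx);
        sink += (uint32_t)(t0 ^ 0x5A5A5A5Au);    /* filler work between reads */
        uint64_t t1 = read(ctx);
        uint64_t d = t1 - t0;
        if (d < best) best = d;
    }
    return best;
}

/* Decision rule; `threshold` is the sample author's tuning knob (assumed). */
bool looks_instrumented(uint64_t min_delta, uint64_t threshold) {
    return min_delta > threshold;
}

int main(void) {
    const uint64_t threshold = 1000;
    uint64_t native = min_tsc_delta(real_tsc, NULL, 64);
    printf("native min delta:      %llu -> %s\n", (unsigned long long)native,
           looks_instrumented(native, threshold) ? "instrumented" : "clean");

    fake_tsc f = { .value = 0x1000, .step = 20 };
    uint64_t spoofed = min_tsc_delta(intercepted_tsc, &f, 64);
    printf("intercepted min delta: %llu -> %s\n", (unsigned long long)spoofed,
           looks_instrumented(spoofed, threshold) ? "instrumented" : "clean");
    return 0;
}
```

Under the interceptor the delta is exactly the configured step, so the sample's comparison is meaningless; the price the monitor pays is that any timing the sample does with rdtsc (including legitimate benchmarking) is now fiction, which is why a hooked counter should still advance monotonically.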
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 2AFD01 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 2AFD9E instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 460FEF instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 2AD6B6 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 4885D7 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 468EFF instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Special instruction interceptor: First address: 4ED528 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: BAFD01 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: BAFD9E instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: D60FEF instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: BAD6B6 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: D885D7 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: D68EFF instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: DED528 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 35FD01 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 35FD9E instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 510FEF instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 35D6B6 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 5385D7 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 518EFF instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: 59D528 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Code function: 0_2_04CD0906 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window / User API: threadDelayed 1077
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window / User API: threadDelayed 1145
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Window / User API: threadDelayed 1040
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 1107
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 1124
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 738
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 1199
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 1145
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 712
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1358
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1386
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1171
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1156
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1148
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 6508 | Thread sleep time: -52026s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 6404 | Thread sleep count: 1077 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 6404 | Thread sleep time: -2155077s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 4248 | Thread sleep count: 243 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 7176 | Thread sleep count: 231 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 6500 | Thread sleep count: 1145 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 6500 | Thread sleep time: -2291145s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 3060 | Thread sleep count: 1040 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe TID: 3060 | Thread sleep time: -2081040s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7248 | Thread sleep count: 115 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7248 | Thread sleep time: -230115s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7244 | Thread sleep count: 145 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7244 | Thread sleep time: -290145s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7440 | Thread sleep time: -32000s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192 | Thread sleep count: 123 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 | Thread sleep count: 75 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232 | Thread sleep time: -150075s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192 | Thread sleep count: 1107 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7192 | Thread sleep time: -111807s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 | Thread sleep count: 1124 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 | Thread sleep count: 738 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7484 | Thread sleep time: -73800s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7252 | Thread sleep count: 119 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7252 | Thread sleep time: -238119s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7240 | Thread sleep count: 130 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7240 | Thread sleep time: -260130s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228 | Thread sleep count: 118 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228 | Thread sleep time: -236118s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7340 | Thread sleep count: 126 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7340 | Thread sleep time: -252126s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7344 | Thread sleep count: 99 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7344 | Thread sleep time: -198099s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7200 | Thread sleep count: 120 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7328 | Thread sleep count: 107 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7328 | Thread sleep time: -214107s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7336 | Thread sleep count: 116 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7336 | Thread sleep time: -232116s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7200 | Thread sleep count: 1199 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7200 | Thread sleep time: -121099s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488 | Thread sleep count: 1145 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488 | Thread sleep count: 712 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7488 | Thread sleep time: -71200s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7324 | Thread sleep count: 108 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7324 | Thread sleep time: -216108s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7556 | Thread sleep count: 50 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7556 | Thread sleep time: -100050s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7560 | Thread sleep time: -58029s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7516 | Thread sleep count: 59 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7516 | Thread sleep count: 265 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7708 | Thread sleep count: 260 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7548 | Thread sleep count: 1358 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7548 | Thread sleep time: -2717358s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7536 | Thread sleep count: 1386 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7536 | Thread sleep time: -2773386s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868 | Thread sleep count: 33 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7868 | Thread sleep time: -66033s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7840 | Thread sleep count: 1171 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7840 | Thread sleep time: -2343171s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7824 | Thread sleep count: 271 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 8016 | Thread sleep count: 252 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7860 | Thread sleep count: 1156 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7860 | Thread sleep time: -2313156s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852 | Thread sleep count: 1148 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7852 | Thread sleep time: -2297148s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
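The "threadDelayed" and "Thread sleep count: N > 30" entries above describe the same stalling pattern from two angles: rather than one long wait, each thread issues over a thousand short sleeps, which defeats monitors that only fast-forward a single large Sleep call. The report flags a thread when it sleeps more than 30 times or when the summed interval reaches the 30000 mark (the negative numbers are presumably relative intervals in the NT wait convention). The example below is written for this page and is not code from the report or the sample: it simulates the chunked stall, applies the report's two thresholds as a monitor would, and adds the companion check a sample commonly makes afterwards, comparing wall-clock time before and after the loop to notice when a sandbox skipped the sleeps. That final check is a well-known technique, not something the report shows this sample doing; the clock and the sleep call are injected so the whole thing runs instantly and deterministically.

```c
/* Added example (not from the report or the sample): chunked-sleep stall,
 * sleep-skipping detection, and the monitor rules from the report. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Simulated environment: a clock plus a sleep hook that the monitor controls. */
typedef struct {
    uint64_t now_ms;        /* what a tick-count clock would report */
    int      sleep_calls;   /* how often the sample asked to sleep */
    uint64_t requested_ms;  /* sum of the requested intervals */
    bool     skip_sleeps;   /* sandbox mode: return at once, do not advance time */
} sim_env;

static void sim_sleep(sim_env *e, uint64_t ms) {
    e->sleep_calls++;
    e->requested_ms += ms;
    if (!e->skip_sleeps) e->now_ms += ms;   /* an honoured sleep moves the clock */
}

/* Sample side: wait `total_ms` as many `chunk_ms` sleeps, then check with
 * the wall clock that the time really passed. Returns true when the stall
 * was honoured; a sample that sees false concludes its sleeps were skipped
 * and usually exits without doing anything interesting. */
bool stall_and_verify(sim_env *e, uint64_t total_ms, uint64_t chunk_ms) {
    uint64_t start = e->now_ms, slept = 0;
    while (slept < total_ms) {
        uint64_t step = (total_ms - slept < chunk_ms) ? total_ms - slept : chunk_ms;
        sim_sleep(e, step);
        slept += step;
    }
    uint64_t elapsed = e->now_ms - start;
    return elapsed * 10 >= total_ms * 9;     /* allow 10% slack for clock skew */
}

/* Monitor side: the two per-thread rules visible in the report. */
bool sandbox_flags_thread(const sim_env *e, int max_calls, uint64_t max_total_ms) {
    return e->sleep_calls > max_calls || e->requested_ms >= max_total_ms;
}

int main(void) {
    sim_env honest = {0}, skipping = { .skip_sleeps = true };
    /* 1077 slices of 2 s, roughly the count seen for TID 6404 above. */
    bool ok1 = stall_and_verify(&honest, 2154000, 2000);
    bool ok2 = stall_and_verify(&skipping, 2154000, 2000);
    printf("honest sandbox:   %d sleeps, stall %s, flagged=%d\n", honest.sleep_calls,
           ok1 ? "honoured" : "skipped", sandbox_flags_thread(&honest, 30, 30000));
    printf("skipping sandbox: %d sleeps, stall %s, flagged=%d\n", skipping.sleep_calls,
           ok2 ? "honoured" : "skipped", sandbox_flags_thread(&skipping, 30, 30000));
    return 0;
}
```

Both environments flag the thread, which is the point of counting calls rather than only looking at the largest single interval; the difference is that the honest environment wasted half an hour while the skipping one got the verdict immediately but tipped off the sample, so real monitors pair sleep skipping with a matching jump of every clock the sample can read.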
            Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: MPGPH131.exe, 00000006.00000002.4115189261.000000000168D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: MPGPH131.exe, 00000005.00000002.4115259179.000000000148D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}q4
            Source: RageMP131.exe, 00000007.00000002.4115609037.0000000000DC0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000g
            Source: RageMP131.exe, 00000009.00000002.4112061259.00000000001AD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}H
            Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E94000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000006.00000002.4115021267.00000000011AD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}f
            Source: RageMP131.exe, 00000007.00000002.4115609037.0000000000E02000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000nes\AppData\Local\Temp\heidiq
            Source: RageMP131.exe, 00000009.00000003.1920445343.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}B
            Source: RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000006.00000002.4115189261.000000000168D000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}a
            Source: MPGPH131.exe, 00000006.00000003.1767661926.00000000016A1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}$
            Source: MPGPH131.exe, 00000005.00000002.4115259179.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4114B19C
            Source: MPGPH131.exe, 00000006.00000002.4115189261.000000000166A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
            Source: RageMP131.exe, 00000009.00000002.4115337931.0000000000CF1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_4114B19C
            Source: RageMP131.exe, 00000007.00000003.1849767285.0000000000E14000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&a
            Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4113971389.0000000000D42000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E94000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4115259179.00000000014C2000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4115189261.000000000168D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4115609037.0000000000E02000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 5_2_055D018A Start: 055D018F End: 055D0199
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_055D0DA1 Start: 055D0DB0 End: 055D0DB6
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: NTICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: SICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: SIWVID
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
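Several of the entries above are one technique seen from different APIs: the sample obtains a string (a BIOS version or display-driver description from the registry keys queried earlier, a disk device path like the VMware strings found in memory, a top-level window class or title, a device name) and tests it against a hard-coded blocklist; the DebugPort query and the HideFromDebugger thread flag round that out with direct debugger checks. The example below is written for this page and is not code from the report or the sample. Its matching logic is portable and uses the exact names the report lists; the Win32 and ntdll calls that feed it (RegQueryValueExA, FindWindowA, CreateFileA on \\.\NTICE and friends, NtQueryInformationProcess with ProcessDebugPort, NtSetInformationThread with ThreadHideFromDebugger) are kept under _WIN32 so the file still compiles elsewhere. The "qemu" and "virtualbox" markers are assumptions added beyond what the report shows; "Hyper-V RAW" is deliberately absent because that string is the name of a Winsock provider shipped in mswsock.dll on every current Windows, not evidence of a hypervisor.

```c
/* Added example (not from the report or the sample): blocklist matching
 * behind the VM, analysis-tool and debugger checks listed in the report. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive "needle occurs somewhere in hay". */
static bool ci_contains(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++) {
        size_t i = 0;
        while (i < n && hay[i] &&
               tolower((unsigned char)hay[i]) == tolower((unsigned char)needle[i]))
            i++;
        if (i == n) return true;
    }
    return n == 0;
}

/* Hypervisor fingerprints as they appear in this report's disk-device and
 * ACPI strings ("VEN_VMWARE", "VBOX__"); qemu/virtualbox are assumptions. */
static const char *const VM_MARKERS[] = { "vmware", "vbox", "virtualbox", "qemu", NULL };

/* Analysis-tool window classes/titles, copied from the "Open window title
 * or class name" lines of the report. */
static const char *const TOOL_WINDOWS[] = {
    "regmonclass", "gbdyllo", "procmon_window_class", "filemonclass", "ollydbg",
    "process monitor - sysinternals: www.sysinternals.com",
    "registry monitor - sysinternals: www.sysinternals.com",
    "file monitor - sysinternals: www.sysinternals.com", NULL };

/* SoftICE kernel-debugger devices the sample tries to open as \\.\NAME. */
static const char *const DEBUG_DEVICES[] = { "NTICE", "SICE", "SIWVID", NULL };

/* First entry of `table` that occurs in `s`, or NULL. */
const char *first_match(const char *s, const char *const *table) {
    for (; *table; table++)
        if (ci_contains(s, *table)) return *table;
    return NULL;
}

const char *vm_marker_in(const char *s)        { return first_match(s, VM_MARKERS) ; }
bool is_analysis_tool_window(const char *name) { return first_match(name, TOOL_WINDOWS) != NULL; }
bool is_debugger_device(const char *path)      { return first_match(path, DEBUG_DEVICES) != NULL; }

#ifdef _WIN32
#include <windows.h>

/* Read a REG_SZ/REG_MULTI_SZ value under HKLM; the matcher only looks at the
 * first string of a MULTI_SZ, which suffices for the BIOS values here. */
static bool reg_string(const char *sub, const char *name, char *out, DWORD cb) {
    HKEY k; DWORD type = 0;
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, sub, 0, KEY_QUERY_VALUE, &k) != ERROR_SUCCESS) return false;
    LONG rc = RegQueryValueExA(k, name, NULL, &type, (LPBYTE)out, &cb);
    RegCloseKey(k);
    return rc == ERROR_SUCCESS && (type == REG_SZ || type == REG_MULTI_SZ);
}

/* Same locations as the "Registry key queried" lines of the report. */
bool host_looks_like_vm(void) {
    static const char *const sys = "HARDWARE\\DESCRIPTION\\System";
    static const char *const gpu = "SYSTEM\\ControlSet001\\Control\\Class\\{4d36e968-e325-11ce-bfc1-08002be10318}\\0000";
    char buf[512] = {0};
    if (reg_string(sys, "SystemBiosVersion", buf, sizeof buf) && vm_marker_in(buf)) return true;
    if (reg_string(sys, "VideoBiosVersion",  buf, sizeof buf) && vm_marker_in(buf)) return true;
    if (reg_string(gpu, "DriverDesc",        buf, sizeof buf) && vm_marker_in(buf)) return true;
    HKEY k;   /* the VirtualBox ACPI table key existing is itself the tell */
    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, "HARDWARE\\ACPI\\DSDT\\VBOX__", 0, KEY_READ, &k) == ERROR_SUCCESS) {
        RegCloseKey(k); return true;
    }
    return false;
}

/* Window enumeration and SoftICE device probes, as in the report. */
bool analysis_tools_present(void) {
    for (const char *const *w = TOOL_WINDOWS; *w; w++)
        if (FindWindowA(*w, NULL) || FindWindowA(NULL, *w)) return true;
    for (const char *const *d = DEBUG_DEVICES; *d; d++) {
        char path[64];
        snprintf(path, sizeof path, "\\\\.\\%s", *d);
        HANDLE h = CreateFileA(path, GENERIC_READ, FILE_SHARE_READ | FILE_SHARE_WRITE,
                               NULL, OPEN_EXISTING, 0, NULL);
        if (h != INVALID_HANDLE_VALUE) { CloseHandle(h); return true; }
    }
    return false;
}

/* ProcessDebugPort (class 7) is the "Process queried: DebugPort" line;
 * ThreadHideFromDebugger (class 0x11) is "Thread information set: HideFromDebugger". */
typedef LONG (NTAPI *NtQIP_t)(HANDLE, ULONG, PVOID, ULONG, PULONG);
typedef LONG (NTAPI *NtSIT_t)(HANDLE, ULONG, PVOID, ULONG);
bool debugger_present_then_hide(void) {
    HMODULE nt = GetModuleHandleA("ntdll.dll");
    NtQIP_t qip = (NtQIP_t)GetProcAddress(nt, "NtQueryInformationProcess");
    NtSIT_t sit = (NtSIT_t)GetProcAddress(nt, "NtSetInformationThread");
    ULONG_PTR port = 0;
    if (qip && qip(GetCurrentProcess(), 7, &port, sizeof port, NULL) == 0 && port != 0) return true;
    if (sit) sit(GetCurrentThread(), 0x11, NULL, 0);
    return false;
}
#endif

int main(void) {
    /* Constructed inputs, taken from strings that appear in this report. */
    const char *samples[] = { "SCSI\\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\\4&1656F219&0&000000",
                              "HARDWARE\\ACPI\\DSDT\\VBOX__", "Program Manager", "\\\\.\\SICE" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const char *m = vm_marker_in(samples[i]);
        printf("%-62s vm=%-8s tool=%d dbgdev=%d\n", samples[i], m ? m : "-",
               is_analysis_tool_window(samples[i]), is_debugger_device(samples[i]));
    }
    return 0;
}
```

Two practical notes for anyone replicating this on an analysis box: the blocklist is case-insensitive and substring based, so renaming a tool's executable does nothing while renaming its window class does, and the registry strings are matched as substrings, so a sandbox that wants to pass must scrub "VMware"/"VBOX" from SystemBiosVersion, VideoBiosVersion, the display DriverDesc and the SCSI device instance path, not just from one of them.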
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeCode function: 0_2_04CD0906 rdtsc 0_2_04CD0906
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeCode function: 0_2_001D3A40 mov eax, dword ptr fs:[00000030h]0_2_001D3A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeCode function: 0_2_001D3A40 mov eax, dword ptr fs:[00000030h]0_2_001D3A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeCode function: 0_2_00184100 mov eax, dword ptr fs:[00000030h]0_2_00184100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00AD3A40 mov eax, dword ptr fs:[00000030h]5_2_00AD3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00AD3A40 mov eax, dword ptr fs:[00000030h]5_2_00AD3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 5_2_00A84100 mov eax, dword ptr fs:[00000030h]5_2_00A84100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00AD3A40 mov eax, dword ptr fs:[00000030h]6_2_00AD3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00AD3A40 mov eax, dword ptr fs:[00000030h]6_2_00AD3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00A84100 mov eax, dword ptr fs:[00000030h]6_2_00A84100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 7_2_00283A40 mov eax, dword ptr fs:[00000030h]7_2_00283A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 7_2_00283A40 mov eax, dword ptr fs:[00000030h]7_2_00283A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 7_2_00234100 mov eax, dword ptr fs:[00000030h]7_2_00234100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 9_2_00283A40 mov eax, dword ptr fs:[00000030h]9_2_00283A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 9_2_00283A40 mov eax, dword ptr fs:[00000030h]9_2_00283A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 9_2_00234100 mov eax, dword ptr fs:[00000030h]9_2_00234100
            Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmpBinary or memory string: 'TProgram Manager
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeQueries volume information: C:\ VolumeInformationJump to behavior
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeCode function: 0_2_0024F26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_0024F26A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_224.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
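The PEB reads (mov eax, fs:[30h]), the rdtsc instruction, the DebugPort queries, the paired GetSystemTimePreciseAsFileTime calls and the 'Program Manager' / MachineGuid lookups listed above are the raw evidence behind the anti-debugging and sandbox-detection signatures in this report. The scanner below is an added example written for this page; it is not Joe Sandbox code and not part of the report. It finds the same instruction and string patterns in a raw 32-bit x86 code or memory dump. SAMPLE_STUB and SAMPLE_BLOB are constructed for the demonstration, and the follow-up field patterns (BeingDebugged at PEB+2, NtGlobalFlag at PEB+0x68, NumberOfProcessors at PEB+0x64) are heuristics for the mod=01/disp8 encodings and will miss other forms.

```python
import re

# Added example for this page (not Joe Sandbox code). Static scanner for the
# anti-analysis instruction idioms that the sandbox signatures above report,
# operating on raw 32-bit x86 bytes such as a dumped .sdmp region.

# mov eax, fs:[0x30] (64 A1 30 00 00 00) or mov r32, fs:[0x30] (64 8B /r disp32).
# fs:[0x30] is TEB.ProcessEnvironmentBlock, i.e. the PEB read seen in
# functions 0_2_001D3A40, 5_2_00AD3A40, 7_2_00283A40 and their siblings.
PEB_READ = re.compile(rb"\x64(?:\xa1|\x8b[\x05\x0d\x15\x1d\x25\x2d\x35\x3d])\x30\x00\x00\x00")
RDTSC = re.compile(rb"\x0f\x31")

# Which PEB field is consumed right after the load (heuristic: mod=01 disp8 forms).
PEB_FIELDS = [
    (re.compile(rb"\x0f\xb6[\x40-\x7f]\x02"), "PEB.BeingDebugged check"),   # movzx r32, byte ptr [r32+2]
    (re.compile(rb"\x8b[\x40-\x7f]\x68"), "PEB.NtGlobalFlag check"),         # mov r32, [r32+0x68]
    (re.compile(rb"\x8b[\x40-\x7f]\x64"), "PEB.NumberOfProcessors check"),   # mov r32, [r32+0x64]
]

# Strings the report matched in memory: the desktop shell window title and the
# registry value used as a per-victim / per-sandbox machine identifier.
INDICATOR_STRINGS = [b"Program Manager", b"MachineGuid", b"SOFTWARE\\Microsoft\\Cryptography"]


def scan_code(code: bytes, window: int = 64):
    """Return sorted (offset, description) pairs for PEB reads and rdtsc timing pairs."""
    hits = []
    for m in PEB_READ.finditer(code):
        tail = code[m.end():m.end() + 16]
        what = "PEB read (fs:[0x30])"
        for pattern, name in PEB_FIELDS:
            if pattern.search(tail):
                what = name
                break
        hits.append((m.start(), what))
    # A lone rdtsc is a two-byte opcode and also matches random data, so only
    # two rdtsc within `window` bytes are reported: that is the delta-timing idiom.
    offsets = [m.start() for m in RDTSC.finditer(code)]
    for a, b in zip(offsets, offsets[1:]):
        if b - a <= window:
            hits.append((a, f"rdtsc pair {b - a} bytes apart (timing check)"))
    return sorted(hits)


def scan_strings(blob: bytes):
    """Return sorted (offset, string, encoding) for the indicator strings, ASCII or UTF-16LE."""
    found = []
    for s in INDICATOR_STRINGS:
        for enc, needle in (("ascii", s), ("utf-16le", s.decode().encode("utf-16-le"))):
            pos = blob.find(needle)
            if pos != -1:
                found.append((pos, s.decode(), enc))
    return sorted(found)


# Constructed 32-bit stub: BeingDebugged check followed by an rdtsc/cpuid/rdtsc delta.
SAMPLE_STUB = bytes.fromhex(
    "55 8b ec"              # push ebp; mov ebp, esp
    "64 a1 30 00 00 00"     # mov eax, fs:[0x30]           -> PEB
    "0f b6 40 02"           # movzx eax, byte ptr [eax+2]  -> PEB.BeingDebugged
    "85 c0 75 10"           # test eax, eax; jnz +0x10
    "0f 31 8b d8"           # rdtsc; mov ebx, eax
    "0f a2"                 # cpuid (serialising)
    "0f 31 2b c3"           # rdtsc; sub eax, ebx
    "3d 00 10 00 00"        # cmp eax, 0x1000
    "77 02 c9 c3"           # ja +2; leave; ret
)

# Constructed memory blob with one ASCII and one UTF-16LE indicator string.
SAMPLE_BLOB = b"\x00" * 8 + b"Program Manager\x00" + "MachineGuid".encode("utf-16-le") + b"\x00" * 4

if __name__ == "__main__":
    for off, what in scan_code(SAMPLE_STUB):
        print(f"code+0x{off:x}: {what}")
    for off, s, enc in scan_strings(SAMPLE_BLOB):
        print(f"blob+0x{off:x}: {s!r} ({enc})")
```

The DebugPort queries and the hidden threads in this report go through syscalls (NtQueryInformationProcess with ProcessDebugPort, NtSetInformationThread with ThreadHideFromDebugger) rather than inline instruction idioms, so they are caught by API tracing, which is what the sandbox did here; the byte scanner complements that on dumps where the trace is unavailable.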

Stealing of Sensitive Information

Source: Yara match | File source: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_224.exe PID: 6816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7820, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: LisectAVT_2403002A_224.exe PID: 6816, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7188, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: MPGPH131.exe PID: 7196, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7512, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RageMP131.exe PID: 7820, type: MEMORYSTR
MITRE ATT&CK matrix, one line per tactic. An entry with a count in parentheses is a technique matched by that many signatures; entries without a count are the matrix's unmatched default cells.
Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services
Execution: Command and Scripting Interpreter (3) | Scheduled Task/Job (1) | Native API (1) | Cron | Launchd | Scheduled Task | Systemd Timers
Persistence: Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Login Hook | Network Logon Script | RC Scripts | Startup Items
Privilege Escalation: Process Injection (2) | Scheduled Task/Job (1) | Registry Run Keys / Startup Folder (1) | DLL Side-Loading (1) | Network Logon Script | RC Scripts | Startup Items
Defense Evasion: Masquerading (1) | Virtualization/Sandbox Evasion (24) | Process Injection (2) | Deobfuscate/Decode Files or Information (1) | Obfuscated Files or Information (3) | Software Packing (12) | DLL Side-Loading (1)
Credential Access: OS Credential Dumping | LSASS Memory | Security Account Manager | NTDS | LSA Secrets | Cached Domain Credentials | DCSync
Discovery: System Time Discovery (1) | Security Software Discovery (741) | Virtualization/Sandbox Evasion (24) | Process Discovery (2) | Application Window Discovery (1) | System Information Discovery (214) | Remote System Discovery
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management
Collection: Archive Collected Data (1) | Data from Removable Media | Data from Network Shared Drive | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture
Command and Control: Encrypted Channel (1) | Non-Standard Port (1) | Ingress Tool Transfer (1) | Protocol Impersonation | Fallback Channels | Multiband Communication | Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features | Network Denial of Service | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
Behavior Graph ID: 1481004 | Sample: LisectAVT_2403002A_224.exe | Start date: 25/07/2024 | Architecture: WINDOWS | Score: 100
Top-level signatures: Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for submitted file; Yara detected RisePro Stealer; 4 other signatures
Process tree (the numbers after a process name are the graph's per-process counters, see the legend above):
LisectAVT_2403002A_224.exe 1 9
    Network: 193.233.132.74, 49730, 49731, 49732, FREE-NET-ASFREEnetEU, Russian Federation
    Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII); C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
    Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements
    schtasks.exe 1
        conhost.exe
    schtasks.exe 1
        conhost.exe
MPGPH131.exe 2
    Signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Potentially malicious time measurement code found
RageMP131.exe 2
    Signatures: Tries to detect sandboxes and other dynamic analysis tools (window names); Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers
2 other processes
    Signatures: Tries to detect sandboxes / dynamic malware analysis system (registry check); Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Antivirus results for the submitted file (Source | Detection | Scanner | Label):
LisectAVT_2403002A_224.exe | 67% | ReversingLabs | Win32.Trojan.RisePro
LisectAVT_2403002A_224.exe | 64% | Virustotal |
LisectAVT_2403002A_224.exe | 100% | Avira | TR/Scar.vkkgx
LisectAVT_2403002A_224.exe | 100% | Joe Sandbox ML |
Antivirus results for dropped files (Source | Detection | Scanner | Label):
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Avira | TR/Scar.vkkgx
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Avira | TR/Scar.vkkgx
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 100% | Joe Sandbox ML |
C:\ProgramData\MPGPH131\MPGPH131.exe | 67% | ReversingLabs | Win32.Trojan.RisePro
C:\ProgramData\MPGPH131\MPGPH131.exe | 64% | Virustotal |
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 67% | ReversingLabs | Win32.Trojan.RisePro
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | 64% | Virustotal |
No Antivirus matches for the remaining categories.
Antivirus results for URLs (Source | Detection | Scanner | Label):
http://www.winimage.com/zLibDll | 0% | URL Reputation | safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTbYE | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTX | 0% | Avira URL Cloud | safe
https://t.me/RiseProSUPPORTX | 1% | Virustotal |
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll | 0% | Virustotal |
https://t.me/RiseProSUPPORT | 0% | Virustotal |
            No contacted domains info
URLs and URL-like strings found in memory (Name | Source | Malicious | Antivirus Detection | Reputation). The first and second entries are not real URLs: the string extractor ran adjacent strings together (the ipinfo.io and MaxMind geolocation URLs followed by the Ws2_32.dll import name; the Telegram support URL followed by trailing bytes). The geolocation services and the t.me/RiseProSUPPORT handle are the indicators worth keeping.
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
    Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp; LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp; RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp
    Malicious: false | Antivirus: 0% Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://t.me/RiseProSUPPORTX
    Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus: 1% Virustotal; Avira URL Cloud: safe | Reputation: unknown
https://t.me/RiseProSUPPORTbYE
    Source: RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus: Avira URL Cloud: safe | Reputation: unknown
http://www.winimage.com/zLibDll
    Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp; LisectAVT_2403002A_224.exe, 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp; MPGPH131.exe, 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp; MPGPH131.exe, 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp; RageMP131.exe, 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp; RageMP131.exe, 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp
    Malicious: false | Antivirus: URL Reputation: safe | Reputation: unknown
https://t.me/RiseProSUPPORT
    Source: LisectAVT_2403002A_224.exe, 00000000.00000002.4115340739.0000000000E5E000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000005.00000002.4115259179.000000000148D000.00000004.00000020.00020000.00000000.sdmp; MPGPH131.exe, 00000006.00000002.4115189261.000000000166A000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000007.00000002.4115609037.0000000000DCE000.00000004.00000020.00020000.00000000.sdmp; RageMP131.exe, 00000009.00000002.4115337931.0000000000CBB000.00000004.00000020.00020000.00000000.sdmp
    Malicious: false | Antivirus: none | Reputation: unknown
Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious):
193.233.132.74 | unknown | Russian Federation | 2895 | FREE-NET-ASFREEnetEU | true
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1481004
            Start date and time:2024-07-25 02:45:45 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 11m 14s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:LisectAVT_2403002A_224.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@11/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Override analysis time to 240000 for current running targets taking high CPU consumption
            • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
            • Report size exceeded maximum capacity and may have missing behavior information.
Timeline (Time | Type | Description):
01:46:41 | Task Scheduler | Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:46:41 | Task Scheduler | Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:46:41 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
01:46:50 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
20:47:06 | API Interceptor | 3125258x Sleep call for process: LisectAVT_2403002A_224.exe modified
20:47:11 | API Interceptor | 5502x Sleep call for process: MPGPH131.exe modified
20:47:21 | API Interceptor | 4362026x Sleep call for process: RageMP131.exe modified
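The two scheduled tasks (MPGPH131 HR and MPGPH131 LG, both created through schtasks.exe) and the two Run values (HKCU and HKCU64) in the timeline above are the sample's persistence: two independent mechanisms, each pointing at a copy of the same binary in a directory a standard user can write to. The script below is an added example written for this page, not the report's or Joe Sandbox's code. It parses events in the timeline's format (SAMPLE_TIMELINE is a constructed copy of those events plus one benign task for contrast) and flags entries that run from user-writable directories or that double up on one binary. USER_WRITABLE_PREFIXES is an assumption made for the demonstration.

```python
import re
from dataclasses import dataclass

# Added example for this page (not Joe Sandbox code): persistence triage over
# "Task Scheduler" / "Autostart" timeline events in the format used above.

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+(?P<kind>Task Scheduler|Autostart)\s+(?P<detail>.+)$")
TASK_RE = re.compile(r"^Run new task: (?P<name>.+?) path: (?P<path>.+)$")
RUN_RE = re.compile(r"^Run: (?P<key>HK\w+\\\S+?\\Run) (?P<name>\S+) (?P<path>.+)$")

# Directories a standard user can write to (assumption for the demo): a task or
# Run value that points here was planted without admin rights and survives reboots.
USER_WRITABLE_PREFIXES = ("c:\\programdata\\", "c:\\users\\")


@dataclass
class PersistenceEntry:
    time: str
    kind: str      # "Task Scheduler" or "Autostart"
    name: str      # task name or Run value name
    path: str      # executable the entry launches
    key: str = ""  # registry key for Run values, empty for tasks


def parse_timeline(lines):
    """Turn timeline lines into PersistenceEntry objects; unrelated lines are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["kind"] == "Task Scheduler":
            t = TASK_RE.match(m["detail"])
            if t:
                entries.append(PersistenceEntry(m["time"], m["kind"], t["name"], t["path"]))
        else:
            r = RUN_RE.match(m["detail"])
            if r:
                entries.append(PersistenceEntry(m["time"], m["kind"], r["name"], r["path"], r["key"]))
    return entries


def assess(entries):
    """Return human-readable findings: user-writable launch paths and binaries with several entries."""
    findings = []
    by_path = {}
    for e in entries:
        by_path.setdefault(e.path.lower(), []).append(e)
        if e.path.lower().startswith(USER_WRITABLE_PREFIXES):
            findings.append(f"{e.kind} '{e.name}' runs from user-writable path {e.path}")
    for group in by_path.values():
        if len(group) > 1:
            names = ", ".join(f"{e.kind}:{e.name}" for e in group)
            findings.append(f"{len(group)} persistence entries point at the same binary {group[0].path} ({names})")
    return findings


# Constructed timeline: the report's four persistence events plus one benign task.
SAMPLE_TIMELINE = r"""
01:46:10 Task Scheduler Run new task: OneDrive Standalone Update Task-S-1-5-21-1 path: C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe
01:46:41 Task Scheduler Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:46:41 Task Scheduler Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
01:46:41 Autostart Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
01:46:50 Autostart Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
""".strip().splitlines()

if __name__ == "__main__":
    for finding in assess(parse_timeline(SAMPLE_TIMELINE)):
        print(finding)
```

On a live host the same two questions are answered with schtasks /query /fo LIST /v and reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Expect legitimate software (OneDrive, Teams and similar updaters) under AppData, so pair the path rule with a signer or hash check before acting on it; the doubled entries for one unsigned binary in ProgramData are the stronger signal here.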
Context for the contacted IP (Match | Associated Sample Name / URL | Detection | Threat Name):
193.233.132.74 | 80OrFCsz0u.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer
193.233.132.74 | SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe | malicious | GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer
193.233.132.74 | file.exe | malicious | RisePro Stealer
193.233.132.74 | vGDqFBB1Jz.exe | malicious | RisePro Stealer
193.233.132.74 | iKV7MCWDJF.exe | malicious | RisePro Stealer
193.233.132.74 | 8TFD6H44Pz.exe | malicious | RisePro Stealer
193.233.132.74 | uRLTbkeYF7.exe | malicious | RisePro Stealer
193.233.132.74 | 7mIgg1hm7Q.exe | malicious | RisePro Stealer
193.233.132.74 | mZHCe1PQGn.exe | malicious | RisePro Stealer
193.233.132.74 | 1hYctqPwrw.exe | malicious | RisePro Stealer
No context for domains.
Context for the contacted ASN (Match | Associated Sample Name / URL | Detection | Threat Name | IP):
FREE-NET-ASFREEnetEU | hunta[1].exe | malicious | Bdaejec, RisePro Stealer | 193.233.132.62
FREE-NET-ASFREEnetEU | External Own 4.20.exe | malicious | PureLog Stealer, RedLine, zgRAT | 147.45.47.64
FREE-NET-ASFREEnetEU | Aquantia_Setup 2.11.exe | malicious | PureLog Stealer, RedLine, zgRAT | 147.45.47.64
FREE-NET-ASFREEnetEU | AdobeUpdaterV131.exe | malicious | Bdaejec, RisePro Stealer | 193.233.132.62
FREE-NET-ASFREEnetEU | installer.exe | malicious | LummaC, PureLog Stealer, Xmrig, zgRAT | 147.45.47.81
FREE-NET-ASFREEnetEU | 92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf | malicious | Mirai, Moobot | 147.45.93.156
FREE-NET-ASFREEnetEU | conhost.exe | malicious | Xmrig | 147.45.47.81
FREE-NET-ASFREEnetEU | http://premium.davidabostic.com | malicious | Unknown | 147.45.78.74
FREE-NET-ASFREEnetEU | Software1.30.1.exe | malicious | RedLine, Xmrig | 147.45.47.81
FREE-NET-ASFREEnetEU | arm7.elf | malicious | Mirai | 147.45.45.222
No context for the remaining categories (JA3 fingerprints, dropped files).
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2340360
                                Entropy (8bit):7.970077794206971
                                Encrypted:false
                                SSDEEP:49152:AB0vmtT5qmRdVuL9rNM9xz4mA6JMk1Y0/GiII:A2WYmRdVuLRNIfMk14I
                                MD5:CC4A3A36D266E313523FEB9146C56DF6
                                SHA1:094EF8DE8465D13EA82A0F9DAF13474F4F11BC17
                                SHA-256:721A20928239475312D70EE30D402768348D81E72F67363A92E34ED087A545E7
                                SHA-512:32C83BA930B1D6B3D88F4306F28ACF0303694D6F995574D5B7201855FB3F5E275C3CD47408959AB2C70259FE4595F2AC2774FCC95F311DFBC30D64A872A968BD
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 67%
                                • Antivirus: Virustotal, Detection: 64%, Browse
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Z...........@...........................Z......$...@.........................d.Z.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .`,..........$..............@...eyjsffgc..... @......&..............@...qbcnvswu......Z.......#.............@...........................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
Preview:[ZoneTransfer]....ZoneId=0 (the dots are the CRLF bytes; ZoneId 0 is the Local Machine zone, so the dropped copies carry no Mark-of-the-Web and SmartScreen / the Attachment Manager treat them as local files rather than downloads)
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2340360
                                Entropy (8bit):7.970077794206971
                                Encrypted:false
                                SSDEEP:49152:AB0vmtT5qmRdVuL9rNM9xz4mA6JMk1Y0/GiII:A2WYmRdVuLRNIfMk14I
                                MD5:CC4A3A36D266E313523FEB9146C56DF6
                                SHA1:094EF8DE8465D13EA82A0F9DAF13474F4F11BC17
                                SHA-256:721A20928239475312D70EE30D402768348D81E72F67363A92E34ED087A545E7
                                SHA-512:32C83BA930B1D6B3D88F4306F28ACF0303694D6F995574D5B7201855FB3F5E275C3CD47408959AB2C70259FE4595F2AC2774FCC95F311DFBC30D64A872A968BD
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                • Antivirus: ReversingLabs, Detection: 67%
                                • Antivirus: Virustotal, Detection: 64%, Browse
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Z...........@...........................Z......$...@.........................d.Z.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .`,..........$..............@...eyjsffgc..... @......&..............@...qbcnvswu......Z.......#.............@...........................................................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                File Type:ASCII text, with no line terminators
                                Category:modified
                                Size (bytes):13
                                Entropy (8bit):2.8150724101159437
                                Encrypted:false
                                SSDEEP:3:LEQH7P:rP
                                MD5:23B46E29AB05130754E2202717CB7A4A
                                SHA1:9040273811B82BEE20B102785D9C59001083A884
                                SHA-256:C0E625B2FC0F9C87BAAB7ED38FB5CEB2A44A8571CCD4D965B17589B7D9542D28
                                SHA-512:EFA5D2552F4AB487E5FB7DB4714419F78F91BA308B563D117BD363F167F2FFBA7E349C749DE9773AE949EC83F48CBF38E55AB643CAE3355D590A085174ECB4C7
                                Malicious:false
                                Reputation:low
Preview:1721872249513 (13 decimal digits, consistent with a Unix epoch timestamp in milliseconds)
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.970077794206971
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:LisectAVT_2403002A_224.exe
                                File size:2'340'360 bytes
                                MD5:cc4a3a36d266e313523feb9146c56df6
                                SHA1:094ef8de8465d13ea82a0f9daf13474f4f11bc17
                                SHA256:721a20928239475312d70ee30d402768348d81e72f67363a92e34ed087a545e7
                                SHA512:32c83ba930b1d6b3d88f4306f28acf0303694d6f995574d5b7201855fb3f5e275c3cd47408959ab2c70259fe4595f2ac2774fcc95f311dfbc30d64a872a968bd
                                SSDEEP:49152:AB0vmtT5qmRdVuL9rNM9xz4mA6JMk1Y0/GiII:A2WYmRdVuLRNIfMk14I
                                TLSH:5CB5330D5D48F730DD702F723ECA824B2E9C7A5956F4189E84DEBF2B720E25A431A5B4
                                File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{
                                Icon Hash:c769eccc64f6e2bb
                                Entrypoint:0x9ab000
                                Entrypoint Section:qbcnvswu
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x65FE94C6 [Sat Mar 23 08:37:26 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                push esi
                                mov esi, esp
                                add esi, 00000004h
                                sub esi, 04h
                                push esi
                                push dword ptr [esp+04h]
                                pop esi
                                pop dword ptr [esp]
                                pop esp
                                mov dword ptr [esp], esi
                                push ecx
                                mov dword ptr [esp], 0A515175h
                                mov dword ptr [esp], ecx
                                mov dword ptr [esp], eax
                                sub esp, 00000004h
                                mov dword ptr [esp], edi
                                mov dword ptr [esp], edx
                                mov dword ptr [esp], ebx
                                call 00007F59E1453176h
                                int3
                                push dword ptr [esp]
                                mov eax, dword ptr [esp]
                                add esp, 04h
                                add esp, 04h
                                push eax
                                push dword ptr [esp]
                                pop ebx
                                add esp, 00000004h
                                push 3651A27Bh
                                mov dword ptr [esp], esi
                                mov esi, FFFFFFFFh
                                sub eax, esi
                                pop esi
                                push edi
                                push ebx
                                mov ebx, 7FDE0622h
                                neg ebx
                                or ebx, 798B12DAh
                                xor ebx, 7D4D9C37h
                                dec ebx
                                add ebx, 79FE9FDBh
                                xor ebx, FEFF97C3h
                                mov edi, ebx
                                pop ebx
                                sub eax, edi
                                mov edi, dword ptr [esp]
                                add esp, 04h
                                sub eax, 0DBC003Ch
                                add eax, 0DBC0000h
                                cmp byte ptr [ebx], FFFFFFCCh
                                jne 00007F59E145321Ch
                                push eax
                                mov ah, 00h
                                mov byte ptr [ebx], ah
                                push dword ptr [esp]
                                pop eax
                                add esp, 00000004h
                                push ebp
                                mov dword ptr [esp], edx
                                mov edx, 1E1FCE60h
                                and edx, 7EFBDAAEh
                                add edx, 3BDF2EE1h
                                Name                                  Virtual Address  Virtual Size  Is in Section
                                IMAGE_DIRECTORY_ENTRY_EXPORT          0x5a8164         0x4c          eyjsffgc
                                IMAGE_DIRECTORY_ENTRY_IMPORT          0x13b055         0x69          .idata
                                IMAGE_DIRECTORY_ENTRY_RESOURCE        0x138000         0x2b58        .rsrc
                                IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BASERELOC       0x13b1f8         0x8           .idata
                                IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
                                IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                Name      Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy            Characteristics
                                (none)    0x1000           0x137000      0x90600   e4e8fb48afd6339971ccb7f0ed7c224d  False     0.9991950757575757  data       7.988529889235953  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .rsrc     0x138000         0x2b58        0xc00     0dbc2e0ce54dde3b48359016fe487dbf  False     0.8388671875        data       7.028331503308207  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                .idata    0x13b000         0x1000        0x200     745dea56938759dccaf9e183aa01b020  False     0.146484375         data       0.998472215956371  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                (none)    0x13c000         0x2c6000      0x200     f499450209318211941570717674635e  unknown   unknown             unknown    unknown            IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                eyjsffgc  0x402000         0x1a9000      0x1a8c00  743ce54a4e665c4336381ba8d8da7323  False     0.9903292147954679  data       7.951534972159276  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                qbcnvswu  0x5ab000         0x1000        0x400     df3793edc675569036291f9ef32eb10e  False     0.8330078125        data       6.394279404898658  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                Name           RVA       Size    Type                                                               Language  Country        ZLIB Complexity
                                RT_ICON        0x5a81b0  0x25a8  Device independent bitmap graphic, 48 x 96 x 32, image size 9216  Russian   Russia         0.1892116182572614
                                RT_GROUP_ICON  0x5aa758  0x14    data                                                               Russian   Russia         1.15
                                RT_VERSION     0x5aa76c  0x2e4   data                                                               Russian   Russia         0.4689189189189189
                                RT_MANIFEST    0x5aaa50  0x17d   XML 1.0 document, ASCII text, with CRLF line terminators           English   United States  0.5931758530183727
                                DLL           Import
                                kernel32.dll  lstrcpy

                                Name   Ordinal  Address
                                Start  1        0x466e80

                                Language of compilation system  Country where language is spoken
                                Russian                         Russia
                                English                         United States
                                Timestamp                         Protocol  SID      Signature                                                                Source Port  Dest Port  Source IP      Dest IP
                                2024-07-25T02:46:49.373342+0200   TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                              49731        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:46:46.402445+0200   TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                  49731        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:46:49.373471+0200   TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                              49732        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:46:39.895152+0200   TCP       2049060  ET MALWARE RisePro TCP Heartbeat Packet                                  49730        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:47:04.634108+0200   TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                              49740        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:46:57.571611+0200   TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                              49734        58709      192.168.2.4    193.233.132.74
                                2024-07-25T02:46:56.137355+0200   TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49733      20.114.59.183  192.168.2.4
                                2024-07-25T02:47:34.333582+0200   TCP       2022930  ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow  443          49741      20.114.59.183  192.168.2.4
                                2024-07-25T02:46:42.884945+0200   TCP       2046269  ET MALWARE [ANY.RUN] RisePro TCP (Activity)                              49730        58709      192.168.2.4    193.233.132.74
                                Timestamp                           Source Port  Dest Port  Source IP       Dest IP
                                Jul 25, 2024 02:46:39.871575117 CEST  49730        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:39.877028942 CEST  58709        49730      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:39.877276897 CEST  49730        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:39.895152092 CEST  49730        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:39.900207996 CEST  58709        49730      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:42.884944916 CEST  49730        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:42.889842033 CEST  58709        49730      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:46.374893904 CEST  49731        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.376255989 CEST  49732        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.380253077 CEST  58709        49731      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:46.380354881 CEST  49731        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.381270885 CEST  58709        49732      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:46.381337881 CEST  49732        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.402445078 CEST  49731        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.403275967 CEST  49732        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:46.407592058 CEST  58709        49731      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:46.408183098 CEST  58709        49732      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:49.373342037 CEST  49731        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:49.373471022 CEST  49732        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:49.378490925 CEST  58709        49731      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:49.378561020 CEST  58709        49732      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:54.580554962 CEST  49734        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:54.585618973 CEST  58709        49734      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:54.587141037 CEST  49734        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:54.620657921 CEST  49734        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:54.625835896 CEST  58709        49734      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:46:57.571610928 CEST  49734        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:46:57.576564074 CEST  58709        49734      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:01.256742954 CEST  58709        49730      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:01.258691072 CEST  49730        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:01.634232998 CEST  49740        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:01.639583111 CEST  58709        49740      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:01.642580986 CEST  49740        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:01.691051960 CEST  49740        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:01.696101904 CEST  58709        49740      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:04.634108067 CEST  49740        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:04.639174938 CEST  58709        49740      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:07.740628958 CEST  58709        49731      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:07.740923882 CEST  49731        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:07.777354002 CEST  58709        49732      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:07.777483940 CEST  49732        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:15.980272055 CEST  58709        49734      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:15.980384111 CEST  49734        58709      192.168.2.4     193.233.132.74
                                Jul 25, 2024 02:47:23.049293995 CEST  58709        49740      193.233.132.74  192.168.2.4
                                Jul 25, 2024 02:47:23.049433947 CEST  49740        58709      192.168.2.4     193.233.132.74

                                Target ID:0
                                Start time:20:46:35
                                Start date:24/07/2024
                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_224.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_224.exe"
                                Imagebase:0x170000
                                File size:2'340'360 bytes
                                MD5 hash:CC4A3A36D266E313523FEB9146C56DF6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1673549400.0000000004A30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:1
                                Start time:20:46:39
                                Start date:24/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Imagebase:0xf40000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:20:46:39
                                Start date:24/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:20:46:39
                                Start date:24/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Imagebase:0xf40000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:20:46:39
                                Start date:24/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff7699e0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:20:46:41
                                Start date:24/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0xa70000
                                File size:2'340'360 bytes
                                MD5 hash:CC4A3A36D266E313523FEB9146C56DF6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1734673045.0000000005330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 67%, ReversingLabs
                                • Detection: 64%, Virustotal, Browse
                                Reputation:low
                                Has exited:false

                                Target ID:6
                                Start time:20:46:41
                                Start date:24/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0xa70000
                                File size:2'340'360 bytes
                                MD5 hash:CC4A3A36D266E313523FEB9146C56DF6
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1735290637.0000000005330000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:20:46:50
                                Start date:24/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x220000
                                File size:2'340'360 bytes
                                MD5 hash:CC4A3A36D266E313523FEB9146C56DF6
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.1822511495.0000000004960000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                • Detection: 67%, ReversingLabs
                                • Detection: 64%, Virustotal, Browse
                                Reputation:low
                                Has exited:false

                                Target ID:9
                                Start time:20:46:58
                                Start date:24/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x220000
                                File size:2'340'360 bytes
                                MD5 hash:CC4A3A36D266E313523FEB9146C56DF6
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1904982936.00000000048F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:2.4%
                                  Dynamic/Decrypted Code Coverage:1.2%
                                  Signature Coverage:4.3%
                                  Total number of Nodes:346
                                  Total number of Limit Nodes:55
21273->21228 21274->21234 21275->21243 21276->21255 21277->21219 21278->21255 21279->21210 21280->21255 21281->21255 21282->21249 21283->21255 21284->21204 21285->21209 21286->21210 21287->21264 21289 258acf __fread_nolock 21288->21289 21290 258ad9 21289->21290 21293 258afc __fread_nolock 21289->21293 21309 254723 RtlAllocateHeap __fread_nolock __Getctype 21290->21309 21292 258af4 21292->20963 21293->21292 21295 258b5a 21293->21295 21296 258b67 21295->21296 21297 258b8a 21295->21297 21321 254723 RtlAllocateHeap __fread_nolock __Getctype 21296->21321 21299 258b82 21297->21299 21300 2555d3 4 API calls 21297->21300 21299->21292 21301 258ba2 21300->21301 21310 266ded 21301->21310 21304 265f82 __fread_nolock RtlAllocateHeap 21305 258bb6 21304->21305 21314 264a3f 21305->21314 21309->21292 21311 266e04 21310->21311 21312 258baa 21310->21312 21311->21312 21323 266db3 RtlAllocateHeap __dosmaperr 21311->21323 21312->21304 21315 258bbd 21314->21315 21316 264a68 21314->21316 21315->21299 21322 266db3 RtlAllocateHeap __dosmaperr 21315->21322 21317 264ab7 21316->21317 21319 264a8f 21316->21319 21328 254723 RtlAllocateHeap __fread_nolock __Getctype 21317->21328 21324 2649ae 21319->21324 21321->21299 21322->21299 21323->21312 21325 2649ba __fread_nolock 21324->21325 21327 2649f9 21325->21327 21329 264b12 21325->21329 21327->21315 21328->21315 21330 26a6de __fread_nolock RtlAllocateHeap 21329->21330 21332 264b22 21330->21332 21331 264b28 21341 26a64d RtlAllocateHeap __dosmaperr 21331->21341 21332->21331 21333 264b5a 21332->21333 21335 26a6de __fread_nolock RtlAllocateHeap 21332->21335 21333->21331 21336 26a6de __fread_nolock RtlAllocateHeap 21333->21336 21337 264b51 21335->21337 21338 264b66 FindCloseChangeNotification 21336->21338 21339 26a6de __fread_nolock RtlAllocateHeap 21337->21339 21338->21331 21339->21333 21340 264b80 __fread_nolock 21340->21327 21341->21340 21390 189f50 5 API calls 3 library calls 21343 4cd0906 21344 4cd090b GetCurrentHwProfileW 21343->21344 21345 4cd092a 
21344->21345 21391 25d168 SetFilePointerEx WriteFile RtlAllocateHeap RtlAllocateHeap __fread_nolock 21395 1729c0 RtlAllocateHeap 21389 184100 GetPEB RtlAllocateHeap __fread_nolock 21351 1d3a40 21354 1d3a55 21351->21354 21352 1d3b28 GetPEB 21352->21354 21353 1d3a73 GetPEB 21353->21354 21354->21352 21354->21353 21355 1d3b9d Sleep 21354->21355 21356 1d3ae8 Sleep 21354->21356 21357 1d3bc7 21354->21357 21355->21354 21356->21354 21393 172770 RtlAllocateHeap RtlAllocateHeap std::locale::_Locimp::_Locimp 21364 4cd06e6 GetCurrentHwProfileW GetCurrentHwProfileW 21367 18e0a0 WSAStartup 21368 18e0d8 21367->21368 21370 18e1a7 21367->21370 21369 18e175 socket 21368->21369 21368->21370 21369->21370 21371 18e18b connect 21369->21371 21371->21370 21372 18e19d closesocket 21371->21372 21372->21369 21372->21370 21384 1840e0 GetSystemTimePreciseAsFileTime __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z __Xtime_get_ticks

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 657fcc9e98be9b49f5c66028d3d63b9d9e5b4ea06c4cfb8fe6e2be3874e40468
                                  • Instruction ID: 5df7e433156236e2eb21428d8c6452dce4226bfae1e57274167c736eeaa6d5cf
                                  • Opcode Fuzzy Hash: 657fcc9e98be9b49f5c66028d3d63b9d9e5b4ea06c4cfb8fe6e2be3874e40468
                                  • Instruction Fuzzy Hash: D531C4716053106BE7209F25CC48B2BB7E4EBC5734F104F1DF9A8A32D0D3359A048BA2

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,001D3DB6), ref: 001D3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,001D3DB6), ref: 001D3BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 8519f31472b6e77d94ceb112f4794907bf09318eb7480644ecf1fa16e423593a
                                  • Instruction ID: af0e0cf718e63c7d9cd167aa42a64d54f53ee4b87ac57f817939a01d8fcb7224
                                  • Opcode Fuzzy Hash: 8519f31472b6e77d94ceb112f4794907bf09318eb7480644ecf1fa16e423593a
                                  • Instruction Fuzzy Hash: 8351C935B042198FCB28CF58C8D0EAAB3B1FF45704B29859AD465AF352D731EE45CB91
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ac682e00ef806454b976c4e852014cde66bbbff9e530be5a630597deeeb6c9d9
                                  • Instruction ID: b578e010e373df1b13ff8f91ec75718d69614ddf982ced4268fadb99b85f8cbd
                                  • Opcode Fuzzy Hash: ac682e00ef806454b976c4e852014cde66bbbff9e530be5a630597deeeb6c9d9
                                  • Instruction Fuzzy Hash: D241D3EB70D122BD7152D14B2B51AFB666FE6D6338B388437F60BC6106F2946A497031

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: aa
                                  • API String ID: 2104809126-2759896527
                                  • Opcode ID: a61336ee737fbfcd5099e2459e149da119202ebbb8570e7db62eb9bad04104ad
                                  • Instruction ID: 12ddd4f9305c91d0fe81a572dfd9a2a709fec7f3047ecdd71140e249558acc6b
                                  • Opcode Fuzzy Hash: a61336ee737fbfcd5099e2459e149da119202ebbb8570e7db62eb9bad04104ad
                                  • Instruction Fuzzy Hash: A551E5EB70C211BDB202814B1B51AF7666FF7D6738F388436B60BD7202F2946A897131

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O%
                                  • API String ID: 0-3459504969
                                  • Opcode ID: eac49679473a12323e4e6accac1d17bc4948db6711504755ae559044b4c65548
                                  • Instruction ID: 95f303a785629387816874eed0340393e2134e6845bceb232729c80f4cf7bd96
                                  • Opcode Fuzzy Hash: eac49679473a12323e4e6accac1d17bc4948db6711504755ae559044b4c65548
                                  • Instruction Fuzzy Hash: 94511830A10108AFCF14EF58CC55AAAFBB1EF45328F248158FC495B252D3719EA5CB98

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ffff077c7b799185c501543a818426cd8feab98400f9bdb319c562f3d65f712c
                                  • Instruction ID: 07dc3c6a69dfe1b4342b78b6f75162e3ecaab808c4b3cbb93d035db5584a9608
                                  • Opcode Fuzzy Hash: ffff077c7b799185c501543a818426cd8feab98400f9bdb319c562f3d65f712c
                                  • Instruction Fuzzy Hash: CFB14870E24246AFDB11FFA8D840BAEBBB2AF46314F144159E894A7382C7709DA1CF50

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2f5b861f69fce8852913fd3b40c49510517c076939c96955d439af99c683e57b
                                  • Instruction ID: 259f31485ea1e6ac2ef6270c052a76b43740becd9ecc4b89ea4d66a25a008ab3
                                  • Opcode Fuzzy Hash: 2f5b861f69fce8852913fd3b40c49510517c076939c96955d439af99c683e57b
                                  • Instruction Fuzzy Hash: 687106EB74C211BDB202814B1B94AF66A6FF6D7738F388436F607D6102F2846E897171

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 31da4399d6259fc1af9f5a56f034bb2c36caa353d4c0f01cdb2cdf66453ba122
                                  • Instruction ID: 634ba24735ecb87c74e3eac34ee38f1fc27da3086fb38e209643194d78d1af4c
                                  • Opcode Fuzzy Hash: 31da4399d6259fc1af9f5a56f034bb2c36caa353d4c0f01cdb2cdf66453ba122
                                  • Instruction Fuzzy Hash: 9A61E4EB74C211BDB242814F1B94AF7666FF6D7738F388436B607D6206F2946A897031

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 5247cc31b65fc26430b189b48fa16ae7eb8164673ed7ab6eb31d5eecb74b078e
                                  • Instruction ID: cce67d5ae5849c832dca4a4356a8ef4ca24ea6435f668f3fd9f97b5a8d618787
                                  • Opcode Fuzzy Hash: 5247cc31b65fc26430b189b48fa16ae7eb8164673ed7ab6eb31d5eecb74b078e
                                  • Instruction Fuzzy Hash: 546103EB74C211BDB252818F1B94AF6666FF6D7338F388436F607D6206F2946A497031

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph (graph image not reproduced; the graph shows the path through the GetCurrentHwProfileW call)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04CD0911
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119394949.0000000004CD0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CD0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4cd0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00259087,?,00000000,00000000,00000000,?,00000000,?,0017A3EB,00259087,00000000,0017A3EB,?,?), ref: 00265621
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001E06AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002649F9,00000000,CF830579,002A1140,0000000C,00264AB5,00258BBD,?), ref: 00264B68
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,002A0DF8,0017A3EB,00000002,0017A3EB,00000000,?,?,?,0025E166,00000000,?,0017A3EB,00000002,002A0DF8), ref: 0025E098
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0017220E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,002591F7,00000000,?,00265D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0025D244,002589C3,002591F7,00000000), ref: 00266434
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0026D635,4D88C033,?,0026D635,00000220,?,002657EF,4D88C033), ref: 00266E5F
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4119442932.0000000004CE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04CE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4ce0000_LisectAVT_2403002A_224.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $$%s|%s$,$,$.$.$131$:$type must be boolean, but is $|N*$|N*
                                  • API String ID: 0-748053694
                                  Strings
                                  • unordered_map/set too long, xrefs: 001E78C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: unordered_map/set too long
                                  • API String ID: 0-306623848
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
                                  • API String ID: 0-1144537432
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /$/\/$\
                                  • API String ID: 0-1523196992
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: L*$L*
                                  • API String ID: 0-893013501
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: File
                                  • API String ID: 0-749574446
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,0024EC78,?,?,?,?,001840EB,?,001D3C2E), ref: 0024F283
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$FilePreciseSystem
                                  • String ID:
                                  • API String ID: 1802150274-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction ID: 4b87a8b043cded7aa03e5c1862dc417463e853a197dabcc9ad321c9744c83183
                                  • Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction Fuzzy Hash: CD51A172D1011AEFDF14CF98C841AEEBBB2FF88300F898498E815AB201D7349E54DB94
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 65f4687cff6ccb89b618acdeed19e302ae6a318481098ba7d1dd3dfead2ba5c3
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: 111138B7222083C3D6048E2DC8B46B6A3B5EADB32372C436AC8414B6D8D232D86D9508
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001DF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001DF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DFA08
                                  • std::_Facet_Register.LIBCPMT ref: 001DFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$")
                                  • API String ID: 3375549084-2947786438
                                  • Opcode ID: 4f8d4fdf74b17caefd334e4a17116fa05e97cf7b2bcfb0f599afda7d4bea07ee
                                  • Instruction ID: cefe170c61816a2e9ff6c7fc1106fe82092a1eb08032da184cea65d93206a65b
                                  • Opcode Fuzzy Hash: 4f8d4fdf74b17caefd334e4a17116fa05e97cf7b2bcfb0f599afda7d4bea07ee
                                  • Instruction Fuzzy Hash: EB61A071E10248DFEF24DFA4D845B9EBBB4AF15310F144069E809A7381DB74EA06CB96
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00252E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00252E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00252ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00252F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00252F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i*$csm
                                  • API String ID: 1170836740-2185108902
                                  • Opcode ID: c3ac234793f5d801df8c18f5a10b1a393ba701a84a4f23fddb2aec95687c87cc
                                  • Instruction ID: 6394e0621bd7c10b00838264fd011c377e2fec889b7508c718b85410bf4f8f73
                                  • Opcode Fuzzy Hash: c3ac234793f5d801df8c18f5a10b1a393ba701a84a4f23fddb2aec95687c87cc
                                  • Instruction Fuzzy Hash: 9D41B434A20209DBCF10DF68D885A9EBBB5AF46325F148055EC149B3D2D731EE6DCB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 001DDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DDED6
                                  • std::_Facet_Register.LIBCPMT ref: 001DDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 001DDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001DDF7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID: m
                                  • API String ID: 2081738530-3130793244
                                  • Opcode ID: 8edd0447dcd6a03eb36d687726c5b829ade408ec12d31a6a1c0dd77fb15dbaba
                                  • Instruction ID: de40bbf53a632084693d5300b3d42d6d3752b5f4da93f42b992fb46b2806f07c
                                  • Opcode Fuzzy Hash: 8edd0447dcd6a03eb36d687726c5b829ade408ec12d31a6a1c0dd77fb15dbaba
                                  • Instruction Fuzzy Hash: A841F571900215DFCF14DF54E889AAEBBB4FB15710F14426AE815AB392DB30AD12CFD1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00173A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00173AA4
                                  • __Getctype.LIBCPMT ref: 00173ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00173AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00173B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 43ac77810a00b67d271668b7932f83a298c057d085d4d5146ee34c860a99b265
                                  • Instruction ID: d8ae6a6ddf84e605f349839ce6c353a63df9ce8e8062e57e2fb9413cc97c0500
                                  • Opcode Fuzzy Hash: 43ac77810a00b67d271668b7932f83a298c057d085d4d5146ee34c860a99b265
                                  • Instruction Fuzzy Hash: 415152B1D002089FEF14DFA4D945B8EBBB8BF14310F148069EC09AB381E775DA18CB95
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00174F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00174FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 001750C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0017504C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 4b6f4b2ade5226a2a0990014c078d49e204b6573392429528e390fceb988d98b
                                  • Instruction ID: 60240741352f0ce512a85b87fbc119c40de12390e74eb6d692ec1b99eb9a569b
                                  • Opcode Fuzzy Hash: 4b6f4b2ade5226a2a0990014c078d49e204b6573392429528e390fceb988d98b
                                  • Instruction Fuzzy Hash: 60E104719002049FCB28DF68D845BAEF7F9FF48310F148A2DE45A97781EB74A954CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0017799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00177B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: f72ead6823922020a35b493eeb1eecffc1e379d936e321b0f49e9e872227685b
                                  • Instruction ID: a1657cb37dd4540864982d9b565fe488a9ef008c0add958e6d60a6513131df9e
                                  • Opcode Fuzzy Hash: f72ead6823922020a35b493eeb1eecffc1e379d936e321b0f49e9e872227685b
                                  • Instruction Fuzzy Hash: 86C166B19002089FDB08DFA8D984B9DFBF5FF48310F14866AE419EB782E7749984CB54
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00172275
                                    • Part of subcall function 0024D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0024D6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L*$L*
                                  • API String ID: 1997705970-1600591071
                                  • Opcode ID: 044d154c3975ca12bcf6db3a8b90b0d49139b94d77f3dce100c172641f4d507f
                                  • Instruction ID: 8027d6bd2599dda7bb5df45d8ce8314f33f4a5f2c5f80af919a907f5a91551e9
                                  • Opcode Fuzzy Hash: 044d154c3975ca12bcf6db3a8b90b0d49139b94d77f3dce100c172641f4d507f
                                  • Instruction Fuzzy Hash: 03810275A042859FDB05CF68C451BEEBFB2FF6A300F18816EC899A7742C3758546CBA1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 001775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 5af4e192679f5b69e0180d84fb06a56951ae7a6526ade286d4fc7b5a64c1d455
                                  • Instruction ID: 80e0d5312b39dd09d363233e393c8d022a51be3563f95ab464a561da578edf6e
                                  • Opcode Fuzzy Hash: 5af4e192679f5b69e0180d84fb06a56951ae7a6526ade286d4fc7b5a64c1d455
                                  • Instruction Fuzzy Hash: FC61E571A042049FDB0CDF68DD94BADBBB6FF44300F24862CE419A7781D774AA54CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00173E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.4112057176.0000000000171000.00000040.00000001.01000000.00000003.sdmp, Offset: 00170000, based on PE: true
                                  • Associated: 00000000.00000002.4112021575.0000000000170000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4112057176.00000000002A3000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113832752.00000000002A8000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.00000000002AC000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000442000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000525000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.000000000055C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000563000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4113869557.0000000000572000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114489300.0000000000573000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.4114849502.000000000071B000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_170000_LisectAVT_2403002A_224.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 47fb75a86988378fbcd1ae9dc43a4e24eacda00fd214b114ac93341656d3b59a
                                  • Instruction ID: c73ed3d0360c2db568538fc1cceff76daee930932c19ee41197ad33e42239faf
                                  • Opcode Fuzzy Hash: 47fb75a86988378fbcd1ae9dc43a4e24eacda00fd214b114ac93341656d3b59a
                                  • Instruction Fuzzy Hash: 3141B6B2910204AFCB14DF58C845B9EF7F8EF49310F54C52AF929D7641E770AA158BA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00173E7F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: c8164ce186b55d8bb777c5f09351068b5a34757576eade310b2bfd7c99b18697
                                  • Instruction ID: e53a0d18a29fe5f7d66c01b5c13f5126080620614952d6e18406e8fd60b13a21
                                  • Opcode Fuzzy Hash: c8164ce186b55d8bb777c5f09351068b5a34757576eade310b2bfd7c99b18697
                                  • Instruction Fuzzy Hash: F421D8B2514704AFC714DF58D806B96B7ECAB04310F18C82AFA7C87641EB70EA249B95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00177340
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 2522329efa14742b0e2b438a1b22a304e9cd451d3ba8d046bd9d66998af4d62c
                                  • Instruction ID: 5e098f7b82e5742b3798e4d4c29edd8e0f30836c3d801c3d0d0771584d313497
                                  • Opcode Fuzzy Hash: 2522329efa14742b0e2b438a1b22a304e9cd451d3ba8d046bd9d66998af4d62c
                                  • Instruction Fuzzy Hash: BAE17070D042089FDB18CF68C994BADBBB1FF49300F248269E418EB792D7749A85CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00176F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00176F20
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 80f3fa840c98554b9c683e27ca68a1da6bb01c774cd8bc0aacdf34aa28d903f9
                                  • Instruction ID: ec7b877b6a26f3b3354f00308e5157a6d699bd7aed8b54c97495716b51c56925
                                  • Opcode Fuzzy Hash: 80f3fa840c98554b9c683e27ca68a1da6bb01c774cd8bc0aacdf34aa28d903f9
                                  • Instruction Fuzzy Hash: 0A91E770A006049FDB18CF68C994B9EFBF5FF49300F20852CE459AB792D771AA45CB51
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 001EE491
                                  Strings
                                  • type must be string, but is , xrefs: 001EE4F8
                                  • type must be boolean, but is , xrefs: 001EE582
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 74bab5e242b393286a8708924ac9cef106f52d6b139dc9b022230accbba75b01
                                  • Instruction ID: e92507dc7e9dba42c4bd5d64570b724334aec81bba68c05beed8e79d01e86109
                                  • Opcode Fuzzy Hash: 74bab5e242b393286a8708924ac9cef106f52d6b139dc9b022230accbba75b01
                                  • Instruction Fuzzy Hash: 63419CB5904688AFCB04EBA4D802B9EB7F8EB10310F148679F819D77C1EB35E950C796

                                  Execution Graph

                                  Execution Coverage: 3.2%
                                  Dynamic/Decrypted Code Coverage: 1.4%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 627
                                  Total number of Limit Nodes: 64
18468->18469 18470 b640ce 18469->18470 18471 b5e13d __fread_nolock 2 API calls 18469->18471 18470->18456 18470->18458 18470->18459 18470->18462 18471->18470 18473 b58acf __fread_nolock 18472->18473 18474 b58ad9 18473->18474 18476 b58afc __fread_nolock 18473->18476 18475 b54723 __fread_nolock RtlAllocateHeap 18474->18475 18478 b58af4 18475->18478 18476->18478 18479 b58b5a 18476->18479 18478->17881 18480 b58b67 18479->18480 18481 b58b8a 18479->18481 18482 b54723 __fread_nolock RtlAllocateHeap 18480->18482 18483 b555d3 4 API calls 18481->18483 18492 b58b82 18481->18492 18482->18492 18484 b58ba2 18483->18484 18493 b66ded 18484->18493 18487 b65f82 __fread_nolock RtlAllocateHeap 18488 b58bb6 18487->18488 18497 b64a3f 18488->18497 18491 b66db3 ___std_exception_copy RtlAllocateHeap 18491->18492 18492->18478 18494 b66e04 18493->18494 18495 b58baa 18493->18495 18494->18495 18496 b66db3 ___std_exception_copy RtlAllocateHeap 18494->18496 18495->18487 18496->18495 18498 b58bbd 18497->18498 18499 b64a68 18497->18499 18498->18491 18498->18492 18500 b64ab7 18499->18500 18502 b64a8f 18499->18502 18501 b54723 __fread_nolock RtlAllocateHeap 18500->18501 18501->18498 18504 b649ae 18502->18504 18505 b649ba __fread_nolock 18504->18505 18507 b649f9 18505->18507 18508 b64b12 18505->18508 18507->18498 18509 b6a6de __fread_nolock RtlAllocateHeap 18508->18509 18511 b64b22 18509->18511 18513 b6a6de __fread_nolock RtlAllocateHeap 18511->18513 18518 b64b28 18511->18518 18519 b64b5a 18511->18519 18512 b6a6de __fread_nolock RtlAllocateHeap 18515 b64b66 FindCloseChangeNotification 18512->18515 18514 b64b51 18513->18514 18517 b6a6de __fread_nolock RtlAllocateHeap 18514->18517 18515->18518 18516 b64b80 __fread_nolock 18516->18507 18517->18519 18520 b6a64d 18518->18520 18519->18512 18519->18518 18521 b6a65c 18520->18521 18522 b5d23f __dosmaperr RtlAllocateHeap 18521->18522 18525 b6a686 18521->18525 18523 b6a6c8 18522->18523 18524 b5d22c __dosmaperr RtlAllocateHeap 18523->18524 18524->18525 
18525->18516

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00AD3DB6), ref: 00AD3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00AD3DB6), ref: 00AD3BBA
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000005.00000002.4111979088.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4112092223.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113927951.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4114617141.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4114946317.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 308e4c270ce0ebc796642c2fa52edb8a53941bbe3885bceaaa12496f9994ca6a
                                  • Instruction ID: 5ce03385b1765083d13302fa9f07434aece1d9ed770d0e6f8825bf48e66a55a9
                                  • Opcode Fuzzy Hash: 308e4c270ce0ebc796642c2fa52edb8a53941bbe3885bceaaa12496f9994ca6a
                                  • Instruction Fuzzy Hash: BC51A936A042198FCF24CF58C8D0EAAB7B1FF85744B29859AD446AF351D732EE05CB91

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 48d76b699c48df94181b49e273319c1fd96134d5eff7ffb074cd4627a5f61a68
                                  • Instruction ID: b6c14a8b1613e580b387bcad2642619ba5ac2e455c63ca5decf59b98d8b3f416
                                  • Opcode Fuzzy Hash: 48d76b699c48df94181b49e273319c1fd96134d5eff7ffb074cd4627a5f61a68
                                  • Instruction Fuzzy Hash: F931B071605300ABE720EF25CC8872BB7E4EBD6724F004F1DF9A8A62D0D33599048BA2

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(055D0244), ref: 055D02C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4119264163.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: PPR$`
                                  • API String ID: 2104809126-4190364777
                                  • Opcode ID: dcf0765fa1c26bbf121e09c7d239b6f888dd2dc0c70a87b3f6ad967d129ec187
                                  • Instruction ID: e393145b787960ed3f9e07d5b0be6e0c57a0d3be2a395993d8ad1fe5c8b64954
                                  • Opcode Fuzzy Hash: dcf0765fa1c26bbf121e09c7d239b6f888dd2dc0c70a87b3f6ad967d129ec187
                                  • Instruction Fuzzy Hash: 8C41C3EB24C111BDB521D1996B2CEFB976EF1D6730B308827F807C55A2F6848A4E11B1

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(055D0244), ref: 055D02C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4119264163.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: PPR$`
                                  • API String ID: 2104809126-4190364777
                                  • Opcode ID: b2f080bfcf41fac40be69e26eab557cb299ebaa108068cf3844865a541fafe4b
                                  • Instruction ID: 528e8bd2ad47e96ad6540bcb389b7dc53d75e1e521e4f3410c12f145c5984771
                                  • Opcode Fuzzy Hash: b2f080bfcf41fac40be69e26eab557cb299ebaa108068cf3844865a541fafe4b
                                  • Instruction Fuzzy Hash: 6B410BE724C1017DF121D1986A2CEFBE76EF6D6730B308837F802C61A2F6848A4E01B1

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(055D0244), ref: 055D02C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4119264163.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: PPR$`
                                  • API String ID: 2104809126-4190364777
                                  • Opcode ID: ba1eb97a5e990067ea66cb3edcdfabbdc51c3565bb0fa94dc15f2109c4640257
                                  • Instruction ID: 2d57bbc71b59ba444dc923e6135ddfb7aa54c39a57ab5e4d4283630e90c911d8
                                  • Opcode Fuzzy Hash: ba1eb97a5e990067ea66cb3edcdfabbdc51c3565bb0fa94dc15f2109c4640257
                                  • Instruction Fuzzy Hash: 6F4109E724C1117DB522D1996B6CEFBDB6EF6D2630B308837F803C51A2F6848A4E01B1

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(055D0244), ref: 055D02C3
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4119264163.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: PPR$`
                                  • API String ID: 2104809126-4190364777
                                  • Opcode ID: 2d4b03b400196e564c23b033f18c5ee98b3996b3c2e011c48ad081ad33abda08
                                  • Instruction ID: 6426fca8d5fc9a8879b0909168ea5160970c3dbd62b0bf239ec725374dfed302
                                  • Opcode Fuzzy Hash: 2d4b03b400196e564c23b033f18c5ee98b3996b3c2e011c48ad081ad33abda08
                                  • Instruction Fuzzy Hash: D041C3EB24C111BDB521D1996B2CEFB976EF5D6730B308827F807C51A2F6848A4E11B1

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 1f7f71f464384f24c5030f6217e82a0f8357eafe8e6bde4945417a098ce52dd4
                                  • Instruction ID: 36463d5ab51578eb9c7ea7a973444042557872fac45826076e8852d6cded2d0b
                                  • Opcode Fuzzy Hash: 1f7f71f464384f24c5030f6217e82a0f8357eafe8e6bde4945417a098ce52dd4
                                  • Instruction Fuzzy Hash: C3B11670A04649AFDB11DFA8D881BBEBBF1EF46310F1442D8E854A7292CB799D45CB60

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: bff99f61635dc78b269abd781d54db10353a0467e758f88c0b24ffd633a07cae
                                  • Instruction ID: 11787d8074ff9e7235ba42425957bff18b03b7026022f0a7eb9678f31a34255c
                                  • Opcode Fuzzy Hash: bff99f61635dc78b269abd781d54db10353a0467e758f88c0b24ffd633a07cae
                                  • Instruction Fuzzy Hash: 62714B71900204BFDB14DF68CC49BAEBBE8EF81700F10C5ADF8099B682D7B59A45C792

                                  Control-flow Graph

                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00B59087,?,00000000,00000000,00000000,?,00000000,?,00A7A3EB,00B59087,00000000,00A7A3EB,?,?), ref: 00B65621
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: c68603f16a9f3c651b8d2ac84aa65c3c98db9f9ebbd5cd0b82fa147421179748
                                  • Instruction ID: 5b247d6b4af18c93e82631a1bdfbc856055a215319db3605eeac5980fa0575bf
                                  • Opcode Fuzzy Hash: c68603f16a9f3c651b8d2ac84aa65c3c98db9f9ebbd5cd0b82fa147421179748
                                  • Instruction Fuzzy Hash: 4561A1B2900519AFDF21DFA8C884EEEBBFAEF19304F1401C5E805A7215D779D961CBA0

                                  Control-flow Graph: function at b54942 (edge list of the rendered graph omitted)
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 873bb3c47b15d373126beefc2e09f71cf402ef20fe3bcf237f6867130a39263a
                                  • Instruction ID: 6fc1532634142dbf2a5e6b08e91f4269efd13529698e007af4e0160a2605a84e
                                  • Opcode Fuzzy Hash: 873bb3c47b15d373126beefc2e09f71cf402ef20fe3bcf237f6867130a39263a
                                  • Instruction Fuzzy Hash: B451B370A00108AFDB54CF58C881BAEBBF1EF49369F2481D8FC599B252D3719E95CB90

                                  Control-flow Graph: function at ae0560 (edge list of the rendered graph omitted)
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00AE06AE
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 629e8c71b86cef13bd0161e4997186ee116ec03c669648962dccb1b59c98d6d0
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 5B41E572A001549BCB15EF69DD80AAE7BE5EF88310F1441A9FC05DB302D7B0DEA09BE1

                                  Control-flow Graph: function at b64b12 (edge list of the rendered graph omitted)
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00B649F9,00000000,CF830579,00BA1140,0000000C,00B64AB5,00B58BBD,?), ref: 00B64B68
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: b5509422815d2f7e7047400b12ea34974cf3ea9363c7b46f8470dffe2c21aa1f
                                  • Instruction ID: 577cad133243b59295a64456a560aa9bc6265fa443683f94d0f80e75178b51f1
                                  • Opcode Fuzzy Hash: b5509422815d2f7e7047400b12ea34974cf3ea9363c7b46f8470dffe2c21aa1f
                                  • Instruction Fuzzy Hash: C911483364151816CB253674D846B7EB7C9CB83770F2D02DDF8189B0C2EF69D8825555

                                  Control-flow Graph: function at b5e05c (edge list of the rendered graph omitted)
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00BA0DF8,00A7A3EB,00000002,00A7A3EB,00000000,?,?,?,00B5E166,00000000,?,00A7A3EB,00000002,00BA0DF8), ref: 00B5E098
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 6641a99bfad2f2ae292e906e2fb13521750cd8b05c47a8eff085f07e3a8dcc1b
                                  • Instruction ID: 13582bae817d2770e9d44237b60d26fb586cc951f5e16f6c1514b8260f440697
                                  • Opcode Fuzzy Hash: 6641a99bfad2f2ae292e906e2fb13521750cd8b05c47a8eff085f07e3a8dcc1b
                                  • Instruction Fuzzy Hash: D7010832614119ABCF199F55CC0699E3B9ADB81331B280288EC60971D0E6B1EE41CBD0

                                  Control-flow Graph: function at b4f290 (edge list of the rendered graph omitted)
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A7220E
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 25e7954cbe89233ca00581d69169b55b070b8f2e6094e1840ebd59dd632e47d6
                                  • Instruction ID: 73c230ea496404db19ae85c01a08eaa18707b4370f9878e3341fd3e0e378dcf0
                                  • Opcode Fuzzy Hash: 25e7954cbe89233ca00581d69169b55b070b8f2e6094e1840ebd59dd632e47d6
                                  • Instruction Fuzzy Hash: B4012B7650430EABCB14AFA8DC0296977ECDA00310B54C5B9FE1DDB551EB70E9548794

                                  Control-flow Graph: function at b663f3 (edge list of the rendered graph omitted)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00B591F7,00000000,?,00B65D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00B5D244,00B589C3,00B591F7,00000000), ref: 00B66434
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 98907af624a6ce96451d3f5501384db4459a53024993449d7f3783684673f71a
                                  • Instruction ID: b4c15e1ceed0f2c7728773a8fe143150d690f24d48f41c8ecdfbea86f6be490d
                                  • Opcode Fuzzy Hash: 98907af624a6ce96451d3f5501384db4459a53024993449d7f3783684673f71a
                                  • Instruction Fuzzy Hash: BEF0893254512466DB216B66DC17B5B7BCDEF51B64F2581E1EC04A7290CE38EC1146F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00B6D635,4D88C033,?,00B6D635,00000220,?,00B657EF,4D88C033), ref: 00B66E60
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: d30aa0ef34bcd88e01c765665eedda19780e37c5924531ec492157e6ae4e46e2
                                  • Instruction ID: f682c6a2a6edde1077892c69fdf5e9be412b2dc8e13d5ef253aadf0c76efe720
                                  • Opcode Fuzzy Hash: d30aa0ef34bcd88e01c765665eedda19780e37c5924531ec492157e6ae4e46e2
                                  • Instruction Fuzzy Hash: 67E0ED3A94562166DA302266CC01B6B7BC8CBA27A1F0505E1FC04D20D0CF2ACC0081A4
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 9ce32bd519990f92cdfb160b500c19bf8f6db6426940903da7a90d62eb7b9c32
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 4D022D71E012199BDF14CFA9D8807AEBBF1FF48315F2482A9D919F7380DB31A9458B90
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4119264163.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b19f2d368e9658a8b9fca4a24bc68deb535cdac7f428862cea0b64a5810f253b
                                  • Instruction ID: b1e7bb5d844ecb331c2b667bc1128daf28053b2eb17d7e7472954bdd16828d3d
                                  • Opcode Fuzzy Hash: b19f2d368e9658a8b9fca4a24bc68deb535cdac7f428862cea0b64a5810f253b
                                  • Instruction Fuzzy Hash: DF01897750C2989ED313C6E82A9C3E8BF36BB93230F3845BFD04286592E7940A4E4231
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADFA08
                                  • std::_Facet_Register.LIBCPMT ref: 00ADFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: e3d010db819d2ba949adbb9fd107647a8fe8e225c4fc84076c3ef0f27ac75fcf
                                  • Instruction ID: 38df27924287b8bdba71f8167509716181c8f6f3eff58b70e4349ee376f56cf7
                                  • Opcode Fuzzy Hash: e3d010db819d2ba949adbb9fd107647a8fe8e225c4fc84076c3ef0f27ac75fcf
                                  • Instruction Fuzzy Hash: DF616EB1D002489FEF20DFA4D845B9EBBF4AF15710F1841A9E816A7341EB74EA05CB92
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A73A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A73AA4
                                  • __Getctype.LIBCPMT ref: 00A73ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A73AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A73B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 7bb4de58a8d44943d33fb7d3e9407b12fee82f9a60f96baebc80b0d1b4934a9a
                                  • Instruction ID: 13f73beedc94de9d46bc43e4edce78056c9d25f3c738ebc1e0991ef726e0262d
                                  • Opcode Fuzzy Hash: 7bb4de58a8d44943d33fb7d3e9407b12fee82f9a60f96baebc80b0d1b4934a9a
                                  • Instruction Fuzzy Hash: 3D5130B2D012489BEF10DFA4DC45B9EBBF8AF54310F1481A9E809AB341E775DA08DB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00B52E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00B52F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: e98551110e5a50f17180e0d3840e447a36147e15659089685c48d3cd1e519ec2
                                  • Instruction ID: bf72ab0f317d4a9128e7928f2bb9fafa319f065582c9d0588044997eb2c39fc9
                                  • Opcode Fuzzy Hash: e98551110e5a50f17180e0d3840e447a36147e15659089685c48d3cd1e519ec2
                                  • Instruction Fuzzy Hash: 29419130A012099BCF10DF68D885B9EBBF5EF46315F1480D5ED189B392D731DA49CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADDED6
                                  • std::_Facet_Register.LIBCPMT ref: 00ADDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00ADDF7B
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: c03016c01924e7dd2e343f5316efa6c5528a095dcd9aa44fc0f0f2ae2c1e6e16
                                  • Instruction ID: 0fe2e2e8b9442f6f31ac3a41cd8a7d107d977768cc5ff9ec9ebf5790aac0b60a
                                  • Opcode Fuzzy Hash: c03016c01924e7dd2e343f5316efa6c5528a095dcd9aa44fc0f0f2ae2c1e6e16
                                  • Instruction Fuzzy Hash: 7C41B2B1900215DFCF14DF58D845AAEBBF4FB05710F14466AE8169B392DB31AE05CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A74F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A74FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A750C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 00A7504C
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: f61041b02dcce777b7efb80a637ca91e61f23187c2b3a857c138110da9025674
                                  • Instruction ID: 1d223d151804ccf9954e84bfec9eb3b6e269fdb1fcddcbae671971f847aa0def
                                  • Opcode Fuzzy Hash: f61041b02dcce777b7efb80a637ca91e61f23187c2b3a857c138110da9025674
                                  • Instruction Fuzzy Hash: 82E1E0719002059FCB28DF68CD45BAEB7F9FF48710F108A6DE45A97781E774AA04CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A7799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A77B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 6bfa4a5049e065fe6ed3a58a1bfd0124992e5d7005f5817957fd539e0a02f634
                                  • Instruction ID: da9c46fa6771d612c9573084d4125abb46b7b1384140ed26eb9031cbb5b46f7e
                                  • Opcode Fuzzy Hash: 6bfa4a5049e065fe6ed3a58a1bfd0124992e5d7005f5817957fd539e0a02f634
                                  • Instruction Fuzzy Hash: 5FC157B1D002089FDB18DFA8D984B9DBBF5FF48300F14866AE419EB791E7749980CB54
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 9091a30999fdfebd5acf93302cc4f62311a63fcf42c23899d47e387fe6dc1cca
                                  • Instruction ID: 666b59668a73a8901c2a4ef0ca271b3ac13544a6a17c5819db1f196ace0c3bb4
                                  • Opcode Fuzzy Hash: 9091a30999fdfebd5acf93302cc4f62311a63fcf42c23899d47e387fe6dc1cca
                                  • Instruction Fuzzy Hash: 6961C171A042059FDB08DF68DD84BADBBF6FF44300F24C668E419A7782D774AA44CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A73E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 28452488a43dcb035f3bf3b75a5b888a8a29e8abaa67a6f0c3779fcff7783aa4
                                  • Instruction ID: 059a8d05e346c8d8aa7e86a1f22bdcd0159f869fadf1bdf14e7aba4e97044fab
                                  • Opcode Fuzzy Hash: 28452488a43dcb035f3bf3b75a5b888a8a29e8abaa67a6f0c3779fcff7783aa4
                                  • Instruction Fuzzy Hash: 8641B4B3900209AFCB14DF68CC45BAEB7F8EF49310F14C56AF919D7641E770AA048BA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A73E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 424749cede513fc4d820d55567ff2eaf55e897bd98a72e7821cdb1c5453097bd
                                  • Instruction ID: 896b4465d931b0b46656993ec8364cea8a853c5827bd53b1dfbf60a5e67ae863
                                  • Opcode Fuzzy Hash: 424749cede513fc4d820d55567ff2eaf55e897bd98a72e7821cdb1c5453097bd
                                  • Instruction Fuzzy Hash: 5D2105B39047056FCB14DF58DC02B96B7E8AB04310F19C8BAFA6C8B641E770EA148B95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A77340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: a36752a6cab398645f967befd0bb0e6696d44aa2d6791be29b7def99e181634e
                                  • Instruction ID: 4ab7e2da644a007e83129b465b72869f213f801c41b6c6fb47aea9b8ae204e06
                                  • Opcode Fuzzy Hash: a36752a6cab398645f967befd0bb0e6696d44aa2d6791be29b7def99e181634e
                                  • Instruction Fuzzy Hash: B7E14E719042449FDB18CF68CD84B9DBBF1BF49304F24C2A9E419AB792D7749A81CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A76F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A76F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 8832be2fbdb71314eb89c9a2f451f452099b018f68f12edbacf093a47a539bae
                                  • Instruction ID: b1b1f4a20c4a095241b3334a6ac6a30061494df7035c7cad45ff5dcf89cd9f0d
                                  • Opcode Fuzzy Hash: 8832be2fbdb71314eb89c9a2f451f452099b018f68f12edbacf093a47a539bae
                                  • Instruction Fuzzy Hash: F591C370A006049FDB18CF68DD84BAEBBF5EF48300F20C56CE419AB792D771AA45CB91
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00AEE491
                                  Strings
                                  • type must be boolean, but is , xrefs: 00AEE582
                                  • type must be string, but is , xrefs: 00AEE4F8
                                  Memory Dump Source
                                  • Source File: 00000005.00000002.4112092223.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000005.00000002.4111979088.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4112092223.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113927951.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4113971389.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4114617141.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000005.00000002.4114946317.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_5_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 916f9bc2e0b82d72467c8625bfd0a54e5b9316dac33056446fd169f5e19f6bc6
                                  • Instruction ID: 68a442044b90205a71fcba8720537a9ec575fad64cf3470a1dec716514d64847
                                  • Opcode Fuzzy Hash: 916f9bc2e0b82d72467c8625bfd0a54e5b9316dac33056446fd169f5e19f6bc6
                                  • Instruction Fuzzy Hash: 49417CB5904288AFCB14EBA4DD02B9EB7E8DB00310F1486B9F419D77D1EB36AD44C396

                                  Execution Graph

                                  Execution Coverage: 3.1%
                                  Dynamic/Decrypted Code Coverage: 1.7%
                                  Signature Coverage: 0%
                                  Total number of Nodes: 661
                                  Total number of Limit Nodes: 68
                                  execution_graph 19034 a8e0a0 WSAStartup 19035 a8e0d8 19034->19035 19036 a8e1a7 19034->19036 19035->19036 19037 a8e175 socket 19035->19037 19037->19036 19038 a8e18b connect 19037->19038 19038->19036 19039 a8e19d closesocket 19038->19039 19039->19036 19039->19037 18305 55d0708 18306 55d06f2 GetCurrentHwProfileW 18305->18306 18308 55d070e 18305->18308 18306->18308 20162 55d064a 20163 55d0659 GetCurrentHwProfileW 20162->20163 20165 55d0717 20163->20165 19047 b5d168 19048 b5d17b ___std_exception_copy 19047->19048 19053 b5cf4a 19048->19053 19050 b5d190 19051 b544dc ___std_exception_copy RtlAllocateHeap 19050->19051 19052 b5d19d 19051->19052 19054 b5cf80 19053->19054 19055 b5cf58 19053->19055 19054->19050 19055->19054 19056 b5cf65 19055->19056 19057 b5cf87 19055->19057 19058 b54723 ___std_exception_copy RtlAllocateHeap 19056->19058 19061 b5cea3 19057->19061 19058->19054 19060 b5cfbf 19060->19050 19062 b5ceaf __fread_nolock 19061->19062 19065 b5cefe 19062->19065 19064 b5ceca 19064->19060 19072 b68644 19065->19072 19092 b68606 19072->19092 19074 b68655 19075 b5cf16 19074->19075 19076 b66e2d std::_Locinfo::_Locinfo_ctor 2 API calls 19074->19076 19079 b5cfc1 19075->19079 19077 b686ae 19076->19077 19078 b66db3 __freea RtlAllocateHeap 19077->19078 19078->19075 19081 b5cfd3 19079->19081 19083 b5cf34 19079->19083 19080 b5cfe1 19082 b54723 ___std_exception_copy RtlAllocateHeap 19080->19082 19081->19080 19081->19083 19086 b5d017 std::locale::_Locimp::_Locimp 19081->19086 19082->19083 19088 b686ef 19083->19088 19084 b555d3 4 API calls 19084->19086 19085 b65f82 __fread_nolock RtlAllocateHeap 19085->19086 19086->19083 19086->19084 19086->19085 19087 b6538b 4 API calls 19086->19087 19087->19086 19089 b686fa 19088->19089 19090 b5cf40 19088->19090 19089->19090 19091 b555d3 4 API calls 19089->19091 19090->19064 19091->19090 19094 b68612 19092->19094 19093 b68640 19093->19074 19094->19093 19095 b6863c 19094->19095 19096 b65f82 __fread_nolock 
RtlAllocateHeap 19094->19096 19095->19074 19097 b6862d 19096->19097 19098 b70d44 __fread_nolock RtlAllocateHeap 19097->19098 19099 b68633 19098->19099 19099->19074 19040 ad3a40 19043 ad3a55 19040->19043 19041 ad3b28 GetPEB 19041->19043 19042 ad3a73 GetPEB 19042->19043 19043->19041 19043->19042 19044 ad3b9d Sleep 19043->19044 19045 ad3ae8 Sleep 19043->19045 19046 ad3bc7 19043->19046 19044->19043 19045->19043 18309 a7a210 18342 b4f290 18309->18342 18311 a7a248 18347 a72ae0 18311->18347 18313 a7a28b 18363 b55362 18313->18363 18316 a7a377 18319 a7a34e 18319->18316 18392 b547b0 18319->18392 18323 b59136 4 API calls 18324 a7a2fc 18323->18324 18329 a7a318 18324->18329 18378 adcf60 18324->18378 18383 b5dbdf 18329->18383 18344 a721d0 Concurrency::cancel_current_task ___std_exception_copy std::_Facet_Register 18342->18344 18343 b4f2af 18343->18311 18344->18343 18395 b50651 18344->18395 18348 a72ba5 18347->18348 18354 a72af6 18347->18354 18613 a72270 18348->18613 18349 a72b02 std::locale::_Locimp::_Locimp 18349->18313 18351 a72b2a 18358 b4f290 std::_Facet_Register RtlAllocateHeap 18351->18358 18352 a72baa 18623 a721d0 18352->18623 18354->18349 18354->18351 18356 a72b65 18354->18356 18357 a72b6e 18354->18357 18355 a72b3d 18359 b547b0 RtlAllocateHeap 18355->18359 18362 a72b46 std::locale::_Locimp::_Locimp 18355->18362 18356->18351 18356->18352 18361 b4f290 std::_Facet_Register RtlAllocateHeap 18357->18361 18357->18362 18358->18355 18360 a72bb4 18359->18360 18361->18362 18362->18313 18636 b552a0 18363->18636 18365 a7a2d7 18365->18319 18366 b59136 18365->18366 18367 b59149 ___std_exception_copy 18366->18367 18660 b58e8d 18367->18660 18369 b5915e 18370 b544dc ___std_exception_copy RtlAllocateHeap 18369->18370 18371 a7a2ea 18370->18371 18372 b54eeb 18371->18372 18373 b54efe ___std_exception_copy 18372->18373 18793 b54801 18373->18793 18375 b54f0a 18376 b544dc ___std_exception_copy RtlAllocateHeap 18375->18376 18377 a7a2f0 18376->18377 18377->18323 18379 adcfa7 18378->18379 18382 
adcf78 __fread_nolock 18378->18382 18841 ae0560 18379->18841 18381 adcfba 18381->18329 18382->18329 18856 b5dbfc 18383->18856 18385 a7a348 18386 b58be8 18385->18386 18387 b58bfb ___std_exception_copy 18386->18387 18980 b58ac3 18387->18980 18389 b58c07 18390 b544dc ___std_exception_copy RtlAllocateHeap 18389->18390 18391 b58c13 18390->18391 18391->18319 18393 b546ec ___std_exception_copy RtlAllocateHeap 18392->18393 18394 b547bf __Getctype 18393->18394 18396 b5065e ___std_exception_copy 18395->18396 18400 a72213 18395->18400 18397 b5068b 18396->18397 18396->18400 18401 b656b8 18396->18401 18410 b5d7d6 18397->18410 18400->18311 18402 b656c6 18401->18402 18403 b656d4 18401->18403 18402->18403 18408 b656ec 18402->18408 18413 b5d23f 18403->18413 18405 b656dc 18416 b547a0 18405->18416 18407 b656e6 18407->18397 18408->18407 18409 b5d23f __dosmaperr RtlAllocateHeap 18408->18409 18409->18405 18411 b66db3 __freea RtlAllocateHeap 18410->18411 18412 b5d7ee 18411->18412 18412->18400 18419 b65d2c 18413->18419 18524 b546ec 18416->18524 18420 b65d35 __Getctype 18419->18420 18421 b5d244 18420->18421 18430 b663f3 18420->18430 18421->18405 18423 b65d79 __Getctype 18424 b65d81 __Getctype 18423->18424 18425 b65db9 18423->18425 18434 b66db3 18424->18434 18438 b65a09 18425->18438 18429 b66db3 __freea RtlAllocateHeap 18429->18421 18433 b66400 __Getctype std::_Facet_Register 18430->18433 18431 b6642b RtlAllocateHeap 18432 b6643e __dosmaperr 18431->18432 18431->18433 18432->18423 18433->18431 18433->18432 18435 b66dbe __dosmaperr 18434->18435 18437 b66de8 18434->18437 18436 b5d23f __dosmaperr RtlAllocateHeap 18435->18436 18435->18437 18436->18437 18437->18421 18439 b65a77 __Getctype 18438->18439 18442 b659af 18439->18442 18441 b65aa0 18441->18429 18443 b659bb __fread_nolock std::_Lockit::_Lockit 18442->18443 18446 b65b90 18443->18446 18445 b659dd __Getctype 18445->18441 18447 b65bc6 __Getctype 18446->18447 18448 b65b9f __Getctype 18446->18448 18447->18445 18448->18447 18450 b6f2a7 
18448->18450 18451 b6f327 18450->18451 18454 b6f2bd 18450->18454 18452 b6f375 18451->18452 18455 b66db3 __freea RtlAllocateHeap 18451->18455 18518 b6f418 18452->18518 18454->18451 18456 b6f2f0 18454->18456 18461 b66db3 __freea RtlAllocateHeap 18454->18461 18457 b6f349 18455->18457 18458 b6f312 18456->18458 18466 b66db3 __freea RtlAllocateHeap 18456->18466 18459 b66db3 __freea RtlAllocateHeap 18457->18459 18460 b66db3 __freea RtlAllocateHeap 18458->18460 18462 b6f35c 18459->18462 18463 b6f31c 18460->18463 18465 b6f2e5 18461->18465 18467 b66db3 __freea RtlAllocateHeap 18462->18467 18468 b66db3 __freea RtlAllocateHeap 18463->18468 18464 b6f3e3 18469 b66db3 __freea RtlAllocateHeap 18464->18469 18478 b6e5ab 18465->18478 18471 b6f307 18466->18471 18472 b6f36a 18467->18472 18468->18451 18473 b6f3e9 18469->18473 18506 b6ea0a 18471->18506 18476 b66db3 __freea RtlAllocateHeap 18472->18476 18473->18447 18474 b6f383 18474->18464 18477 b66db3 RtlAllocateHeap __freea 18474->18477 18476->18452 18477->18474 18479 b6e6a5 18478->18479 18480 b6e5bc 18478->18480 18479->18456 18481 b6e5cd 18480->18481 18482 b66db3 __freea RtlAllocateHeap 18480->18482 18483 b6e5df 18481->18483 18485 b66db3 __freea RtlAllocateHeap 18481->18485 18482->18481 18484 b6e5f1 18483->18484 18486 b66db3 __freea RtlAllocateHeap 18483->18486 18487 b6e603 18484->18487 18488 b66db3 __freea RtlAllocateHeap 18484->18488 18485->18483 18486->18484 18489 b6e615 18487->18489 18490 b66db3 __freea RtlAllocateHeap 18487->18490 18488->18487 18491 b6e627 18489->18491 18493 b66db3 __freea RtlAllocateHeap 18489->18493 18490->18489 18492 b6e639 18491->18492 18494 b66db3 __freea RtlAllocateHeap 18491->18494 18495 b6e64b 18492->18495 18496 b66db3 __freea RtlAllocateHeap 18492->18496 18493->18491 18494->18492 18497 b6e65d 18495->18497 18498 b66db3 __freea RtlAllocateHeap 18495->18498 18496->18495 18499 b6e66f 18497->18499 18501 b66db3 __freea RtlAllocateHeap 18497->18501 18498->18497 18500 b6e681 18499->18500 18502 b66db3 __freea 
RtlAllocateHeap 18499->18502 18503 b6e693 18500->18503 18504 b66db3 __freea RtlAllocateHeap 18500->18504 18501->18499 18502->18500 18503->18479 18505 b66db3 __freea RtlAllocateHeap 18503->18505 18504->18503 18505->18479 18507 b6ea17 18506->18507 18508 b6ea6f 18506->18508 18509 b6ea27 18507->18509 18510 b66db3 __freea RtlAllocateHeap 18507->18510 18508->18458 18511 b6ea39 18509->18511 18513 b66db3 __freea RtlAllocateHeap 18509->18513 18510->18509 18512 b6ea4b 18511->18512 18514 b66db3 __freea RtlAllocateHeap 18511->18514 18515 b6ea5d 18512->18515 18516 b66db3 __freea RtlAllocateHeap 18512->18516 18513->18511 18514->18512 18515->18508 18517 b66db3 __freea RtlAllocateHeap 18515->18517 18516->18515 18517->18508 18519 b6f444 18518->18519 18520 b6f425 18518->18520 18519->18474 18520->18519 18521 b6ef31 __Getctype RtlAllocateHeap 18520->18521 18522 b6f43e 18521->18522 18523 b66db3 __freea RtlAllocateHeap 18522->18523 18523->18519 18525 b546fe ___std_exception_copy 18524->18525 18530 b54723 18525->18530 18527 b54716 18537 b544dc 18527->18537 18531 b54733 18530->18531 18534 b5473a ___std_exception_copy __Getctype 18530->18534 18543 b54541 18531->18543 18533 b54748 18533->18527 18534->18533 18535 b546ec ___std_exception_copy RtlAllocateHeap 18534->18535 18536 b547ac 18535->18536 18536->18527 18538 b544e8 18537->18538 18539 b544ff 18538->18539 18558 b54587 18538->18558 18541 b54512 18539->18541 18542 b54587 ___std_exception_copy RtlAllocateHeap 18539->18542 18541->18407 18542->18541 18544 b54550 18543->18544 18547 b65ddd 18544->18547 18548 b65df0 __Getctype 18547->18548 18549 b54572 18548->18549 18550 b663f3 __Getctype RtlAllocateHeap 18548->18550 18549->18534 18551 b65e20 __Getctype 18550->18551 18552 b65e5c 18551->18552 18553 b65e28 __Getctype 18551->18553 18554 b65a09 __Getctype RtlAllocateHeap 18552->18554 18555 b66db3 __freea RtlAllocateHeap 18553->18555 18556 b65e67 18554->18556 18555->18549 18557 b66db3 __freea RtlAllocateHeap 18556->18557 18557->18549 18559 b54591 
18558->18559 18560 b5459a 18558->18560 18561 b54541 ___std_exception_copy RtlAllocateHeap 18559->18561 18560->18539 18562 b54596 18561->18562 18562->18560 18565 b60259 18562->18565 18566 b6025e std::locale::_Setgloballocale 18565->18566 18570 b60269 std::locale::_Setgloballocale 18566->18570 18571 b6c7c6 18566->18571 18592 b5f224 18570->18592 18572 b6c7d2 __fread_nolock 18571->18572 18573 b65d2c __dosmaperr RtlAllocateHeap 18572->18573 18574 b6c822 18572->18574 18578 b6c803 std::locale::_Setgloballocale 18572->18578 18580 b6c834 std::_Lockit::_Lockit std::locale::_Setgloballocale 18572->18580 18573->18578 18576 b5d23f __dosmaperr RtlAllocateHeap 18574->18576 18575 b6c80c 18575->18570 18577 b6c827 18576->18577 18579 b547a0 ___std_exception_copy RtlAllocateHeap 18577->18579 18578->18574 18578->18575 18578->18580 18579->18575 18581 b6c8a7 18580->18581 18582 b6c9a4 std::_Lockit::~_Lockit 18580->18582 18586 b6c8d5 std::locale::_Setgloballocale 18580->18586 18581->18586 18595 b65bdb 18581->18595 18583 b5f224 std::locale::_Setgloballocale RtlAllocateHeap 18582->18583 18585 b6c9b7 18583->18585 18586->18575 18588 b65bdb __Getctype RtlAllocateHeap 18586->18588 18590 b6c92a 18586->18590 18588->18590 18589 b65bdb __Getctype RtlAllocateHeap 18589->18586 18590->18575 18591 b65bdb __Getctype RtlAllocateHeap 18590->18591 18591->18575 18609 b5f094 18592->18609 18594 b5f235 18596 b65be4 __Getctype 18595->18596 18597 b663f3 __Getctype RtlAllocateHeap 18596->18597 18598 b65bfb 18596->18598 18600 b65c28 __Getctype 18597->18600 18599 b65c8b 18598->18599 18601 b60259 __Getctype RtlAllocateHeap 18598->18601 18599->18589 18602 b65c68 18600->18602 18604 b65c30 __Getctype 18600->18604 18603 b65c95 18601->18603 18606 b65a09 __Getctype RtlAllocateHeap 18602->18606 18605 b66db3 __freea RtlAllocateHeap 18604->18605 18605->18598 18607 b65c73 18606->18607 18608 b66db3 __freea RtlAllocateHeap 18607->18608 18608->18598 18610 b5f0c1 std::locale::_Setgloballocale 18609->18610 18611 b5ef23 
std::locale::_Setgloballocale RtlAllocateHeap 18610->18611 18612 b5f10a std::locale::_Setgloballocale 18611->18612 18612->18594 18627 b4d6e9 18613->18627 18624 a721de Concurrency::cancel_current_task 18623->18624 18625 b50651 ___std_exception_copy RtlAllocateHeap 18624->18625 18626 a72213 18625->18626 18626->18355 18630 b4d4af 18627->18630 18629 b4d6fa Concurrency::cancel_current_task 18633 a73010 18630->18633 18634 b50651 ___std_exception_copy RtlAllocateHeap 18633->18634 18635 a7303d 18634->18635 18635->18629 18638 b552ac __fread_nolock 18636->18638 18637 b552b3 18639 b5d23f __dosmaperr RtlAllocateHeap 18637->18639 18638->18637 18640 b552d3 18638->18640 18641 b552b8 18639->18641 18642 b552e5 18640->18642 18643 b552d8 18640->18643 18644 b547a0 ___std_exception_copy RtlAllocateHeap 18641->18644 18650 b66688 18642->18650 18645 b5d23f __dosmaperr RtlAllocateHeap 18643->18645 18649 b552c3 18644->18649 18645->18649 18647 b552ee 18648 b5d23f __dosmaperr RtlAllocateHeap 18647->18648 18647->18649 18648->18649 18649->18365 18651 b66694 __fread_nolock std::_Lockit::_Lockit 18650->18651 18654 b6672c 18651->18654 18653 b666af 18653->18647 18658 b6674f __fread_nolock 18654->18658 18655 b663f3 __Getctype RtlAllocateHeap 18656 b667b0 18655->18656 18657 b66db3 __freea RtlAllocateHeap 18656->18657 18659 b66795 __fread_nolock 18657->18659 18658->18655 18658->18658 18658->18659 18659->18653 18662 b58e99 __fread_nolock 18660->18662 18661 b58e9f 18663 b54723 ___std_exception_copy RtlAllocateHeap 18661->18663 18662->18661 18664 b58ee2 __fread_nolock 18662->18664 18666 b58eba 18663->18666 18667 b59010 18664->18667 18666->18369 18668 b59036 18667->18668 18669 b59023 18667->18669 18676 b58f37 18668->18676 18669->18666 18671 b590e7 18671->18666 18672 b59059 18672->18671 18680 b555d3 18672->18680 18677 b58fa0 18676->18677 18678 b58f48 18676->18678 18677->18672 18678->18677 18689 b5e13d 18678->18689 18681 b555ec 18680->18681 18685 b55613 18680->18685 18681->18685 18716 b65f82 18681->18716 
18683 b55608 18723 b6538b 18683->18723 18686 b5e17d 18685->18686 18687 b5e05c __fread_nolock 2 API calls 18686->18687 18688 b5e196 18687->18688 18688->18671 18690 b5e151 ___std_exception_copy 18689->18690 18695 b5e05c 18690->18695 18692 b5e166 18693 b544dc ___std_exception_copy RtlAllocateHeap 18692->18693 18694 b5e175 18693->18694 18694->18677 18700 b6a6de 18695->18700 18697 b5e06e 18698 b5e08a SetFilePointerEx 18697->18698 18699 b5e076 __fread_nolock 18697->18699 18698->18699 18699->18692 18701 b6a700 18700->18701 18702 b6a6eb 18700->18702 18704 b5d22c __dosmaperr RtlAllocateHeap 18701->18704 18708 b6a725 18701->18708 18713 b5d22c 18702->18713 18706 b6a730 18704->18706 18709 b5d23f __dosmaperr RtlAllocateHeap 18706->18709 18707 b5d23f __dosmaperr RtlAllocateHeap 18710 b6a6f8 18707->18710 18708->18697 18711 b6a738 18709->18711 18710->18697 18712 b547a0 ___std_exception_copy RtlAllocateHeap 18711->18712 18712->18710 18714 b65d2c __dosmaperr RtlAllocateHeap 18713->18714 18715 b5d231 18714->18715 18715->18707 18717 b65fa3 18716->18717 18718 b65f8e 18716->18718 18717->18683 18719 b5d23f __dosmaperr RtlAllocateHeap 18718->18719 18720 b65f93 18719->18720 18721 b547a0 ___std_exception_copy RtlAllocateHeap 18720->18721 18722 b65f9e 18721->18722 18722->18683 18724 b65397 __fread_nolock 18723->18724 18725 b653d8 18724->18725 18727 b6541e 18724->18727 18729 b6539f 18724->18729 18726 b54723 ___std_exception_copy RtlAllocateHeap 18725->18726 18726->18729 18727->18729 18730 b6549c 18727->18730 18729->18685 18731 b654c4 18730->18731 18743 b654e7 __fread_nolock 18730->18743 18732 b654c8 18731->18732 18734 b65523 18731->18734 18733 b54723 ___std_exception_copy RtlAllocateHeap 18732->18733 18733->18743 18735 b65541 18734->18735 18736 b5e17d 2 API calls 18734->18736 18744 b64fe1 18735->18744 18736->18735 18739 b655a0 18741 b65609 WriteFile 18739->18741 18739->18743 18740 b65559 18740->18743 18749 b64bb2 18740->18749 18741->18743 18743->18729 18755 b70d44 18744->18755 18746 b65021 
18746->18739 18746->18740 18747 b64ff3 18747->18746 18764 b59d10 18747->18764 18750 b64c1a 18749->18750 18751 b59d10 std::_Locinfo::_Locinfo_ctor 2 API calls 18750->18751 18754 b64c2b std::_Locinfo::_Locinfo_ctor std::locale::_Locimp::_Locimp 18750->18754 18751->18754 18752 b684be RtlAllocateHeap RtlAllocateHeap 18752->18754 18753 b64ee1 _ValidateLocalCookies 18753->18743 18754->18752 18754->18753 18756 b70d51 18755->18756 18758 b70d5e 18755->18758 18757 b5d23f __dosmaperr RtlAllocateHeap 18756->18757 18759 b70d56 18757->18759 18760 b70d6a 18758->18760 18761 b5d23f __dosmaperr RtlAllocateHeap 18758->18761 18759->18747 18760->18747 18762 b70d8b 18761->18762 18763 b547a0 ___std_exception_copy RtlAllocateHeap 18762->18763 18763->18759 18765 b54587 ___std_exception_copy RtlAllocateHeap 18764->18765 18766 b59d20 18765->18766 18771 b65ef3 18766->18771 18772 b65f0a 18771->18772 18774 b59d3d 18771->18774 18772->18774 18779 b6f4f3 18772->18779 18775 b65f51 18774->18775 18776 b59d4a 18775->18776 18777 b65f68 18775->18777 18776->18746 18777->18776 18788 b6d81e 18777->18788 18780 b6f4ff __fread_nolock 18779->18780 18781 b65bdb __Getctype RtlAllocateHeap 18780->18781 18783 b6f508 std::_Lockit::_Lockit 18781->18783 18782 b6f54e 18782->18774 18783->18782 18784 b6f574 __Getctype RtlAllocateHeap 18783->18784 18785 b6f537 __Getctype 18784->18785 18785->18782 18786 b60259 __Getctype RtlAllocateHeap 18785->18786 18787 b6f573 18786->18787 18789 b65bdb __Getctype RtlAllocateHeap 18788->18789 18790 b6d823 18789->18790 18791 b6d736 std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 18790->18791 18792 b6d82e 18791->18792 18792->18776 18794 b5480d __fread_nolock 18793->18794 18795 b54835 __fread_nolock 18794->18795 18796 b54814 18794->18796 18800 b54910 18795->18800 18797 b54723 ___std_exception_copy RtlAllocateHeap 18796->18797 18799 b5482d 18797->18799 18799->18375 18803 b54942 18800->18803 18802 b54922 18802->18799 18804 b54951 18803->18804 18805 b54979 18803->18805 18806 
b54723 ___std_exception_copy RtlAllocateHeap 18804->18806 18807 b65f82 __fread_nolock RtlAllocateHeap 18805->18807 18815 b5496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 18806->18815 18808 b54982 18807->18808 18816 b5e11f 18808->18816 18811 b54a2c 18819 b54cae 18811->18819 18813 b54a43 18813->18815 18827 b54ae3 18813->18827 18815->18802 18834 b5df37 18816->18834 18818 b549a0 18818->18811 18818->18813 18818->18815 18820 b54cbd 18819->18820 18821 b65f82 __fread_nolock RtlAllocateHeap 18820->18821 18822 b54cd9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 18821->18822 18823 b5e11f 2 API calls 18822->18823 18826 b54ce5 _ValidateLocalCookies 18822->18826 18824 b54d39 18823->18824 18825 b5e11f 2 API calls 18824->18825 18824->18826 18825->18826 18826->18815 18828 b65f82 __fread_nolock RtlAllocateHeap 18827->18828 18829 b54af6 18828->18829 18830 b5e11f 2 API calls 18829->18830 18833 b54b40 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 18829->18833 18831 b54b9d 18830->18831 18832 b5e11f 2 API calls 18831->18832 18831->18833 18832->18833 18833->18815 18836 b5df43 __fread_nolock 18834->18836 18835 b5df86 18837 b54723 ___std_exception_copy RtlAllocateHeap 18835->18837 18836->18835 18838 b5dfcc 18836->18838 18839 b5df4b 18836->18839 18837->18839 18838->18839 18840 b5e05c __fread_nolock 2 API calls 18838->18840 18839->18818 18840->18839 18842 ae06a9 18841->18842 18846 ae0585 18841->18846 18843 a72270 RtlAllocateHeap 18842->18843 18844 ae06ae 18843->18844 18845 a721d0 Concurrency::cancel_current_task RtlAllocateHeap 18844->18845 18852 ae05aa __fread_nolock std::locale::_Locimp::_Locimp 18845->18852 18848 ae05e3 18846->18848 18849 ae05f0 18846->18849 18851 ae059a 18846->18851 18847 b4f290 std::_Facet_Register RtlAllocateHeap 18847->18852 18848->18844 18848->18851 18849->18852 18854 b4f290 std::_Facet_Register RtlAllocateHeap 18849->18854 18850 b547b0 RtlAllocateHeap 18853 ae06b8 18850->18853 18851->18847 18852->18850 18855 ae0667 __fread_nolock std::locale::_Locimp::_Locimp 
18852->18855 18854->18852 18855->18381 18857 b5dc08 __fread_nolock 18856->18857 18858 b5dc52 __fread_nolock 18857->18858 18859 b5dc1b __fread_nolock 18857->18859 18863 b5dc40 __fread_nolock 18857->18863 18865 b5da06 18858->18865 18860 b5d23f __dosmaperr RtlAllocateHeap 18859->18860 18862 b5dc35 18860->18862 18864 b547a0 ___std_exception_copy RtlAllocateHeap 18862->18864 18863->18385 18864->18863 18866 b5da35 18865->18866 18869 b5da18 __fread_nolock 18865->18869 18866->18863 18867 b5da25 18868 b5d23f __dosmaperr RtlAllocateHeap 18867->18868 18876 b5da2a 18868->18876 18869->18866 18869->18867 18871 b5da76 __fread_nolock 18869->18871 18870 b547a0 ___std_exception_copy RtlAllocateHeap 18870->18866 18871->18866 18872 b5dba1 __fread_nolock 18871->18872 18874 b65f82 __fread_nolock RtlAllocateHeap 18871->18874 18878 b64623 18871->18878 18937 b58a2b 18871->18937 18875 b5d23f __dosmaperr RtlAllocateHeap 18872->18875 18874->18871 18875->18876 18876->18870 18879 b64635 18878->18879 18880 b6464d 18878->18880 18882 b5d22c __dosmaperr RtlAllocateHeap 18879->18882 18881 b6498f 18880->18881 18886 b64690 18880->18886 18884 b5d22c __dosmaperr RtlAllocateHeap 18881->18884 18883 b6463a 18882->18883 18885 b5d23f __dosmaperr RtlAllocateHeap 18883->18885 18887 b64994 18884->18887 18888 b64642 18885->18888 18886->18888 18889 b6469b 18886->18889 18896 b646cb 18886->18896 18890 b5d23f __dosmaperr RtlAllocateHeap 18887->18890 18888->18871 18891 b5d22c __dosmaperr RtlAllocateHeap 18889->18891 18892 b646a8 18890->18892 18893 b646a0 18891->18893 18895 b547a0 ___std_exception_copy RtlAllocateHeap 18892->18895 18894 b5d23f __dosmaperr RtlAllocateHeap 18893->18894 18894->18892 18895->18888 18897 b646e4 18896->18897 18898 b646f1 18896->18898 18899 b6471f 18896->18899 18897->18898 18924 b6470d 18897->18924 18900 b5d22c __dosmaperr RtlAllocateHeap 18898->18900 18951 b66e2d 18899->18951 18901 b646f6 18900->18901 18903 b5d23f __dosmaperr RtlAllocateHeap 18901->18903 18907 b646fd 18903->18907 18904 
b70d44 __fread_nolock RtlAllocateHeap 18911 b6486b 18904->18911 18906 b66db3 __freea RtlAllocateHeap 18908 b64739 18906->18908 18909 b547a0 ___std_exception_copy RtlAllocateHeap 18907->18909 18910 b66db3 __freea RtlAllocateHeap 18908->18910 18936 b64708 __fread_nolock 18909->18936 18913 b64740 18910->18913 18912 b648e3 ReadFile 18911->18912 18925 b6489b 18911->18925 18914 b64957 18912->18914 18915 b648fb 18912->18915 18916 b64765 18913->18916 18917 b6474a 18913->18917 18922 b64964 18914->18922 18933 b648b5 18914->18933 18915->18914 18918 b648d4 18915->18918 18921 b5e13d __fread_nolock 2 API calls 18916->18921 18919 b5d23f __dosmaperr RtlAllocateHeap 18917->18919 18927 b64937 18918->18927 18928 b64920 18918->18928 18918->18936 18923 b6474f 18919->18923 18920 b66db3 __freea RtlAllocateHeap 18920->18888 18921->18924 18926 b5d23f __dosmaperr RtlAllocateHeap 18922->18926 18929 b5d22c __dosmaperr RtlAllocateHeap 18923->18929 18924->18904 18925->18918 18925->18933 18930 b64969 18926->18930 18927->18936 18972 b6417b 18927->18972 18962 b64335 18928->18962 18929->18936 18934 b5d22c __dosmaperr RtlAllocateHeap 18930->18934 18933->18936 18957 b5d1e5 18933->18957 18934->18936 18936->18920 18938 b58a3c 18937->18938 18947 b58a38 std::locale::_Locimp::_Locimp 18937->18947 18939 b58a56 __fread_nolock 18938->18939 18940 b58a43 18938->18940 18944 b58a84 18939->18944 18945 b58a8d 18939->18945 18939->18947 18941 b5d23f __dosmaperr RtlAllocateHeap 18940->18941 18942 b58a48 18941->18942 18943 b547a0 ___std_exception_copy RtlAllocateHeap 18942->18943 18943->18947 18946 b5d23f __dosmaperr RtlAllocateHeap 18944->18946 18945->18947 18949 b5d23f __dosmaperr RtlAllocateHeap 18945->18949 18948 b58a89 18946->18948 18947->18871 18950 b547a0 ___std_exception_copy RtlAllocateHeap 18948->18950 18949->18948 18950->18947 18952 b66e6b 18951->18952 18956 b66e3b __Getctype std::_Facet_Register 18951->18956 18954 b5d23f __dosmaperr RtlAllocateHeap 18952->18954 18953 b66e56 RtlAllocateHeap 18955 b64730 
18953->18955 18953->18956 18954->18955 18955->18906 18956->18952 18956->18953 18958 b5d22c __dosmaperr RtlAllocateHeap 18957->18958 18959 b5d1f0 __dosmaperr 18958->18959 18960 b5d23f __dosmaperr RtlAllocateHeap 18959->18960 18961 b5d203 18960->18961 18961->18936 18976 b6402e 18962->18976 18965 b643c7 18966 b5d23f __dosmaperr RtlAllocateHeap 18965->18966 18968 b6437d 18966->18968 18967 b643d7 18969 b5e13d __fread_nolock 2 API calls 18967->18969 18970 b64391 __fread_nolock 18967->18970 18968->18936 18969->18970 18970->18968 18971 b5d1e5 __dosmaperr RtlAllocateHeap 18970->18971 18971->18968 18974 b641b5 18972->18974 18973 b64246 18973->18936 18974->18973 18975 b5e13d __fread_nolock 2 API calls 18974->18975 18975->18973 18977 b64062 18976->18977 18978 b640ce 18977->18978 18979 b5e13d __fread_nolock 2 API calls 18977->18979 18978->18965 18978->18967 18978->18968 18978->18970 18979->18978 18981 b58acf __fread_nolock 18980->18981 18982 b58ad9 18981->18982 18984 b58afc __fread_nolock 18981->18984 18983 b54723 ___std_exception_copy RtlAllocateHeap 18982->18983 18986 b58af4 18983->18986 18984->18986 18987 b58b5a 18984->18987 18986->18389 18988 b58b67 18987->18988 18989 b58b8a 18987->18989 18990 b54723 ___std_exception_copy RtlAllocateHeap 18988->18990 18991 b555d3 4 API calls 18989->18991 18992 b58b82 18989->18992 18990->18992 18993 b58ba2 18991->18993 18992->18986 19001 b66ded 18993->19001 18996 b65f82 __fread_nolock RtlAllocateHeap 18997 b58bb6 18996->18997 19005 b64a3f 18997->19005 19000 b66db3 __freea RtlAllocateHeap 19000->18992 19002 b66e04 19001->19002 19004 b58baa 19001->19004 19003 b66db3 __freea RtlAllocateHeap 19002->19003 19002->19004 19003->19004 19004->18996 19007 b58bbd 19005->19007 19008 b64a68 19005->19008 19006 b64ab7 19009 b54723 ___std_exception_copy RtlAllocateHeap 19006->19009 19007->18992 19007->19000 19008->19006 19010 b64a8f 19008->19010 19009->19007 19012 b649ae 19010->19012 19013 b649ba __fread_nolock 19012->19013 19015 b649f9 19013->19015 19016 
b64b12 19013->19016 19015->19007 19017 b6a6de __fread_nolock RtlAllocateHeap 19016->19017 19019 b64b22 19017->19019 19020 b6a6de __fread_nolock RtlAllocateHeap 19019->19020 19025 b64b28 19019->19025 19027 b64b5a 19019->19027 19023 b64b51 19020->19023 19021 b6a6de __fread_nolock RtlAllocateHeap 19024 b64b66 FindCloseChangeNotification 19021->19024 19022 b64b80 __fread_nolock 19022->19015 19026 b6a6de __fread_nolock RtlAllocateHeap 19023->19026 19024->19025 19028 b6a64d 19025->19028 19026->19027 19027->19021 19027->19025 19029 b6a65c 19028->19029 19030 b5d23f __dosmaperr RtlAllocateHeap 19029->19030 19033 b6a686 19029->19033 19031 b6a6c8 19030->19031 19032 b5d22c __dosmaperr RtlAllocateHeap 19031->19032 19032->19033 19033->19022 20216 55d0420 20217 55d0430 20216->20217 20220 55d0640 20217->20220 20221 55d0659 GetCurrentHwProfileW 20220->20221 20223 55d0717 20221->20223

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 689 ad3a40-ad3a52 690 ad3a55-ad3a61 689->690 692 ad3b28-ad3b31 GetPEB 690->692 693 ad3a67-ad3a6d 690->693 694 ad3b34-ad3b48 692->694 693->692 695 ad3a73-ad3a7f GetPEB 693->695 697 ad3b99-ad3b9b 694->697 698 ad3b4a-ad3b4f 694->698 696 ad3a80-ad3a94 695->696 700 ad3ae4-ad3ae6 696->700 701 ad3a96-ad3a9b 696->701 697->694 698->697 699 ad3b51-ad3b59 698->699 702 ad3b60-ad3b73 699->702 700->696 701->700 703 ad3a9d-ad3aa3 701->703 704 ad3b75-ad3b88 702->704 705 ad3b92-ad3b97 702->705 706 ad3aa5-ad3ab8 703->706 704->704 707 ad3b8a-ad3b90 704->707 705->697 705->702 708 ad3add-ad3ae2 706->708 709 ad3aba 706->709 707->705 710 ad3b9d-ad3bc2 Sleep 707->710 708->700 708->706 711 ad3ac0-ad3ad3 709->711 710->690 711->711 712 ad3ad5-ad3adb 711->712 712->708 713 ad3ae8-ad3b0d Sleep 712->713 714 ad3b13-ad3b1a 713->714 714->692 715 ad3b1c-ad3b22 714->715 715->692 716 ad3bc7-ad3bd8 call a76bd0 715->716 719 ad3bde 716->719 720 ad3bda-ad3bdc 716->720 721 ad3be0-ad3bfd call a76bd0 719->721 720->721
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00AD3DB6), ref: 00AD3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00AD3DB6), ref: 00AD3BBA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 91568b4a504bffe5b6fdc4df9e7012cbfc543401a48ff9f3e657dcc2d4f9495c
                                  • Instruction ID: e23706940731cbf81a2ec8bd9f3f28546cb09a687f51ae1bc1ea789c49f39ac3
                                  • Opcode Fuzzy Hash: 91568b4a504bffe5b6fdc4df9e7012cbfc543401a48ff9f3e657dcc2d4f9495c
                                  • Instruction Fuzzy Hash: E851B936A042198FCF24CF58C8D0EAAB7B1FF45744B29859AD446AF352D732EE05CB91

                                  Control-flow Graph

                                  control_flow_graph 0 a8e0a0-a8e0d2 WSAStartup 1 a8e0d8-a8e102 call a76bd0 * 2 0->1 2 a8e1b7-a8e1c0 0->2 7 a8e10e-a8e165 1->7 8 a8e104-a8e108 1->8 10 a8e1b1 7->10 11 a8e167-a8e16d 7->11 8->2 8->7 10->2 12 a8e16f 11->12 13 a8e1c5-a8e1cf 11->13 14 a8e175-a8e189 socket 12->14 13->10 17 a8e1d1-a8e1d9 13->17 14->10 16 a8e18b-a8e19b connect 14->16 18 a8e19d-a8e1a5 closesocket 16->18 19 a8e1c1 16->19 18->14 20 a8e1a7-a8e1ab 18->20 19->13 20->10
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 9cb1a79dac40c8c0370804db34e2bccc7a304f520968b10a493038a37a2615ac
                                  • Instruction ID: 821b6c66d26d3a8610d6925fc9e42edb9cbdf1a8fe02d888e7c51d2558d627b0
                                  • Opcode Fuzzy Hash: 9cb1a79dac40c8c0370804db34e2bccc7a304f520968b10a493038a37a2615ac
                                  • Instruction Fuzzy Hash: AA31B072605300ABE720EF258C4872BB7E4EBD6724F004F1DF9A8A62D0D33599048BA2

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: 3489944f212bfc3cd61e472e8356420a94a88ab82866b526b89c107d3b55ca88
                                  • Instruction ID: dcd0158b48ee082afa4c2b73c5f5022ebca789ea5ba9d3af913b12b5b4c1b05d
                                  • Opcode Fuzzy Hash: 3489944f212bfc3cd61e472e8356420a94a88ab82866b526b89c107d3b55ca88
                                  • Instruction Fuzzy Hash: 6B5107EB54D111BCB172C1892B1CAFAE72FF6D6730B308C26F407DA6A1F2844A8941F1

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: d5fe652bb89812e5160b66645c4eb8ae47d17176d52060ecdb5ba6d4ecc0f2bc
                                  • Instruction ID: e46cfe26da02f672fb2b79d292643f03c845e7af237cb4bb13fb06026d303325
                                  • Opcode Fuzzy Hash: d5fe652bb89812e5160b66645c4eb8ae47d17176d52060ecdb5ba6d4ecc0f2bc
                                  • Instruction Fuzzy Hash: 9B51C1EB54D111BCB171C18A2B1CAFAD72FF6D6730B308C26F407DA6A1F2844A8954F1

                                  Control-flow Graph

                                  control_flow_graph 139 55d0674-55d06f1 146 55d06f2-55d0707 GetCurrentHwProfileW 139->146 148 55d0717-55d0745 call 55d073e 146->148 154 55d0758-55d075c 148->154 155 55d075d-55d0a64 call 55d0807 154->155 156 55d0747-55d0755 154->156 156->154
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: 93685aaeb02ff8933b61abd0093dd3ea1315f9fa8ec310d2165d8709714f7bf5
                                  • Instruction ID: 85951f253e2250e581974c2fab1f0d73f6d65906185a9f2b1e907cb09affc9ea
                                  • Opcode Fuzzy Hash: 93685aaeb02ff8933b61abd0093dd3ea1315f9fa8ec310d2165d8709714f7bf5
                                  • Instruction Fuzzy Hash: DA51F3EB54D111ACB171D15A2B1CAFAE72FF2D6730B308C26F407DA6A1F2844A8954F1

                                  Control-flow Graph

                                  control_flow_graph 196 55d0685-55d06f1 203 55d06f2-55d0707 GetCurrentHwProfileW 196->203 205 55d0717-55d0745 call 55d073e 203->205 211 55d0758-55d075c 205->211 212 55d075d-55d0a64 call 55d0807 211->212 213 55d0747-55d0755 211->213 213->211
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: eefc1b25dc56a83a217207b281c6125666f0f038dec8cfd6fe209a7f9a5bc217
                                  • Instruction ID: 5fff87d127b276d087e1c30ad45bbac2ecea49a079bfca89b9bd77a919dacc1b
                                  • Opcode Fuzzy Hash: eefc1b25dc56a83a217207b281c6125666f0f038dec8cfd6fe209a7f9a5bc217
                                  • Instruction Fuzzy Hash: 1541C1EB54D111ACB171C15A2B1CAFADB2FF6D6730B308C26F407DA6A5F2844A8954F1

                                  Control-flow Graph

                                  control_flow_graph 253 55d0694-55d06f1 258 55d06f2-55d0707 GetCurrentHwProfileW 253->258 260 55d0717-55d0745 call 55d073e 258->260 266 55d0758-55d075c 260->266 267 55d075d-55d0a64 call 55d0807 266->267 268 55d0747-55d0755 266->268 268->266
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: c3874b166f398b03f86d05579e2d69b82d7e081dd26b22601825df6805dca525
                                  • Instruction ID: 3c35bdeff2d7c9981bff351fd22e911a696599d63c79ade86165a532a2695fa9
                                  • Opcode Fuzzy Hash: c3874b166f398b03f86d05579e2d69b82d7e081dd26b22601825df6805dca525
                                  • Instruction Fuzzy Hash: C841F2EB50D115BCB171C24A2B1CAFAD62FF6D6730B308C26F807DA6A1F2844A8950F1

                                  Control-flow Graph

                                  control_flow_graph 308 55d06a6-55d06f1 314 55d06f2-55d0707 GetCurrentHwProfileW 308->314 316 55d0717-55d0745 call 55d073e 314->316 322 55d0758-55d075c 316->322 323 55d075d-55d0a64 call 55d0807 322->323 324 55d0747-55d0755 322->324 324->322
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: 4b9aa86270f564a682eacbb92ef289f7f926ddd3b6f9d0a1703fd3912ea5946c
                                  • Instruction ID: f279393c95baf87770a8bdc6188c7ad1b119f8c6fc96d3081f100469125b77a3
                                  • Opcode Fuzzy Hash: 4b9aa86270f564a682eacbb92ef289f7f926ddd3b6f9d0a1703fd3912ea5946c
                                  • Instruction Fuzzy Hash: D341F4EB54D111BCB171C25E2B1CAFADA2FF2D6730B308C26F407DA6A1F2844A8954F1

                                  Control-flow Graph

                                  control_flow_graph 364 55d06ab-55d06f1 369 55d06f2-55d0707 GetCurrentHwProfileW 364->369 371 55d0717-55d0745 call 55d073e 369->371 377 55d0758-55d075c 371->377 378 55d075d-55d0a64 call 55d0807 377->378 379 55d0747-55d0755 377->379 379->377
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: d470c3602e9d9a441ab1906f1e055538094173a3696cb07f6f9c4ac90ba07ca5
                                  • Instruction ID: 82dcfe4c28486744022c9bcfc58dbbc0f06d177760e98d14eb7608fa84f49b88
                                  • Opcode Fuzzy Hash: d470c3602e9d9a441ab1906f1e055538094173a3696cb07f6f9c4ac90ba07ca5
                                  • Instruction Fuzzy Hash: 9541E2EB54D111BCB171C25A2B1CAFADA2FF2D6730B308C26F407DA6A1F2844A8954F1

                                  Control-flow Graph

                                  control_flow_graph 472 55d0708-55d070c 473 55d070e-55d0715 472->473 474 55d06f2-55d0707 GetCurrentHwProfileW 472->474 476 55d071c-55d0723 473->476 477 55d0717-55d0719 473->477 474->477 478 55d0729-55d0745 call 55d073e 476->478 477->478 483 55d0758-55d075c 478->483 484 55d075d-55d0a64 call 55d0807 483->484 485 55d0747-55d0755 483->485 485->483
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: fdd43aa30f4488ad77a19eb38fd7a4a27a14d5d9689b15b9b53b95c5974ebe77
                                  • Instruction ID: 2438c203b7079c0e37caf038a43e85add1ed8b593fcba0ca0ad0af9e6a01a6dc
                                  • Opcode Fuzzy Hash: fdd43aa30f4488ad77a19eb38fd7a4a27a14d5d9689b15b9b53b95c5974ebe77
                                  • Instruction Fuzzy Hash: 2341F5EB50D115ACB172C2591B1CAF6EB2FF6D7730B308827F407DA6A2F2844A8955F1

                                  Control-flow Graph

                                  control_flow_graph 419 55d06bf-55d06f1 422 55d06f2-55d0707 GetCurrentHwProfileW 419->422 424 55d0717-55d0745 call 55d073e 422->424 430 55d0758-55d075c 424->430 431 55d075d-55d0a64 call 55d0807 430->431 432 55d0747-55d0755 430->432 432->430
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: 0ac5cb8080cfd2401d84d48da43739d8de7c0d51415c66eb3c65d02be24d131a
                                  • Instruction ID: 7a95966bd7f775274303ea4a99161be5536c94b5ba97a1c5c56d7a3614282938
                                  • Opcode Fuzzy Hash: 0ac5cb8080cfd2401d84d48da43739d8de7c0d51415c66eb3c65d02be24d131a
                                  • Instruction Fuzzy Hash: 5C4112EB50D111ACB171C2592B1CAFAEB2FF6D6730B308C27F407DA6A1F2944A8944F1

                                  Control-flow Graph

                                  control_flow_graph 525 55d06e5-55d06f1 527 55d06f2-55d0707 GetCurrentHwProfileW 525->527 529 55d0717-55d0745 call 55d073e 527->529 535 55d0758-55d075c 529->535 536 55d075d-55d0a64 call 55d0807 535->536 537 55d0747-55d0755 535->537 537->535
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055D0702
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4119414398.00000000055D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 055D0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_55d0000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: k^[P
                                  • API String ID: 2104809126-2573564367
                                  • Opcode ID: 65eed830c4b30e7db03d0284babf1f7f6370018bdb7b2ef01d7ebe426f85a97f
                                  • Instruction ID: 0fcd92acd15da03139613c17eeb9ef42c51a622814224af4600d9939497b1776
                                  • Opcode Fuzzy Hash: 65eed830c4b30e7db03d0284babf1f7f6370018bdb7b2ef01d7ebe426f85a97f
                                  • Instruction Fuzzy Hash: 864113EB50D115BCB171C29D1B1CAFADA2FF6D6730B308C26F407DA6A1F2844A8914F1

                                  Control-flow Graph

                                  control_flow_graph 577 b64623-b64633 578 b64635-b64648 call b5d22c call b5d23f 577->578 579 b6464d-b6464f 577->579 593 b649a7 578->593 580 b64655-b6465b 579->580 581 b6498f-b6499c call b5d22c call b5d23f 579->581 580->581 584 b64661-b6468a 580->584 600 b649a2 call b547a0 581->600 584->581 587 b64690-b64699 584->587 590 b646b3-b646b5 587->590 591 b6469b-b646ae call b5d22c call b5d23f 587->591 596 b6498b-b6498d 590->596 597 b646bb-b646bf 590->597 591->600 598 b649aa-b649ad 593->598 596->598 597->596 601 b646c5-b646c9 597->601 600->593 601->591 604 b646cb-b646e2 601->604 605 b64717-b6471d 604->605 606 b646e4-b646e7 604->606 610 b646f1-b64708 call b5d22c call b5d23f call b547a0 605->610 611 b6471f-b64726 605->611 608 b6470d-b64715 606->608 609 b646e9-b646ef 606->609 613 b6478a-b647a9 608->613 609->608 609->610 640 b648c2 610->640 614 b6472a-b64748 call b66e2d call b66db3 * 2 611->614 615 b64728 611->615 617 b64865-b6486e call b70d44 613->617 618 b647af-b647bb 613->618 644 b64765-b64788 call b5e13d 614->644 645 b6474a-b64760 call b5d23f call b5d22c 614->645 615->614 631 b64870-b64882 617->631 632 b648df 617->632 618->617 622 b647c1-b647c3 618->622 622->617 627 b647c9-b647ea 622->627 627->617 628 b647ec-b64802 627->628 628->617 633 b64804-b64806 628->633 631->632 636 b64884-b64893 631->636 637 b648e3-b648f9 ReadFile 632->637 633->617 638 b64808-b6482b 633->638 636->632 654 b64895-b64899 636->654 641 b64957-b64962 637->641 642 b648fb-b64901 637->642 646 b648c5-b648cf call b66db3 640->646 656 b64964-b64976 call b5d23f call b5d22c 641->656 657 b6497b-b6497e 641->657 642->641 648 b64903 642->648 643->617 650 b64845-b64847 643->650 644->613 645->640 646->598 649 b64906-b64918 648->649 649->646 658 b6491a-b6491e 649->658 650->617 659 b64849-b64860 650->659 654->637 663 b6489b-b648b3 654->663 656->640 667 b64984-b64986 657->667 668 b648bb-b648c1 call b5d1e5 657->668 665 b64937-b64944 658->665 666 b64920-b64930 call b64335 658->666 659->617 677 b648d4-b648dd 663->677 678 b648b5-b648ba 663->678 674 b64946 call b6448c 665->674 675 b64950-b64955 call b6417b 665->675 685 b64933-b64935 666->685 667->646 668->640 686 b6494b-b6494e 674->686 675->686 677->649 678->668 685->646 686->685
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 90e2f91753fdaf5cc3f256f372292ae7b3fa733a08ed6bd0eed60f59928d8b14
                                  • Instruction ID: df57141529db011eeb272ec8824b7412a14a62fbacf043a97e78fdfc506c265b
                                  • Opcode Fuzzy Hash: 90e2f91753fdaf5cc3f256f372292ae7b3fa733a08ed6bd0eed60f59928d8b14
                                  • Instruction Fuzzy Hash: B0B114B0E04645AFDB11DFA8D881BAEBBF1EF46314F1442D8E854A7382CB799D45CB60

                                  Control-flow Graph

                                  control_flow_graph 724 a7a210-a7a2ab call b4f290 call a72ae0 729 a7a2b0-a7a2bb 724->729 729->729 730 a7a2bd-a7a2c8 729->730 731 a7a2cd-a7a2de call b55362 730->731 732 a7a2ca 730->732 735 a7a351-a7a357 731->735 736 a7a2e0-a7a305 call b59136 call b54eeb call b59136 731->736 732->731 737 a7a381-a7a393 735->737 738 a7a359-a7a365 735->738 753 a7a307 736->753 754 a7a30c-a7a316 736->754 740 a7a377-a7a37e call b4f511 738->740 741 a7a367-a7a375 738->741 740->737 741->740 743 a7a394-a7a3ae call b547b0 741->743 752 a7a3b0-a7a3bb 743->752 752->752 755 a7a3bd-a7a3c8 752->755 753->754 756 a7a328-a7a32f call adcf60 754->756 757 a7a318-a7a31c 754->757 758 a7a3cd-a7a3df call b55362 755->758 759 a7a3ca 755->759 764 a7a334-a7a33a 756->764 760 a7a320-a7a326 757->760 761 a7a31e 757->761 766 a7a3e1-a7a3f9 call b59136 call b54eeb call b58be8 758->766 767 a7a3fc-a7a403 758->767 759->758 760->764 761->760 768 a7a33e-a7a349 call b5dbdf call b58be8 764->768 769 a7a33c 764->769 766->767 771 a7a405-a7a411 767->771 772 a7a42d-a7a433 767->772 785 a7a34e 768->785 769->768 775 a7a423-a7a42a call b4f511 771->775 776 a7a413-a7a421 771->776 775->772 776->775 779 a7a434-a7a45e call b547b0 776->779 791 a7a460-a7a464 779->791 792 a7a46f-a7a474 779->792 785->735 791->792 793 a7a466-a7a46e 791->793
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: da77661de617b226dddef21a0fe78c4bb16e92d24e271372ce46b838fadea3f9
                                  • Instruction ID: 6bd07c6d4404293b53f237bf1b55040bef0b3e2d0f01ae83a2b275ff12b824f5
                                  • Opcode Fuzzy Hash: da77661de617b226dddef21a0fe78c4bb16e92d24e271372ce46b838fadea3f9
                                  • Instruction Fuzzy Hash: 4B713A71900204BFDB14DF68CC49BAEBBE8EF81700F10C5ADF8099B682D7B59A45C792

                                  Control-flow Graph

                                  control_flow_graph 794 b6549c-b654be 795 b654c4-b654c6 794->795 796 b656b1 794->796 798 b654f2-b65515 795->798 799 b654c8-b654e7 call b54723 795->799 797 b656b3-b656b7 796->797 800 b65517-b65519 798->800 801 b6551b-b65521 798->801 805 b654ea-b654ed 799->805 800->801 803 b65523-b65534 800->803 801->799 801->803 806 b65536-b65544 call b5e17d 803->806 807 b65547-b65557 call b64fe1 803->807 805->797 806->807 812 b655a0-b655b2 807->812 813 b65559-b6555f 807->813 814 b655b4-b655ba 812->814 815 b65609-b65629 WriteFile 812->815 816 b65561-b65564 813->816 817 b65588-b6559e call b64bb2 813->817 821 b655f5-b65607 call b6505e 814->821 822 b655bc-b655bf 814->822 818 b65634 815->818 819 b6562b-b65631 815->819 823 b65566-b65569 816->823 824 b6556f-b6557e call b64f79 816->824 835 b65581-b65583 817->835 827 b65637-b65642 818->827 819->818 841 b655dc-b655df 821->841 828 b655e1-b655f3 call b65222 822->828 829 b655c1-b655c4 822->829 823->824 830 b65649-b6564c 823->830 824->835 836 b65644-b65647 827->836 837 b656ac-b656af 827->837 828->841 838 b6564f-b65651 829->838 839 b655ca-b655d7 call b65139 829->839 830->838 835->827 836->830 837->797 843 b65653-b65658 838->843 844 b6567f-b6568b 838->844 839->841 841->835 848 b65671-b6567a call b5d208 843->848 849 b6565a-b6566c 843->849 846 b65695-b656a7 844->846 847 b6568d-b65693 844->847 846->805 847->796 847->846 848->805 849->805
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00B59087,?,00000000,00000000,00000000,?,00000000,?,00A7A3EB,00B59087,00000000,00A7A3EB,?,?), ref: 00B65621
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 324b8dbb2f1e50b3c9bbd8f9405b90681efa826abcf9a863f7a6ee11109b7753
                                  • Instruction ID: 5794ec207f20c80d4ac7d1ae923bc7fd30e86b432c2c1870688880926c0847a2
                                  • Opcode Fuzzy Hash: 324b8dbb2f1e50b3c9bbd8f9405b90681efa826abcf9a863f7a6ee11109b7753
                                  • Instruction Fuzzy Hash: 676191B2900519AFDF21DFA8C884AEEBBFAEF19304F5401C5E805A7215D779D961CBA0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 873bb3c47b15d373126beefc2e09f71cf402ef20fe3bcf237f6867130a39263a
                                  • Instruction ID: 6fc1532634142dbf2a5e6b08e91f4269efd13529698e007af4e0160a2605a84e
                                  • Opcode Fuzzy Hash: 873bb3c47b15d373126beefc2e09f71cf402ef20fe3bcf237f6867130a39263a
                                  • Instruction Fuzzy Hash: B451B370A00108AFDB54CF58C881BAEBBF1EF49369F2481D8FC599B252D3719E95CB90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00AE06AE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 629e8c71b86cef13bd0161e4997186ee116ec03c669648962dccb1b59c98d6d0
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 5B41E572A001549BCB15EF69DD80AAE7BE5EF88310F1441A9FC05DB302D7B0DEA09BE1
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00B649F9,00000000,CF830579,00BA1140,0000000C,00B64AB5,00B58BBD,?), ref: 00B64B68
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 923347577642978887aa79934a52a28c3e897c23ba802a5bb2e36b8e966d09a9
                                  • Instruction ID: 5dea869dad8ffd22051dd8d1fb65e4363e593b16acd65a780e231d519d7dc862
                                  • Opcode Fuzzy Hash: 923347577642978887aa79934a52a28c3e897c23ba802a5bb2e36b8e966d09a9
                                  • Instruction Fuzzy Hash: 07114433A415241ACB253674E846B7EB7CACB83770F2D02D9F818AB1C2EF69DC825255
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00BA0DF8,00A7A3EB,00000002,00A7A3EB,00000000,?,?,?,00B5E166,00000000,?,00A7A3EB,00000002,00BA0DF8), ref: 00B5E098
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 202f7ccf3dce39b11e72c7dfe58976f217a3b6526a764fa8619d1507d080072e
                                  • Instruction ID: acdaeefbefb67a953b65b99f763f46be9e8d7d41ed66e84cb347e5d43bad5a9f
                                  • Opcode Fuzzy Hash: 202f7ccf3dce39b11e72c7dfe58976f217a3b6526a764fa8619d1507d080072e
                                  • Instruction Fuzzy Hash: D3012B32614115AFCF199F59CC06D9E3B5ADB81330B2802C8FC60972D1E6B1EE45CBD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A7220E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 25e7954cbe89233ca00581d69169b55b070b8f2e6094e1840ebd59dd632e47d6
                                  • Instruction ID: 73c230ea496404db19ae85c01a08eaa18707b4370f9878e3341fd3e0e378dcf0
                                  • Opcode Fuzzy Hash: 25e7954cbe89233ca00581d69169b55b070b8f2e6094e1840ebd59dd632e47d6
                                  • Instruction Fuzzy Hash: B4012B7650430EABCB14AFA8DC0296977ECDA00310B54C5B9FE1DDB551EB70E9548794
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00B591F7,00000000,?,00B65D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00B5D244,00B589C3,00B591F7,00000000), ref: 00B66435
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 3d902fc4099ffd4f72bfb0d0542ca22001e8e34432318f478e69410e57793f1b
                                  • Instruction ID: 8b2dbbfdcec30f3d37f88cb9fd8ebbd939f702e83d853fa582264dfcf1bb4e8d
                                  • Opcode Fuzzy Hash: 3d902fc4099ffd4f72bfb0d0542ca22001e8e34432318f478e69410e57793f1b
                                  • Instruction Fuzzy Hash: BCF0E932505124669B216B62DC17B6B7BCCEF41760F1580D1EC0897280CF38EC0142F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00B6D635,4D88C033,?,00B6D635,00000220,?,00B657EF,4D88C033), ref: 00B66E60
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 1fc5deaabc80795d153a4d706f26bf79d3513ab1a861800642317d1edb1bb1ef
                                  • Instruction ID: f682c6a2a6edde1077892c69fdf5e9be412b2dc8e13d5ef253aadf0c76efe720
                                  • Opcode Fuzzy Hash: 1fc5deaabc80795d153a4d706f26bf79d3513ab1a861800642317d1edb1bb1ef
                                  • Instruction Fuzzy Hash: 67E0ED3A94562166DA302266CC01B6B7BC8CBA27A1F0505E1FC04D20D0CF2ACC0081A4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 9ce32bd519990f92cdfb160b500c19bf8f6db6426940903da7a90d62eb7b9c32
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 4D022D71E012199BDF14CFA9D8807AEBBF1FF48315F2482A9D919F7380DB31A9458B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00ADF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00ADF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADFA08
                                  • std::_Facet_Register.LIBCPMT ref: 00ADFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: e3d010db819d2ba949adbb9fd107647a8fe8e225c4fc84076c3ef0f27ac75fcf
                                  • Instruction ID: 38df27924287b8bdba71f8167509716181c8f6f3eff58b70e4349ee376f56cf7
                                  • Opcode Fuzzy Hash: e3d010db819d2ba949adbb9fd107647a8fe8e225c4fc84076c3ef0f27ac75fcf
                                  • Instruction Fuzzy Hash: DF616EB1D002489FEF20DFA4D845B9EBBF4AF15710F1841A9E816A7341EB74EA05CB92
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A73A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A73AA4
                                  • __Getctype.LIBCPMT ref: 00A73ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A73AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A73B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                   • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 7bb4de58a8d44943d33fb7d3e9407b12fee82f9a60f96baebc80b0d1b4934a9a
                                  • Instruction ID: 13f73beedc94de9d46bc43e4edce78056c9d25f3c738ebc1e0991ef726e0262d
                                  • Opcode Fuzzy Hash: 7bb4de58a8d44943d33fb7d3e9407b12fee82f9a60f96baebc80b0d1b4934a9a
                                  • Instruction Fuzzy Hash: 3D5130B2D012489BEF10DFA4DC45B9EBBF8AF54310F1481A9E809AB341E775DA08DB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00B52E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00B52F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00B52F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: e98551110e5a50f17180e0d3840e447a36147e15659089685c48d3cd1e519ec2
                                  • Instruction ID: bf72ab0f317d4a9128e7928f2bb9fafa319f065582c9d0588044997eb2c39fc9
                                  • Opcode Fuzzy Hash: e98551110e5a50f17180e0d3840e447a36147e15659089685c48d3cd1e519ec2
                                  • Instruction Fuzzy Hash: 29419130A012099BCF10DF68D885B9EBBF5EF46315F1480D5ED189B392D731DA49CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00ADDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADDED6
                                  • std::_Facet_Register.LIBCPMT ref: 00ADDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00ADDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00ADDF7B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: c03016c01924e7dd2e343f5316efa6c5528a095dcd9aa44fc0f0f2ae2c1e6e16
                                  • Instruction ID: 0fe2e2e8b9442f6f31ac3a41cd8a7d107d977768cc5ff9ec9ebf5790aac0b60a
                                  • Opcode Fuzzy Hash: c03016c01924e7dd2e343f5316efa6c5528a095dcd9aa44fc0f0f2ae2c1e6e16
                                  • Instruction Fuzzy Hash: 7C41B2B1900215DFCF14DF58D845AAEBBF4FB05710F14466AE8169B392DB31AE05CBD1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A74F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A74FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A750C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 00A7504C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: f61041b02dcce777b7efb80a637ca91e61f23187c2b3a857c138110da9025674
                                  • Instruction ID: 1d223d151804ccf9954e84bfec9eb3b6e269fdb1fcddcbae671971f847aa0def
                                  • Opcode Fuzzy Hash: f61041b02dcce777b7efb80a637ca91e61f23187c2b3a857c138110da9025674
                                  • Instruction Fuzzy Hash: 82E1E0719002059FCB28DF68CD45BAEB7F9FF48710F108A6DE45A97781E774AA04CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A7799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A77B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 6bfa4a5049e065fe6ed3a58a1bfd0124992e5d7005f5817957fd539e0a02f634
                                  • Instruction ID: da9c46fa6771d612c9573084d4125abb46b7b1384140ed26eb9031cbb5b46f7e
                                  • Opcode Fuzzy Hash: 6bfa4a5049e065fe6ed3a58a1bfd0124992e5d7005f5817957fd539e0a02f634
                                  • Instruction Fuzzy Hash: 5FC157B1D002089FDB18DFA8D984B9DBBF5FF48300F14866AE419EB791E7749980CB54
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 9091a30999fdfebd5acf93302cc4f62311a63fcf42c23899d47e387fe6dc1cca
                                  • Instruction ID: 666b59668a73a8901c2a4ef0ca271b3ac13544a6a17c5819db1f196ace0c3bb4
                                  • Opcode Fuzzy Hash: 9091a30999fdfebd5acf93302cc4f62311a63fcf42c23899d47e387fe6dc1cca
                                  • Instruction Fuzzy Hash: 6961C171A042059FDB08DF68DD84BADBBF6FF44300F24C668E419A7782D774AA44CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A73E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 28452488a43dcb035f3bf3b75a5b888a8a29e8abaa67a6f0c3779fcff7783aa4
                                  • Instruction ID: 059a8d05e346c8d8aa7e86a1f22bdcd0159f869fadf1bdf14e7aba4e97044fab
                                  • Opcode Fuzzy Hash: 28452488a43dcb035f3bf3b75a5b888a8a29e8abaa67a6f0c3779fcff7783aa4
                                  • Instruction Fuzzy Hash: 8641B4B3900209AFCB14DF68CC45BAEB7F8EF49310F14C56AF919D7641E770AA048BA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A73E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 424749cede513fc4d820d55567ff2eaf55e897bd98a72e7821cdb1c5453097bd
                                  • Instruction ID: 896b4465d931b0b46656993ec8364cea8a853c5827bd53b1dfbf60a5e67ae863
                                  • Opcode Fuzzy Hash: 424749cede513fc4d820d55567ff2eaf55e897bd98a72e7821cdb1c5453097bd
                                  • Instruction Fuzzy Hash: 5D2105B39047056FCB14DF58DC02B96B7E8AB04310F19C8BAFA6C8B641E770EA148B95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00A77340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: a36752a6cab398645f967befd0bb0e6696d44aa2d6791be29b7def99e181634e
                                  • Instruction ID: 4ab7e2da644a007e83129b465b72869f213f801c41b6c6fb47aea9b8ae204e06
                                  • Opcode Fuzzy Hash: a36752a6cab398645f967befd0bb0e6696d44aa2d6791be29b7def99e181634e
                                  • Instruction Fuzzy Hash: B7E14E719042449FDB18CF68CD84B9DBBF1BF49304F24C2A9E419AB792D7749A81CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A76F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00A76F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 8832be2fbdb71314eb89c9a2f451f452099b018f68f12edbacf093a47a539bae
                                  • Instruction ID: b1b1f4a20c4a095241b3334a6ac6a30061494df7035c7cad45ff5dcf89cd9f0d
                                  • Opcode Fuzzy Hash: 8832be2fbdb71314eb89c9a2f451f452099b018f68f12edbacf093a47a539bae
                                  • Instruction Fuzzy Hash: F591C370A006049FDB18CF68DD84BAEBBF5EF48300F20C56CE419AB792D771AA45CB91
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00AEE491
                                  Strings
                                  • type must be string, but is , xrefs: 00AEE4F8
                                  • type must be boolean, but is , xrefs: 00AEE582
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.4112086502.0000000000A71000.00000040.00000001.01000000.00000005.sdmp, Offset: 00A70000, based on PE: true
                                  • Associated: 00000006.00000002.4111980092.0000000000A70000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4112086502.0000000000BA3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113915489.0000000000BA8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000BAC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000D42000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E25000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E63000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4113956720.0000000000E72000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114588753.0000000000E73000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.4114920528.000000000101B000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_a70000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 916f9bc2e0b82d72467c8625bfd0a54e5b9316dac33056446fd169f5e19f6bc6
                                  • Instruction ID: 68a442044b90205a71fcba8720537a9ec575fad64cf3470a1dec716514d64847
                                  • Opcode Fuzzy Hash: 916f9bc2e0b82d72467c8625bfd0a54e5b9316dac33056446fd169f5e19f6bc6
                                  • Instruction Fuzzy Hash: 49417CB5904288AFCB14EBA4DD02B9EB7E8DB00310F1486B9F419D77D1EB36AD44C396

                                  Execution Graph

                                  Execution Coverage:3.3%
                                  Dynamic/Decrypted Code Coverage:1.8%
                                  Signature Coverage:0%
                                  Total number of Nodes:1369
                                  Total number of Limit Nodes:79
18359->18361 18362 30d22c __dosmaperr RtlAllocateHeap 18360->18362 18363 31498f 18361->18363 18368 314690 18361->18368 18365 31463a 18362->18365 18364 30d22c __dosmaperr RtlAllocateHeap 18363->18364 18366 314994 18364->18366 18367 30d23f __dosmaperr RtlAllocateHeap 18365->18367 18369 30d23f __dosmaperr RtlAllocateHeap 18366->18369 18372 314642 18367->18372 18370 31469b 18368->18370 18368->18372 18377 3146cb 18368->18377 18371 3146a8 18369->18371 18373 30d22c __dosmaperr RtlAllocateHeap 18370->18373 18376 3047a0 __fread_nolock RtlAllocateHeap 18371->18376 18372->18355 18374 3146a0 18373->18374 18375 30d23f __dosmaperr RtlAllocateHeap 18374->18375 18375->18371 18376->18372 18378 3146e4 18377->18378 18379 3146f1 18377->18379 18380 31471f 18377->18380 18378->18379 18405 31470d 18378->18405 18381 30d22c __dosmaperr RtlAllocateHeap 18379->18381 18432 316e2d 18380->18432 18383 3146f6 18381->18383 18385 30d23f __dosmaperr RtlAllocateHeap 18383->18385 18388 3146fd 18385->18388 18386 320d44 __fread_nolock RtlAllocateHeap 18400 31486b 18386->18400 18387 316db3 __freea RtlAllocateHeap 18389 314739 18387->18389 18390 3047a0 __fread_nolock RtlAllocateHeap 18388->18390 18392 316db3 __freea RtlAllocateHeap 18389->18392 18417 314708 __fread_nolock 18390->18417 18391 3148e3 ReadFile 18393 314957 18391->18393 18394 3148fb 18391->18394 18395 314740 18392->18395 18403 314964 18393->18403 18415 3148b5 18393->18415 18394->18393 18404 3148d4 18394->18404 18396 314765 18395->18396 18397 31474a 18395->18397 18399 30e13d __fread_nolock 2 API calls 18396->18399 18401 30d23f __dosmaperr RtlAllocateHeap 18397->18401 18398 316db3 __freea RtlAllocateHeap 18398->18372 18399->18405 18400->18391 18402 31489b 18400->18402 18406 31474f 18401->18406 18402->18404 18402->18415 18407 30d23f __dosmaperr RtlAllocateHeap 18403->18407 18408 314920 18404->18408 18409 314937 18404->18409 18404->18417 18405->18386 18410 30d22c __dosmaperr RtlAllocateHeap 18406->18410 18411 314969 18407->18411 18443 314335 
18408->18443 18409->18417 18453 31417b 18409->18453 18410->18417 18416 30d22c __dosmaperr RtlAllocateHeap 18411->18416 18415->18417 18438 30d1e5 18415->18438 18416->18417 18417->18398 18419 308a3c 18418->18419 18428 308a38 std::locale::_Locimp::_Locimp 18418->18428 18420 308a43 18419->18420 18423 308a56 __fread_nolock 18419->18423 18421 30d23f __dosmaperr RtlAllocateHeap 18420->18421 18422 308a48 18421->18422 18424 3047a0 __fread_nolock RtlAllocateHeap 18422->18424 18425 308a84 18423->18425 18426 308a8d 18423->18426 18423->18428 18424->18428 18427 30d23f __dosmaperr RtlAllocateHeap 18425->18427 18426->18428 18430 30d23f __dosmaperr RtlAllocateHeap 18426->18430 18429 308a89 18427->18429 18428->18355 18431 3047a0 __fread_nolock RtlAllocateHeap 18429->18431 18430->18429 18431->18428 18433 316e6b 18432->18433 18434 316e3b __Getctype std::_Facet_Register 18432->18434 18436 30d23f __dosmaperr RtlAllocateHeap 18433->18436 18434->18433 18435 316e56 RtlAllocateHeap 18434->18435 18435->18434 18437 314730 18435->18437 18436->18437 18437->18387 18439 30d22c __dosmaperr RtlAllocateHeap 18438->18439 18440 30d1f0 __dosmaperr 18439->18440 18441 30d23f __dosmaperr RtlAllocateHeap 18440->18441 18442 30d203 18441->18442 18442->18417 18457 31402e 18443->18457 18446 3143d7 18450 314391 __fread_nolock 18446->18450 18451 30e13d __fread_nolock 2 API calls 18446->18451 18447 3143c7 18448 30d23f __dosmaperr RtlAllocateHeap 18447->18448 18449 31437d 18448->18449 18449->18417 18450->18449 18452 30d1e5 __dosmaperr RtlAllocateHeap 18450->18452 18451->18450 18452->18449 18454 3141b5 18453->18454 18455 314246 18454->18455 18456 30e13d __fread_nolock 2 API calls 18454->18456 18455->18417 18456->18455 18458 314062 18457->18458 18459 3140ce 18458->18459 18460 30e13d __fread_nolock 2 API calls 18458->18460 18459->18446 18459->18447 18459->18449 18459->18450 18460->18459 18462 308acf __fread_nolock 18461->18462 18463 308ad9 18462->18463 18466 308afc __fread_nolock 18462->18466 18464 304723 
__fread_nolock RtlAllocateHeap 18463->18464 18465 308af4 18464->18465 18465->17870 18466->18465 18468 308b5a 18466->18468 18469 308b67 18468->18469 18470 308b8a 18468->18470 18471 304723 __fread_nolock RtlAllocateHeap 18469->18471 18472 308b82 18470->18472 18473 3055d3 4 API calls 18470->18473 18471->18472 18472->18465 18474 308ba2 18473->18474 18482 316ded 18474->18482 18477 315f82 __fread_nolock RtlAllocateHeap 18478 308bb6 18477->18478 18486 314a3f 18478->18486 18481 316db3 __freea RtlAllocateHeap 18481->18472 18483 316e04 18482->18483 18485 308baa 18482->18485 18484 316db3 __freea RtlAllocateHeap 18483->18484 18483->18485 18484->18485 18485->18477 18487 314a68 18486->18487 18492 308bbd 18486->18492 18488 314ab7 18487->18488 18490 314a8f 18487->18490 18489 304723 __fread_nolock RtlAllocateHeap 18488->18489 18489->18492 18493 3149ae 18490->18493 18492->18472 18492->18481 18494 3149ba __fread_nolock 18493->18494 18496 3149f9 18494->18496 18497 314b12 18494->18497 18496->18492 18498 31a6de __fread_nolock RtlAllocateHeap 18497->18498 18500 314b22 18498->18500 18502 31a6de __fread_nolock RtlAllocateHeap 18500->18502 18507 314b5a 18500->18507 18508 314b28 18500->18508 18501 31a6de __fread_nolock RtlAllocateHeap 18503 314b66 FindCloseChangeNotification 18501->18503 18504 314b51 18502->18504 18503->18508 18505 31a6de __fread_nolock RtlAllocateHeap 18504->18505 18505->18507 18506 314b80 __fread_nolock 18506->18496 18507->18501 18507->18508 18509 31a64d 18508->18509 18510 31a65c 18509->18510 18511 30d23f __dosmaperr RtlAllocateHeap 18510->18511 18514 31a686 18510->18514 18512 31a6c8 18511->18512 18513 30d22c __dosmaperr RtlAllocateHeap 18512->18513 18513->18514 18514->18506 20203 4be018d 20204 4be01d5 GetCurrentHwProfileW 20203->20204 20206 4be0214 20204->20206 20316 239f50 20317 239f8c __fread_nolock 20316->20317 20318 23a27c 20317->20318 20319 23a0bc 20317->20319 20320 222270 RtlAllocateHeap 20318->20320 20321 2920e0 RtlAllocateHeap 20319->20321 20325 23a0f3 
20320->20325 20323 23a0e2 20321->20323 20322 3047b0 RtlAllocateHeap 20330 23a167 20322->20330 20324 28a4f0 RtlAllocateHeap 20323->20324 20324->20325 20325->20322 20325->20330 20326 3047b0 RtlAllocateHeap 20328 23a28b 20326->20328 20327 3047b0 RtlAllocateHeap 20329 23c070 20327->20329 20333 222ae0 RtlAllocateHeap 20328->20333 20348 23bf26 Concurrency::cancel_current_task 20328->20348 20330->20326 20331 23a261 20330->20331 20332 23bfb6 20334 23a385 20333->20334 20335 28a770 RtlAllocateHeap 20334->20335 20336 23a398 20335->20336 20368 22ab40 20336->20368 20338 23bf1b 20406 28c860 20338->20406 20340 2884b0 RtlAllocateHeap 20355 23a3a7 20340->20355 20342 28e710 RtlAllocateHeap 20342->20355 20343 23bf59 20344 222980 RtlAllocateHeap 20343->20344 20349 23bf3b 20344->20349 20345 23bf28 20347 222980 RtlAllocateHeap 20345->20347 20346 227820 RtlAllocateHeap 20346->20348 20347->20349 20348->20327 20348->20332 20349->20346 20350 23c01a 20351 222980 RtlAllocateHeap 20350->20351 20351->20349 20352 22ab40 SetFilePointerEx FindCloseChangeNotification WriteFile RtlAllocateHeap RtlAllocateHeap 20352->20355 20353 28e840 RtlAllocateHeap 20353->20355 20354 222ae0 RtlAllocateHeap 20354->20355 20355->20338 20355->20340 20355->20342 20355->20343 20355->20345 20355->20348 20355->20350 20355->20352 20355->20353 20355->20354 20356 28c860 RtlAllocateHeap RtlAllocateHeap 20355->20356 20357 2ff290 RtlAllocateHeap std::_Facet_Register 20355->20357 20358 29e5c0 RtlAllocateHeap 20355->20358 20359 2875f0 RtlAllocateHeap 20355->20359 20360 28a770 RtlAllocateHeap 20355->20360 20361 23c015 20355->20361 20363 2896e0 RtlAllocateHeap 20355->20363 20364 295660 RtlAllocateHeap 20355->20364 20365 2336d0 SetFilePointerEx FindCloseChangeNotification WriteFile RtlAllocateHeap RtlAllocateHeap 20355->20365 20366 2920e0 RtlAllocateHeap 20355->20366 20367 2874e0 RtlAllocateHeap 20355->20367 20392 233480 20355->20392 20356->20355 20357->20355 20358->20355 20359->20355 20360->20355 20362 222270 RtlAllocateHeap 
20361->20362 20362->20350 20363->20355 20364->20355 20365->20355 20366->20355 20367->20355 20374 22ab9c 20368->20374 20369 22ad96 20375 22adb3 20369->20375 20376 22ada6 20369->20376 20380 22ad60 20369->20380 20370 22ad0d 20371 22ae42 20370->20371 20372 22ad2c 20370->20372 20373 28dc60 RtlAllocateHeap 20371->20373 20383 222ae0 RtlAllocateHeap 20372->20383 20373->20380 20374->20371 20374->20380 20381 222ae0 RtlAllocateHeap 20374->20381 20385 2972c0 RtlAllocateHeap 20374->20385 20391 22acf1 20374->20391 20378 2973f0 5 API calls 20375->20378 20377 28a770 RtlAllocateHeap 20376->20377 20377->20380 20378->20380 20379 3047b0 RtlAllocateHeap 20388 22ae4c 20379->20388 20380->20379 20382 22ae25 20380->20382 20381->20374 20382->20355 20384 22ad4d 20383->20384 20386 289630 RtlAllocateHeap 20384->20386 20385->20374 20386->20380 20387 22ae80 20387->20355 20388->20387 20389 28cde0 RtlAllocateHeap 20388->20389 20390 22ae9f 20389->20390 20390->20355 20391->20369 20391->20370 20393 2334b4 20392->20393 20394 23362d 20392->20394 20423 2874e0 20393->20423 20395 233666 20394->20395 20397 3047b0 RtlAllocateHeap 20394->20397 20395->20355 20398 2336c0 20397->20398 20402 233668 20403 2884b0 RtlAllocateHeap 20402->20403 20403->20394 20404 233537 20404->20394 20404->20402 20405 2874e0 RtlAllocateHeap 20404->20405 20430 2875f0 20404->20430 20441 28e710 20404->20441 20457 28e840 20404->20457 20405->20404 20407 28c869 20406->20407 20408 28c8ac 20406->20408 20409 28fa40 RtlAllocateHeap 20407->20409 20408->20348 20410 28c873 20409->20410 20410->20408 20411 3047b0 RtlAllocateHeap 20410->20411 20412 28c8d4 20411->20412 20413 223de0 RtlAllocateHeap 20412->20413 20414 28c981 20413->20414 20415 2ff290 std::_Facet_Register RtlAllocateHeap 20414->20415 20416 28c988 20415->20416 20496 2fe09e 20416->20496 20418 28c99b 20504 28de70 20418->20504 20420 28c9ce 20421 28ca12 20420->20421 20422 223de0 RtlAllocateHeap 20420->20422 20421->20348 20422->20421 20424 28755c 20423->20424 20425 287504 20423->20425 20426 
222980 RtlAllocateHeap 20424->20426 20425->20404 20427 287569 20426->20427 20466 227620 20427->20466 20429 287581 Concurrency::cancel_current_task 20429->20404 20431 28764c 20430->20431 20436 287615 Concurrency::cancel_current_task 20430->20436 20432 222980 RtlAllocateHeap 20431->20432 20434 287659 20432->20434 20433 287625 20433->20404 20435 227620 RtlAllocateHeap 20434->20435 20435->20436 20436->20433 20437 222980 RtlAllocateHeap 20436->20437 20438 28768f 20437->20438 20439 227620 RtlAllocateHeap 20438->20439 20440 2876a7 Concurrency::cancel_current_task 20439->20440 20440->20404 20442 28e741 20441->20442 20443 28e734 20441->20443 20444 28e7e0 20442->20444 20445 28e756 20442->20445 20446 28c030 RtlAllocateHeap 20443->20446 20447 222980 RtlAllocateHeap 20444->20447 20448 222ae0 RtlAllocateHeap 20445->20448 20446->20442 20450 28e7f0 20447->20450 20449 28e788 20448->20449 20481 291a00 20449->20481 20453 227820 RtlAllocateHeap 20450->20453 20452 28e79a Concurrency::cancel_current_task 20454 28e7c2 20452->20454 20455 3047b0 RtlAllocateHeap 20452->20455 20453->20452 20454->20404 20456 28e830 20455->20456 20458 28e8bc 20457->20458 20459 28e88e 20457->20459 20462 222980 RtlAllocateHeap 20458->20462 20460 28e8a9 20459->20460 20461 28a350 RtlAllocateHeap 20459->20461 20460->20404 20461->20460 20463 28e8ca 20462->20463 20464 227820 RtlAllocateHeap 20463->20464 20465 28e8f4 Concurrency::cancel_current_task 20464->20465 20465->20404 20467 2ff290 std::_Facet_Register RtlAllocateHeap 20466->20467 20468 227656 20467->20468 20469 226c60 RtlAllocateHeap 20468->20469 20470 2276a5 20469->20470 20471 28a4f0 RtlAllocateHeap 20470->20471 20472 2276b6 20471->20472 20473 22780b 20472->20473 20477 227770 20472->20477 20474 3047b0 RtlAllocateHeap 20473->20474 20476 2277b9 20474->20476 20475 300651 ___std_exception_copy RtlAllocateHeap 20475->20476 20478 3047b0 RtlAllocateHeap 20476->20478 20479 2277ef 20476->20479 20477->20475 20480 227815 20478->20480 20479->20429 20482 291a30 
20481->20482 20483 291b2a 20482->20483 20484 291a76 20482->20484 20492 291af5 20482->20492 20493 226c10 20483->20493 20486 2ff290 std::_Facet_Register RtlAllocateHeap 20484->20486 20487 291a93 20486->20487 20489 28c030 RtlAllocateHeap 20487->20489 20489->20492 20490 2ff290 std::_Facet_Register RtlAllocateHeap 20491 291b4e 20490->20491 20491->20452 20492->20452 20494 2fd6e9 std::_Xinvalid_argument RtlAllocateHeap 20493->20494 20495 226c1a 20494->20495 20495->20490 20497 2fe0aa __EH_prolog3 std::_Lockit::_Lockit 20496->20497 20503 2fe0e6 std::_Lockit::~_Lockit std::locale::_Init 20497->20503 20518 2fe203 20497->20518 20499 2fe0c8 20524 2fe226 20499->20524 20502 289dc0 std::locale::_Locimp::_Locimp RtlAllocateHeap 20502->20503 20503->20418 20506 28de98 std::_Lockit::~_Lockit std::_Lockit::_Lockit 20504->20506 20505 28df28 std::_Lockit::~_Lockit 20505->20420 20506->20505 20537 2239f0 20506->20537 20508 28df38 20509 28df7b 20508->20509 20510 28df40 20508->20510 20565 223780 20509->20565 20511 2fe06c std::_Facet_Register RtlAllocateHeap 20510->20511 20511->20505 20519 2ff290 std::_Facet_Register RtlAllocateHeap 20518->20519 20520 2fe20e 20519->20520 20521 2fe222 20520->20521 20528 2fdf86 20520->20528 20521->20499 20525 2fe0d0 20524->20525 20526 2fe232 20524->20526 20525->20502 20531 2fef90 20526->20531 20529 289dc0 std::locale::_Locimp::_Locimp RtlAllocateHeap 20528->20529 20530 2fdfc0 20529->20530 20530->20499 20532 2fefa0 std::locale::_Setgloballocale 20531->20532 20532->20525 20533 31c7c6 std::locale::_Setgloballocale RtlAllocateHeap 20532->20533 20536 310269 std::locale::_Setgloballocale 20532->20536 20533->20536 20534 30f224 std::locale::_Setgloballocale RtlAllocateHeap 20535 31029c 20534->20535 20536->20534 20538 223a19 20537->20538 20564 223b6e std::_Lockit::~_Lockit 20537->20564 20539 2ff290 std::_Facet_Register RtlAllocateHeap 20538->20539 20538->20564 20540 223a29 std::_Lockit::_Lockit 20539->20540 20541 223b96 20540->20541 20542 223a9f 20540->20542 20544 
2fd749 RtlAllocateHeap 20541->20544 20543 2fe19e std::_Locinfo::_Locinfo_ctor 2 API calls 20542->20543 20545 223aa9 20543->20545 20546 223ba0 20544->20546 20585 2fe84e 20545->20585 20597 2fe8b9 20546->20597 20551 2fe1e9 std::_Locinfo::_Locinfo_dtor 2 API calls 20552 223aeb 20551->20552 20553 223afb 20552->20553 20554 30d7d6 __freea RtlAllocateHeap 20552->20554 20555 223b12 20553->20555 20557 30d7d6 __freea RtlAllocateHeap 20553->20557 20554->20553 20556 223b29 20555->20556 20558 30d7d6 __freea RtlAllocateHeap 20555->20558 20559 223b40 20556->20559 20560 30d7d6 __freea RtlAllocateHeap 20556->20560 20557->20555 20558->20556 20561 223b57 20559->20561 20562 30d7d6 __freea RtlAllocateHeap 20559->20562 20560->20559 20563 30d7d6 __freea RtlAllocateHeap 20561->20563 20561->20564 20562->20561 20563->20564 20564->20508 20566 22378e Concurrency::cancel_current_task 20565->20566 20567 300651 ___std_exception_copy RtlAllocateHeap 20566->20567 20568 2237c3 20567->20568 20569 2fd803 20568->20569 20570 30f7be __Getctype RtlAllocateHeap 20569->20570 20571 28dfad 20570->20571 20572 28dfd0 20571->20572 20573 28dfb7 20572->20573 20574 28e026 20572->20574 20573->20420 20575 28e02d 20574->20575 20576 28e096 20574->20576 20578 28e09b 20575->20578 20580 28e041 20575->20580 20651 223410 20576->20651 20657 2243e0 20578->20657 20581 28cf60 RtlAllocateHeap 20580->20581 20584 28e048 20580->20584 20581->20584 20582 2243e0 RtlAllocateHeap 20583 28e0a9 20582->20583 20584->20573 20584->20582 20609 30f7be 20585->20609 20587 2fe857 __Getctype 20588 2fe88f 20587->20588 20589 2fe871 20587->20589 20591 31029d __Getctype RtlAllocateHeap 20588->20591 20590 31029d __Getctype RtlAllocateHeap 20589->20590 20592 2fe878 20590->20592 20591->20592 20614 30f808 20592->20614 20595 223abf 20595->20551 20598 2fe8c8 20597->20598 20601 2fe8d5 20597->20601 20599 30f808 __Getctype RtlAllocateHeap 20598->20599 20600 2fe8cd 20599->20600 20602 30f7be __Getctype RtlAllocateHeap 20600->20602 20604 223bc1 20601->20604 20605 
2fe921 20601->20605 20607 2fe916 20601->20607 20632 304410 20601->20632 20602->20601 20604->20508 20605->20604 20641 2fecff 20605->20641 20606 31029d __Getctype RtlAllocateHeap 20606->20605 20607->20604 20607->20605 20607->20606 20610 315bdb __Getctype RtlAllocateHeap 20609->20610 20611 30f7c9 20610->20611 20612 315ec6 __Getctype RtlAllocateHeap 20611->20612 20613 30f7d9 20612->20613 20613->20587 20615 315bdb __Getctype RtlAllocateHeap 20614->20615 20616 30f813 20615->20616 20617 315ec6 __Getctype RtlAllocateHeap 20616->20617 20618 2fe8a0 20617->20618 20618->20595 20619 3102c1 20618->20619 20620 3102ce ___std_exception_copy 20619->20620 20622 310302 __Getctype 20619->20622 20620->20622 20623 31a092 20620->20623 20622->20595 20624 31a0a0 20623->20624 20625 31a0ae 20623->20625 20624->20625 20627 31a0c8 20624->20627 20626 30d23f __dosmaperr RtlAllocateHeap 20625->20626 20631 31a0b8 20626->20631 20629 31a0c2 20627->20629 20630 30d23f __dosmaperr RtlAllocateHeap 20627->20630 20628 3047a0 __fread_nolock RtlAllocateHeap 20628->20629 20629->20622 20630->20631 20631->20628 20633 304441 20632->20633 20634 304427 20632->20634 20635 315bdb __Getctype RtlAllocateHeap 20633->20635 20634->20607 20636 304446 20635->20636 20637 315ec6 __Getctype RtlAllocateHeap 20636->20637 20638 304456 20637->20638 20638->20634 20639 3157d2 2 API calls 20638->20639 20640 304483 20639->20640 20640->20607 20646 2fed19 std::_Locinfo::_Locinfo_ctor ___std_exception_copy 20641->20646 20642 2feeb7 _ValidateLocalCookies 20642->20604 20643 2fece6 RtlAllocateHeap 20643->20642 20644 2fedea 20644->20643 20646->20642 20646->20644 20647 2fece6 20646->20647 20648 2fecfd 20647->20648 20649 2fecec 20647->20649 20648->20644 20649->20648 20650 30d7d6 __freea RtlAllocateHeap 20649->20650 20650->20648 20652 22341e 20651->20652 20661 223370 20652->20661 20654 22342b Concurrency::cancel_current_task 20655 300651 ___std_exception_copy RtlAllocateHeap 20654->20655 20656 223464 20655->20656 20656->20578 20658 2243f0 
20657->20658 20659 223370 RtlAllocateHeap 20658->20659 20660 2243fd Concurrency::cancel_current_task 20659->20660 20662 223190 RtlAllocateHeap 20661->20662 20664 2233be 20662->20664 20663 2233e4 20663->20654 20664->20663 20665 3047b0 RtlAllocateHeap 20664->20665 20666 22340c 20665->20666 20667 223370 RtlAllocateHeap 20666->20667 20668 22342b Concurrency::cancel_current_task 20667->20668 20669 300651 ___std_exception_copy RtlAllocateHeap 20668->20669 20670 223464 20669->20670 20670->20654 20723 4be0144 20724 4be0151 20723->20724 20725 4be0167 GetCurrentHwProfileW 20724->20725 20726 4be0160 GetCurrentHwProfileW 20725->20726 20728 4be0214 20726->20728 20016 4be0000 20017 4be001c 20016->20017 20018 4be0103 2 API calls 20017->20018 20019 4be00f7 20018->20019 20020 4be0167 GetCurrentHwProfileW 20019->20020 20021 4be0160 GetCurrentHwProfileW 20020->20021 20023 4be0214 20021->20023

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00283DB6), ref: 00283B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00283DB6), ref: 00283BBA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: c48ebb536889ffc06822d6d7de18641272100b2fe5f2821103d8f3fdcf9d6751
                                  • Instruction ID: 846ee1bd7b1c16da99e592af9241a5c266f4264b1dd9a9f6fe825da95d4745a3
                                  • Opcode Fuzzy Hash: c48ebb536889ffc06822d6d7de18641272100b2fe5f2821103d8f3fdcf9d6751
                                  • Instruction Fuzzy Hash: EC51CC39A152168FCB28DF58C4D0EA9B3B1FF44B08F284599D845AF392D731EE16CB80

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 8c76401eaa658f031ddc59ecedf3e4b7a25d2cd5a165d4f9f05e29dd6c89aa47
                                  • Instruction ID: aaf35fe4c3da819b3218d2bf218a879c007f468a940f234f788848a109d45653
                                  • Opcode Fuzzy Hash: 8c76401eaa658f031ddc59ecedf3e4b7a25d2cd5a165d4f9f05e29dd6c89aa47
                                  • Instruction Fuzzy Hash: AE31D2B26053116BDB209F28DC4872BB7E4EB85734F110B1DF9E8A32D0D3359D188AA2

                                  Control-flow Graph

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022220E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID: `
                                  • API String ID: 0-2679148245

                                  Control-flow Graph

                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: `
                                  • API String ID: 2104809126-2679148245

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 304942)
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O0
                                  • API String ID: 0-2750300066

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 314623, ReadFile call at block 3148e3)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 22a210)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 31549c, WriteFile call at block 315609)
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00309087,?,00000000,00000000,00000000,?,00000000,?,0022A3EB,00309087,00000000,0022A3EB,?,?), ref: 00315621
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 4be0167)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 4be0103)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 4be0144)
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 4be014d)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  • Graph data omitted (interactive rendering; entry block 290560)
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 002906AE
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0

                                  Control-flow Graph (graph image not reproduced; the recoverable block layout is listed here, with blocks marked Executed or Not Executed in the original rendering)
                                  • 4be0194-4be01ef, 4be01f4-4be01f5, 4be01f7-4be01f9, 4be01fb-4be01fd: entry blocks, all converging on 4be01ff
                                  • 4be01ff-4be0204: calls GetCurrentHwProfileW, then falls into 4be0214-4be02aa
                                  • 4be02c2-4be031a: calls 4be0329; loops with 4be02b4-4be02c1, exits to 4be031c-4be0327
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 5a8425bb488e4c3cedbbd81b49f29e92e20392cd1b01e0a3110b27fdf221dcd8
                                  • Instruction ID: 80c0e7bebade4de3605ba16987b4901dca4cb9807a9737dad6c131e730efc2f2
                                  • Opcode Fuzzy Hash: 5a8425bb488e4c3cedbbd81b49f29e92e20392cd1b01e0a3110b27fdf221dcd8
                                  • Instruction Fuzzy Hash: D921F8EB60C1307D7A01E443AB90AFA57ADE6CA730730859BF407C5506F3D56A8A6031
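The four GetCurrentHwProfileW blocks here all come from the dump at 04BE0000, which the report marks as not PE-backed and whose file name carries protection 0x40 (PAGE_EXECUTE_READWRITE) and type 0x20000 (MEM_PRIVATE). Executable private memory with no image behind it is where unpacked or injected code sits, so it is the dump an analyst opens first. The Python script below is an added example, not part of the Joe Sandbox report or its tooling: it parses the report's "Source File" lines into regions and ranks the ones matching that profile. The mapping of the dump-name fields onto VirtualQuery's Protect and Type values is an assumption made for the example; it fits the two region names on this page but is not documented here, so check it against your own reports.

```python
"""Rank Joe Sandbox memory dumps by how likely they hold unpacked/injected code.

Added example; not part of the report. A dump name such as
  00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp
is ASSUMED to encode: process id . stage . dump id . base address . Protect . (flags) .
Type . (extra), with Protect and Type as in MEMORY_BASIC_INFORMATION. Verify that
layout before relying on it.
"""
import re
from dataclasses import dataclass

# Win32 constants from MEMORY_BASIC_INFORMATION (these values are documented by Microsoft).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000

SDMP_RE = re.compile(
    r"^(?P<pid>[0-9A-Fa-f]{8})\.(?P<stage>[0-9A-Fa-f]{8})\.(?P<dump>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<flags>[0-9A-Fa-f]{8})\."
    r"(?P<type>[0-9A-Fa-f]{8})\.(?P<extra>[0-9A-Fa-f]{8})\.sdmp$"
)


@dataclass(frozen=True)
class DumpRegion:
    pid: int
    base: int
    protect: int
    mem_type: int
    pe_backed: bool


def parse_source_line(line: str) -> DumpRegion:
    """Parse one '• Source File: <name>.sdmp, Offset: ..., based on PE: true|false' line."""
    m = re.search(r"Source File:\s*(\S+\.sdmp).*?based on PE:\s*(true|false)", line)
    if not m:
        raise ValueError(f"not a Source File line: {line!r}")
    f = SDMP_RE.match(m.group(1))
    if not f:
        raise ValueError(f"unexpected dump name: {m.group(1)}")
    return DumpRegion(
        pid=int(f["pid"], 16),
        base=int(f["base"], 16),
        protect=int(f["protect"], 16),
        mem_type=int(f["type"], 16),
        pe_backed=(m.group(2) == "true"),
    )


def is_suspicious_region(r: DumpRegion) -> bool:
    """RWX, MEM_PRIVATE memory with no PE image behind it: the usual footprint of
    code that was unpacked at runtime or injected, rather than loaded from disk."""
    return bool(
        r.protect == PAGE_EXECUTE_READWRITE
        and r.mem_type & MEM_PRIVATE
        and not r.mem_type & MEM_IMAGE
        and not r.pe_backed
    )


def triage(report_lines):
    """Return (region, reference count) pairs for suspicious regions, most-referenced first.
    A region that many analysed functions point at is the one to disassemble first."""
    counts = {}
    for line in report_lines:
        if "Source File:" not in line:
            continue
        r = parse_source_line(line)
        if is_suspicious_region(r):
            counts[r] = counts.get(r, 0) + 1
    return sorted(counts.items(), key=lambda kv: -kv[1])


# Constructed input: three Source File lines copied from this report.
SAMPLE_LINES = [
    "• Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false",
    "• Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true",
    "• Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false",
]

if __name__ == "__main__":
    for region, n in triage(SAMPLE_LINES):
        print(f"pid {region.pid}: RWX private region at {region.base:#x}, referenced {n} times")
```

Feed it the whole report text (one line per entry) rather than the excerpt to get a ranking across every dumped region; the main image at 00220000 is also mapped RWX here, but it is MEM_IMAGE and PE-backed, so the filter correctly leaves it out.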
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 903f3ea0eb584a98c996988e557482d5f1dbf3e68354f70e285e5cbbee3c0593
                                  • Instruction ID: bb7f732c2d6ba25ea8285c6221c266b19d9fc8c915874c8f2c50119f41088e75
                                  • Opcode Fuzzy Hash: 903f3ea0eb584a98c996988e557482d5f1dbf3e68354f70e285e5cbbee3c0593
                                  • Instruction Fuzzy Hash: 5B21D7FB60C1317D7641E042AB90AFA57AEE6CA73073085ABF807D5507F3D56E896071
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 80177f990a6084f336a8dcf750d560eacdcb1cb07c9acd7c0973cb2f9aa7c293
                                  • Instruction ID: 5a093b0ce06e4a2704f89b235c0d8a34c7193b41f8b8b94cf7447cff097387d8
                                  • Opcode Fuzzy Hash: 80177f990a6084f336a8dcf750d560eacdcb1cb07c9acd7c0973cb2f9aa7c293
                                  • Instruction Fuzzy Hash: 1A1129AB70C1306DAA41F193A7906FA2BEDD7DA73073089E7E407C9507F3D56A892031
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE01FF
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4119527691.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_4be0000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ff15d8ad6ec721dfb1abc20ba35c57cb8a1d6d502e1a95cb2092ac7e30783774
                                  • Instruction ID: 9b7ed1a8cf972988ae0a6ec1cfcf1ae206745f03e7406ce149939d0f68b7aa9a
                                  • Opcode Fuzzy Hash: ff15d8ad6ec721dfb1abc20ba35c57cb8a1d6d502e1a95cb2092ac7e30783774
                                  • Instruction Fuzzy Hash: 200149EB70C1306DAA42B0539A846FA1BADD7DA730B304996E40785503F3D57E852471
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003149F9,00000000,CF830579,00351140,0000000C,00314AB5,00308BBD,?), ref: 00314B68
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: b3aa3f07f189473ee2a180f8edf222e22b62106be0e742c759fc86bd7f61838b
                                  • Instruction ID: dbae4278f7d4d4c3673a9bf33609c4219558eff71a1128b544e49e76efcc49ac
                                  • Opcode Fuzzy Hash: b3aa3f07f189473ee2a180f8edf222e22b62106be0e742c759fc86bd7f61838b
                                  • Instruction Fuzzy Hash: 8611483264911416D62F22746C02FFE6B998B8E775F3A8249F8889B1D2EE60E8C14295
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00350DF8,0022A3EB,00000002,0022A3EB,00000000,?,?,?,0030E166,00000000,?,0022A3EB,00000002,00350DF8), ref: 0030E098
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 94b07340c25b3b508a635ea21005d3fee66eec0f6c05d3eb58db2ec087f411cb
                                  • Instruction ID: 3cd1fa9094af53aa60056ecc96dc52291a82c0780220770a4a8f366552c8c555
                                  • Opcode Fuzzy Hash: 94b07340c25b3b508a635ea21005d3fee66eec0f6c05d3eb58db2ec087f411cb
                                  • Instruction Fuzzy Hash: AE014932711105AFCF169F5ACC11C9E3B69DB81334F250248F8909B2D1EAB1ED418BD0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,003091F7,00000000,?,00315D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0030D244,003089C3,003091F7,00000000), ref: 00316434
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: faf66a4cec5286b6318975abbe6052cae69d23731e0576caf6ac0a43bb822310
                                  • Instruction ID: 3d3a34c0fd0f1280ada0400a5900162ee3773fcc191f02bc06abaa63e1ddb0dc
                                  • Opcode Fuzzy Hash: faf66a4cec5286b6318975abbe6052cae69d23731e0576caf6ac0a43bb822310
                                  • Instruction Fuzzy Hash: A1F0B43250522467DB2B6BE39C03BDA3B8C9F49760B268025A804AA590CF20EC8186E1
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 002934B4
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 004e3c030bac6900f95d76ad2c7de421effcc3f162b0ab6b557a499adc87367b
                                  • Instruction ID: c343b50dce8ab253c4b56dedb7556423beb5945c45a76d9b94ea362ec13b9317
                                  • Opcode Fuzzy Hash: 004e3c030bac6900f95d76ad2c7de421effcc3f162b0ab6b557a499adc87367b
                                  • Instruction Fuzzy Hash: 6BF027B602010D0EEF19EBF0A51696FB3D88E50390B01443AF919CB653EB2AEAB8C555
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0031D635,4D88C033,?,0031D635,00000220,?,003157EF,4D88C033), ref: 00316E60
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: f1af0a3a61052c6efc4f1c5bb2d39bf6101b4a19208d4edb17e0049a7d701f56
                                  • Instruction ID: 7364399333abbc1d2bf84f2982510842ef5cd810fb5caed085f94f780bf5ab7b
                                  • Opcode Fuzzy Hash: f1af0a3a61052c6efc4f1c5bb2d39bf6101b4a19208d4edb17e0049a7d701f56
                                  • Instruction Fuzzy Hash: 87E0ED3910162166DE3B22E5EF12BDB768CCF8A3A1F060720BC049A4D0CB20C88081F8
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 0e15362745e9895f8ab240e5826507b9ac65b879297298c3367d227b04ef3e85
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 3C024B71E012199BDF15CFA8C890AAEFBF1FF48314F258269D959E7380DB31A941CB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0028F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0028F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0028FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"4
                                  • API String ID: 3375549084-3434465823
                                  • Opcode ID: 71fba6ae293065c26d60798ac707a56392d14a75954feca8c2b23fbb2cbb4de1
                                  • Instruction ID: 18db57f2bd5518f666affe7b4f0954cc542d08fb880fb98e6cca806cae104b0f
                                  • Opcode Fuzzy Hash: 71fba6ae293065c26d60798ac707a56392d14a75954feca8c2b23fbb2cbb4de1
                                  • Instruction Fuzzy Hash: 5461DFB5D212099FEF11EFA4D945BAEBBF4AF14750F140078E804AB391EB70E914CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3"$@3"$G>"$G>"$`!"$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-956037866
                                  • Opcode ID: a1fe4e812b8e86c6d114c96cb5ad3332a1beff58a750652e6eae57fc1b7f87a2
                                  • Instruction ID: 986d62206dc3efda9b4777cd9f4f06cdcfb15efe0b8aa0efb497171fb41f4d6a
                                  • Opcode Fuzzy Hash: a1fe4e812b8e86c6d114c96cb5ad3332a1beff58a750652e6eae57fc1b7f87a2
                                  • Instruction Fuzzy Hash: DE41F8B6910218AFCB04DF98D841BEEB7F8EF49710F14852AF915E7741E774AA14CBA0
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00302E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00302E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00302ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00302F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00302F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000007.00000002.4112190733.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4113799274.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114042787.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114084490.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114695578.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000007.00000002.4114965276.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i5$csm
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223E7F
                                  • API ID: ___std_exception_copy
                                  • String ID: @3"$@3"$`!"$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00224F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00224FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002250C8
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3"$`!"$recursive_directory_iterator::operator++
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227B75
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$out_of_range$type_error
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002232C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00223350
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4"$@3"$`!"$`!"
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00223A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00223AA4
                                  • __Getctype.LIBCPMT ref: 00223ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00223AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00223B7B
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0028DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0028DF7B
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227340
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$parse error$parse_error
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 002275BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 002275CD
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!"
                                  APIs
                                    • Part of subcall function 00223190: ___std_exception_copy.LIBVCRUNTIME ref: 002232C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022345F
                                  • API ID: ___std_exception_copy
                                  • String ID: +4"$@3"$@3"$`!"
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022345F
                                  • API ID: ___std_exception_copy
                                  • String ID: +4"$@3"$@3"$`!"
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00226F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00226F20
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!"
                                  • API String ID: 4194217158-420608075
                                  • Opcode ID: 471a0a8a1c272b6679b0abf4be0f88dd43bab17b3e691e82889d128d9e07e211
                                  • Instruction ID: 8f14c163d8835d78a84180a1d1423fd15f9dac5543cb5e01b9405dc96e774017
                                  • Opcode Fuzzy Hash: 471a0a8a1c272b6679b0abf4be0f88dd43bab17b3e691e82889d128d9e07e211
                                  • Instruction Fuzzy Hash: 39910771A10208AFDB18CFA8D988B9EFBF6FF45300F20856DE415AB792D771A951CB50
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00222275
                                    • Part of subcall function 002FD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 002FD6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L5$L5
                                  • API String ID: 1997705970-1140454669
                                  • Opcode ID: d94d1c15d1a66b5b0bf520cb64902a36cd69095d3af785b71fc7813d7feaddf0
                                  • Instruction ID: 5cacd00fe4389ce65c05a25c450b1b729eff51fe102f69f3c70f23506ec5785d
                                  • Opcode Fuzzy Hash: d94d1c15d1a66b5b0bf520cb64902a36cd69095d3af785b71fc7813d7feaddf0
                                  • Instruction Fuzzy Hash: 1E816535A14295FFCB06CFA8D450BEDBFB5EF5A300F1841AAC894A7342C3768559CBA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002277B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$invalid_iterator
                                  • API String ID: 2659868963-1673871702
                                  • Opcode ID: ccb096bec8da88c106f77c3f486662282cf30bb80f81ea9d879bd81075e8a9bf
                                  • Instruction ID: dd387d85dee1a9859ed81ce90c4265556f528f5f52ff579137c5f7e5a704497b
                                  • Opcode Fuzzy Hash: ccb096bec8da88c106f77c3f486662282cf30bb80f81ea9d879bd81075e8a9bf
                                  • Instruction Fuzzy Hash: 555168B49042089FDB09CFA8E99479DFBF5FF49300F148669E419EB791E774A980CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$other_error
                                  • API String ID: 2659868963-3199201282
                                  • Opcode ID: 17eebf203d6030155c347d50f0291e1ac3aa68219c72c3ed550d4aa9e0d19f14
                                  • Instruction ID: 0ee71784a0b786b9b5d724684520ee3120ca85e69f4cb07922fad4009ed80f6f
                                  • Opcode Fuzzy Hash: 17eebf203d6030155c347d50f0291e1ac3aa68219c72c3ed550d4aa9e0d19f14
                                  • Instruction Fuzzy Hash: 165179B09142489FDB08CFA8E8847ADFBF5BF49300F148669E419EB781E774A980CB50
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0028D06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0028D096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: c886cba7ef34ed4228f1c193cedb79fe3252122ec382d1db4ccb85de395db2b2
                                  • Instruction ID: d379381fc1f5333b32ac03d168196148b142be1afa0a52b2a4e9f2b3a98f55c9
                                  • Opcode Fuzzy Hash: c886cba7ef34ed4228f1c193cedb79fe3252122ec382d1db4ccb85de395db2b2
                                  • Instruction Fuzzy Hash: EE01A8B6500615AFC709DF59D545982FBF8FB45710710853BA529CBB10D7B0E528CFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0029B3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0029B406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: 4ed869cd28622bbe04335a28791b862d9e8429a9bd1df1d0924bad16bca0d694
                                  • Instruction ID: bd724b32999c924496ba743e8e350f03ab66022f47ad07c0342fa7268dc48b55
                                  • Opcode Fuzzy Hash: 4ed869cd28622bbe04335a28791b862d9e8429a9bd1df1d0924bad16bca0d694
                                  • Instruction Fuzzy Hash: DBF0C4BA50061AAFC70ADF58D505986FBF8FA45710711853BE52ACBB00E7B0E528CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0029B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px)$invalid hash bucket count
                                  • API String ID: 909987262-2882725661
                                  • Opcode ID: bc1779a20507995047b1f04cf97864b136526bed1ea292dd695f1395653cb32b
                                  • Instruction ID: 1d0d4d6c25f1d13771709ff56b2ce79c70110adcc62f35d9fb36ab0c997405bb
                                  • Opcode Fuzzy Hash: bc1779a20507995047b1f04cf97864b136526bed1ea292dd695f1395653cb32b
                                  • Instruction Fuzzy Hash: C67110B4A10609DFCB15CF49D28086AFBF9FF88300764C5AAD8599B355D731EA61CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0029E491
                                  Strings
                                  • type must be boolean, but is , xrefs: 0029E582
                                  • type must be string, but is , xrefs: 0029E4F8
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 4973d79152d5a37eb04f31c3fddb097e915a87e1c9a59012b12a41f86b9b92e3
                                  • Instruction ID: b4659b11eadb704cd7ac288c66c27dd43deebaa412c11008431f9dafdaff37d7
                                  • Opcode Fuzzy Hash: 4973d79152d5a37eb04f31c3fddb097e915a87e1c9a59012b12a41f86b9b92e3
                                  • Instruction Fuzzy Hash: 87417AB5910248AFCF15EBA4E812B9EB7A8DB10300F144678F815D76C2EB35A964CB92
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.4113799274.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: 5598f2895bf776948ad46e180210ecdefcbfe18d5f2ea42864490af7bc983e19
                                  • Instruction ID: e8dfa3865ee76a8725314a5707e52fbdc186ffbbf71bae73a93a11b7ae5cb687
                                  • Opcode Fuzzy Hash: 5598f2895bf776948ad46e180210ecdefcbfe18d5f2ea42864490af7bc983e19
                                  • Instruction Fuzzy Hash: A9E0EDB69012189FC711DFA8990598AFBF8AB19701F1086BAE948DB200F6B195548BD1

                                  Execution Graph

                                  Execution Coverage:3%
                                  Dynamic/Decrypted Code Coverage:3.2%
                                  Signature Coverage:0%
                                  Total number of Nodes:682
                                  Total number of Limit Nodes:75
19337->19328 19339 3044e8 19338->19339 19340 3044ff 19339->19340 19359 304587 19339->19359 19342 304512 19340->19342 19343 304587 ___std_exception_copy RtlAllocateHeap 19340->19343 19342->19208 19343->19342 19345 304550 19344->19345 19348 315ddd 19345->19348 19349 315df0 __dosmaperr 19348->19349 19350 304572 19349->19350 19351 3163f3 __dosmaperr RtlAllocateHeap 19349->19351 19350->19335 19352 315e20 __dosmaperr 19351->19352 19353 315e5c 19352->19353 19354 315e28 __dosmaperr 19352->19354 19356 315a09 __dosmaperr RtlAllocateHeap 19353->19356 19355 316db3 __freea RtlAllocateHeap 19354->19355 19355->19350 19357 315e67 19356->19357 19358 316db3 __freea RtlAllocateHeap 19357->19358 19358->19350 19360 304591 19359->19360 19361 30459a 19359->19361 19362 304541 ___std_exception_copy RtlAllocateHeap 19360->19362 19361->19340 19363 304596 19362->19363 19363->19361 19366 310259 19363->19366 19367 31025e std::locale::_Setgloballocale 19366->19367 19371 310269 std::locale::_Setgloballocale 19367->19371 19372 31c7c6 19367->19372 19393 30f224 19371->19393 19376 31c7d2 __fread_nolock 19372->19376 19373 315d2c __dosmaperr RtlAllocateHeap 19378 31c803 std::locale::_Setgloballocale 19373->19378 19374 31c822 19375 30d23f __dosmaperr RtlAllocateHeap 19374->19375 19377 31c827 19375->19377 19376->19373 19376->19374 19376->19378 19380 31c834 std::_Lockit::_Lockit std::locale::_Setgloballocale 19376->19380 19379 3047a0 ___std_exception_copy RtlAllocateHeap 19377->19379 19378->19374 19378->19380 19392 31c80c 19378->19392 19379->19392 19381 31c9a4 std::_Lockit::~_Lockit 19380->19381 19382 31c8a7 19380->19382 19384 31c8d5 std::locale::_Setgloballocale 19380->19384 19383 30f224 std::locale::_Setgloballocale RtlAllocateHeap 19381->19383 19382->19384 19396 315bdb 19382->19396 19385 31c9b7 19383->19385 19388 315bdb __Getctype RtlAllocateHeap 19384->19388 19390 31c92a 19384->19390 19384->19392 19388->19390 19389 315bdb __Getctype RtlAllocateHeap 19389->19384 19391 315bdb __Getctype RtlAllocateHeap 
19390->19391 19390->19392 19391->19392 19392->19371 19410 30f094 19393->19410 19395 30f235 19397 315be4 __dosmaperr 19396->19397 19398 3163f3 __dosmaperr RtlAllocateHeap 19397->19398 19400 315bfb 19397->19400 19402 315c28 __dosmaperr 19398->19402 19399 315c30 __dosmaperr 19406 316db3 __freea RtlAllocateHeap 19399->19406 19401 315c8b 19400->19401 19403 310259 __Getctype RtlAllocateHeap 19400->19403 19401->19389 19402->19399 19404 315c68 19402->19404 19405 315c95 19403->19405 19407 315a09 __dosmaperr RtlAllocateHeap 19404->19407 19406->19400 19408 315c73 19407->19408 19409 316db3 __freea RtlAllocateHeap 19408->19409 19409->19400 19411 30f0c1 std::locale::_Setgloballocale 19410->19411 19412 30ef23 std::locale::_Setgloballocale RtlAllocateHeap 19411->19412 19413 30f10a std::locale::_Setgloballocale 19412->19413 19413->19395 19428 2fd6e9 19414->19428 19425 2221de Concurrency::cancel_current_task 19424->19425 19426 300651 ___std_exception_copy RtlAllocateHeap 19425->19426 19427 222213 19426->19427 19427->19156 19431 2fd4af 19428->19431 19430 2fd6fa Concurrency::cancel_current_task 19434 223010 19431->19434 19435 300651 ___std_exception_copy RtlAllocateHeap 19434->19435 19436 22303d 19435->19436 19436->19430 19439 3052ac __fread_nolock 19437->19439 19438 3052b3 19440 30d23f __dosmaperr RtlAllocateHeap 19438->19440 19439->19438 19442 3052d3 19439->19442 19441 3052b8 19440->19441 19443 3047a0 ___std_exception_copy RtlAllocateHeap 19441->19443 19444 3052e5 19442->19444 19445 3052d8 19442->19445 19450 3052c3 19443->19450 19451 316688 19444->19451 19446 30d23f __dosmaperr RtlAllocateHeap 19445->19446 19446->19450 19448 3052ee 19449 30d23f __dosmaperr RtlAllocateHeap 19448->19449 19448->19450 19449->19450 19450->19166 19452 316694 __fread_nolock std::_Lockit::_Lockit 19451->19452 19455 31672c 19452->19455 19454 3166af 19454->19448 19456 31674f __fread_nolock 19455->19456 19457 3163f3 __dosmaperr RtlAllocateHeap 19456->19457 19460 316795 __fread_nolock 19456->19460 19458 3167b0 
19457->19458 19459 316db3 __freea RtlAllocateHeap 19458->19459 19459->19460 19460->19454 19463 308e99 __fread_nolock 19461->19463 19462 308e9f 19464 304723 ___std_exception_copy RtlAllocateHeap 19462->19464 19463->19462 19465 308ee2 __fread_nolock 19463->19465 19467 308eba 19464->19467 19468 309010 19465->19468 19467->19170 19469 309023 19468->19469 19470 309036 19468->19470 19469->19467 19477 308f37 19470->19477 19472 3090e7 19472->19467 19473 309059 19473->19472 19481 3055d3 19473->19481 19478 308f48 19477->19478 19480 308fa0 19477->19480 19478->19480 19490 30e13d 19478->19490 19480->19473 19482 3055ec 19481->19482 19486 305613 19481->19486 19482->19486 19517 315f82 19482->19517 19484 305608 19524 31538b 19484->19524 19487 30e17d 19486->19487 19488 30e05c __fread_nolock 2 API calls 19487->19488 19489 30e196 19488->19489 19489->19472 19491 30e151 ___std_exception_copy 19490->19491 19496 30e05c 19491->19496 19493 30e166 19494 3044dc ___std_exception_copy RtlAllocateHeap 19493->19494 19495 30e175 19494->19495 19495->19480 19501 31a6de 19496->19501 19498 30e06e 19499 30e08a SetFilePointerEx 19498->19499 19500 30e076 __fread_nolock 19498->19500 19499->19500 19500->19493 19502 31a700 19501->19502 19503 31a6eb 19501->19503 19506 30d22c __dosmaperr RtlAllocateHeap 19502->19506 19508 31a725 19502->19508 19514 30d22c 19503->19514 19509 31a730 19506->19509 19507 30d23f __dosmaperr RtlAllocateHeap 19510 31a6f8 19507->19510 19508->19498 19511 30d23f __dosmaperr RtlAllocateHeap 19509->19511 19510->19498 19512 31a738 19511->19512 19513 3047a0 ___std_exception_copy RtlAllocateHeap 19512->19513 19513->19510 19515 315d2c __dosmaperr RtlAllocateHeap 19514->19515 19516 30d231 19515->19516 19516->19507 19518 315fa3 19517->19518 19519 315f8e 19517->19519 19518->19484 19520 30d23f __dosmaperr RtlAllocateHeap 19519->19520 19521 315f93 19520->19521 19522 3047a0 ___std_exception_copy RtlAllocateHeap 19521->19522 19523 315f9e 19522->19523 19523->19484 19526 315397 __fread_nolock 
19524->19526 19525 3153d8 19527 304723 ___std_exception_copy RtlAllocateHeap 19525->19527 19526->19525 19528 31541e 19526->19528 19530 31539f 19526->19530 19527->19530 19528->19530 19531 31549c 19528->19531 19530->19486 19532 3154c4 19531->19532 19544 3154e7 __fread_nolock 19531->19544 19533 3154c8 19532->19533 19535 315523 19532->19535 19534 304723 ___std_exception_copy RtlAllocateHeap 19533->19534 19534->19544 19536 315541 19535->19536 19537 30e17d 2 API calls 19535->19537 19545 314fe1 19536->19545 19537->19536 19540 3155a0 19542 315609 WriteFile 19540->19542 19540->19544 19541 315559 19541->19544 19550 314bb2 19541->19550 19542->19544 19544->19530 19556 320d44 19545->19556 19547 315021 19547->19540 19547->19541 19548 314ff3 19548->19547 19565 309d10 19548->19565 19551 314c1a 19550->19551 19552 309d10 std::_Locinfo::_Locinfo_dtor 2 API calls 19551->19552 19555 314c2b std::_Locinfo::_Locinfo_dtor std::_Locinfo::_Locinfo_ctor 19551->19555 19552->19555 19553 3184be RtlAllocateHeap RtlAllocateHeap 19553->19555 19554 314ee1 _ValidateLocalCookies 19554->19544 19554->19554 19555->19553 19555->19554 19557 320d51 19556->19557 19558 320d5e 19556->19558 19559 30d23f __dosmaperr RtlAllocateHeap 19557->19559 19560 30d23f __dosmaperr RtlAllocateHeap 19558->19560 19562 320d6a 19558->19562 19561 320d56 19559->19561 19563 320d8b 19560->19563 19561->19548 19562->19548 19564 3047a0 ___std_exception_copy RtlAllocateHeap 19563->19564 19564->19561 19566 304587 ___std_exception_copy RtlAllocateHeap 19565->19566 19567 309d20 19566->19567 19572 315ef3 19567->19572 19573 309d3d 19572->19573 19574 315f0a 19572->19574 19576 315f51 19573->19576 19574->19573 19580 31f4f3 19574->19580 19577 315f68 19576->19577 19578 309d4a 19576->19578 19577->19578 19589 31d81e 19577->19589 19578->19547 19581 31f4ff __fread_nolock 19580->19581 19582 315bdb __Getctype RtlAllocateHeap 19581->19582 19584 31f508 std::_Lockit::_Lockit 19582->19584 19583 31f54e 19583->19573 19584->19583 19585 31f574 __Getctype 
RtlAllocateHeap 19584->19585 19586 31f537 __Getctype 19585->19586 19586->19583 19587 310259 __Getctype RtlAllocateHeap 19586->19587 19588 31f573 19587->19588 19590 315bdb __Getctype RtlAllocateHeap 19589->19590 19591 31d823 19590->19591 19592 31d736 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 19591->19592 19593 31d82e 19592->19593 19593->19578 19595 30480d __fread_nolock 19594->19595 19596 304814 19595->19596 19597 304835 __fread_nolock 19595->19597 19598 304723 ___std_exception_copy RtlAllocateHeap 19596->19598 19601 304910 19597->19601 19599 30482d 19598->19599 19599->19176 19604 304942 19601->19604 19603 304922 19603->19599 19605 304951 19604->19605 19606 304979 19604->19606 19608 304723 ___std_exception_copy RtlAllocateHeap 19605->19608 19607 315f82 __fread_nolock RtlAllocateHeap 19606->19607 19609 304982 19607->19609 19615 30496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19608->19615 19617 30e11f 19609->19617 19612 304a2c 19620 304cae 19612->19620 19614 304a43 19614->19615 19628 304ae3 19614->19628 19615->19603 19635 30df37 19617->19635 19619 3049a0 19619->19612 19619->19614 19619->19615 19621 304cbd 19620->19621 19622 315f82 __fread_nolock RtlAllocateHeap 19621->19622 19623 304cd9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19622->19623 19624 30e11f 2 API calls 19623->19624 19627 304ce5 _ValidateLocalCookies 19623->19627 19625 304d39 19624->19625 19626 30e11f 2 API calls 19625->19626 19625->19627 19626->19627 19627->19615 19629 315f82 __fread_nolock RtlAllocateHeap 19628->19629 19630 304af6 19629->19630 19631 30e11f 2 API calls 19630->19631 19634 304b40 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 19630->19634 19632 304b9d 19631->19632 19633 30e11f 2 API calls 19632->19633 19632->19634 19633->19634 19634->19615 19636 30df43 __fread_nolock 19635->19636 19637 30df86 19636->19637 19639 30dfcc 19636->19639 19641 30df4b 19636->19641 19638 304723 ___std_exception_copy RtlAllocateHeap 19637->19638 19638->19641 19640 30e05c __fread_nolock 2 API 
calls 19639->19640 19639->19641 19640->19641 19641->19619 19643 2906a9 19642->19643 19646 290585 19642->19646 19644 222270 RtlAllocateHeap 19643->19644 19645 2906ae 19644->19645 19647 2221d0 Concurrency::cancel_current_task RtlAllocateHeap 19645->19647 19649 2905f0 19646->19649 19650 2905e3 19646->19650 19652 29059a 19646->19652 19655 2905aa __fread_nolock std::_Locinfo::_Locinfo_ctor 19647->19655 19648 2ff290 std::_Facet_Register RtlAllocateHeap 19648->19655 19654 2ff290 std::_Facet_Register RtlAllocateHeap 19649->19654 19649->19655 19650->19645 19650->19652 19651 3047b0 RtlAllocateHeap 19653 2906b8 19651->19653 19652->19648 19654->19655 19655->19651 19656 290667 __fread_nolock std::_Locinfo::_Locinfo_ctor 19655->19656 19656->19183 19658 30dc08 __fread_nolock 19657->19658 19659 30dc52 __fread_nolock 19658->19659 19660 30dc1b __fread_nolock 19658->19660 19665 30dc40 __fread_nolock 19658->19665 19666 30da06 19659->19666 19661 30d23f __dosmaperr RtlAllocateHeap 19660->19661 19663 30dc35 19661->19663 19664 3047a0 ___std_exception_copy RtlAllocateHeap 19663->19664 19664->19665 19665->19186 19668 30da18 __fread_nolock 19666->19668 19672 30da35 19666->19672 19667 30da25 19669 30d23f __dosmaperr RtlAllocateHeap 19667->19669 19668->19667 19668->19672 19675 30da76 __fread_nolock 19668->19675 19670 30da2a 19669->19670 19671 3047a0 ___std_exception_copy RtlAllocateHeap 19670->19671 19671->19672 19672->19665 19673 30dba1 __fread_nolock 19677 30d23f __dosmaperr RtlAllocateHeap 19673->19677 19675->19672 19675->19673 19676 315f82 __fread_nolock RtlAllocateHeap 19675->19676 19679 314623 19675->19679 19738 308a2b 19675->19738 19676->19675 19677->19670 19680 314635 19679->19680 19681 31464d 19679->19681 19682 30d22c __dosmaperr RtlAllocateHeap 19680->19682 19683 31498f 19681->19683 19688 314690 19681->19688 19685 31463a 19682->19685 19684 30d22c __dosmaperr RtlAllocateHeap 19683->19684 19686 314994 19684->19686 19687 30d23f __dosmaperr RtlAllocateHeap 19685->19687 19690 30d23f 
__dosmaperr RtlAllocateHeap 19686->19690 19693 314642 19687->19693 19689 31469b 19688->19689 19688->19693 19697 3146cb 19688->19697 19691 30d22c __dosmaperr RtlAllocateHeap 19689->19691 19692 3146a8 19690->19692 19694 3146a0 19691->19694 19696 3047a0 ___std_exception_copy RtlAllocateHeap 19692->19696 19693->19675 19695 30d23f __dosmaperr RtlAllocateHeap 19694->19695 19695->19692 19696->19693 19698 3146e4 19697->19698 19699 3146f1 19697->19699 19700 31471f 19697->19700 19698->19699 19705 31470d 19698->19705 19701 30d22c __dosmaperr RtlAllocateHeap 19699->19701 19752 316e2d 19700->19752 19703 3146f6 19701->19703 19707 30d23f __dosmaperr RtlAllocateHeap 19703->19707 19704 320d44 __fread_nolock RtlAllocateHeap 19721 31486b 19704->19721 19705->19704 19709 3146fd 19707->19709 19708 316db3 __freea RtlAllocateHeap 19711 314739 19708->19711 19710 3047a0 ___std_exception_copy RtlAllocateHeap 19709->19710 19731 314708 __fread_nolock 19710->19731 19713 316db3 __freea RtlAllocateHeap 19711->19713 19712 3148e3 ReadFile 19714 314957 19712->19714 19715 3148fb 19712->19715 19716 314740 19713->19716 19724 314964 19714->19724 19725 3148b5 19714->19725 19715->19714 19736 3148d4 19715->19736 19717 314765 19716->19717 19718 31474a 19716->19718 19720 30e13d __fread_nolock 2 API calls 19717->19720 19722 30d23f __dosmaperr RtlAllocateHeap 19718->19722 19719 316db3 __freea RtlAllocateHeap 19719->19693 19720->19705 19721->19712 19723 31489b 19721->19723 19726 31474f 19722->19726 19723->19725 19723->19736 19728 30d23f __dosmaperr RtlAllocateHeap 19724->19728 19725->19731 19758 30d1e5 19725->19758 19727 30d22c __dosmaperr RtlAllocateHeap 19726->19727 19727->19731 19732 314969 19728->19732 19729 314920 19763 314335 19729->19763 19730 314937 19730->19731 19773 31417b 19730->19773 19731->19719 19737 30d22c __dosmaperr RtlAllocateHeap 19732->19737 19736->19729 19736->19730 19736->19731 19737->19731 19739 308a3c 19738->19739 19742 308a38 std::_Locinfo::_Locinfo_ctor 19738->19742 19740 308a43 
19739->19740 19744 308a56 __fread_nolock 19739->19744 19741 30d23f __dosmaperr RtlAllocateHeap 19740->19741 19743 308a48 19741->19743 19742->19675 19745 3047a0 ___std_exception_copy RtlAllocateHeap 19743->19745 19744->19742 19746 308a84 19744->19746 19748 308a8d 19744->19748 19745->19742 19747 30d23f __dosmaperr RtlAllocateHeap 19746->19747 19749 308a89 19747->19749 19748->19742 19750 30d23f __dosmaperr RtlAllocateHeap 19748->19750 19751 3047a0 ___std_exception_copy RtlAllocateHeap 19749->19751 19750->19749 19751->19742 19753 316e6b 19752->19753 19757 316e3b __dosmaperr std::_Facet_Register 19752->19757 19754 30d23f __dosmaperr RtlAllocateHeap 19753->19754 19756 314730 19754->19756 19755 316e56 RtlAllocateHeap 19755->19756 19755->19757 19756->19708 19757->19753 19757->19755 19759 30d22c __dosmaperr RtlAllocateHeap 19758->19759 19760 30d1f0 __dosmaperr 19759->19760 19761 30d23f __dosmaperr RtlAllocateHeap 19760->19761 19762 30d203 19761->19762 19762->19731 19777 31402e 19763->19777 19765 31437d 19765->19731 19767 314391 __fread_nolock 19767->19765 19772 30d1e5 __dosmaperr RtlAllocateHeap 19767->19772 19768 3143d7 19768->19767 19771 30e13d __fread_nolock 2 API calls 19768->19771 19769 3143c7 19770 30d23f __dosmaperr RtlAllocateHeap 19769->19770 19770->19765 19771->19767 19772->19765 19774 3141b5 19773->19774 19775 314246 19774->19775 19776 30e13d __fread_nolock 2 API calls 19774->19776 19775->19731 19776->19775 19778 314062 19777->19778 19779 3140ce 19778->19779 19780 30e13d __fread_nolock 2 API calls 19778->19780 19779->19765 19779->19767 19779->19768 19779->19769 19780->19779 19782 308acf __fread_nolock 19781->19782 19783 308ad9 19782->19783 19786 308afc __fread_nolock 19782->19786 19784 304723 ___std_exception_copy RtlAllocateHeap 19783->19784 19785 308af4 19784->19785 19785->19190 19786->19785 19788 308b5a 19786->19788 19789 308b67 19788->19789 19790 308b8a 19788->19790 19791 304723 ___std_exception_copy RtlAllocateHeap 19789->19791 19792 308b82 19790->19792 
19793 3055d3 4 API calls 19790->19793 19791->19792 19792->19785 19794 308ba2 19793->19794 19802 316ded 19794->19802 19797 315f82 __fread_nolock RtlAllocateHeap 19798 308bb6 19797->19798 19806 314a3f 19798->19806 19801 316db3 __freea RtlAllocateHeap 19801->19792 19803 316e04 19802->19803 19805 308baa 19802->19805 19804 316db3 __freea RtlAllocateHeap 19803->19804 19803->19805 19804->19805 19805->19797 19807 308bbd 19806->19807 19808 314a68 19806->19808 19807->19792 19807->19801 19809 314ab7 19808->19809 19811 314a8f 19808->19811 19810 304723 ___std_exception_copy RtlAllocateHeap 19809->19810 19810->19807 19813 3149ae 19811->19813 19814 3149ba __fread_nolock 19813->19814 19816 3149f9 19814->19816 19817 314b12 19814->19817 19816->19807 19818 31a6de __fread_nolock RtlAllocateHeap 19817->19818 19819 314b22 19818->19819 19821 314b5a 19819->19821 19823 31a6de __fread_nolock RtlAllocateHeap 19819->19823 19827 314b28 19819->19827 19822 31a6de __fread_nolock RtlAllocateHeap 19821->19822 19821->19827 19824 314b66 FindCloseChangeNotification 19822->19824 19825 314b51 19823->19825 19824->19827 19826 31a6de __fread_nolock RtlAllocateHeap 19825->19826 19826->19821 19829 31a64d 19827->19829 19828 314b80 __fread_nolock 19828->19816 19830 31a65c 19829->19830 19831 30d23f __dosmaperr RtlAllocateHeap 19830->19831 19834 31a686 19830->19834 19832 31a6c8 19831->19832 19833 30d22c __dosmaperr RtlAllocateHeap 19832->19833 19833->19834 19834->19828 21184 4b707e2 21185 4b707fa GetCurrentHwProfileW 21184->21185 21187 4b70858 21185->21187 19851 30d168 19852 30d17b ___std_exception_copy 19851->19852 19857 30cf4a 19852->19857 19854 30d190 19855 3044dc ___std_exception_copy RtlAllocateHeap 19854->19855 19856 30d19d 19855->19856 19858 30cf58 19857->19858 19863 30cf80 19857->19863 19859 30cf65 19858->19859 19860 30cf87 19858->19860 19858->19863 19861 304723 ___std_exception_copy RtlAllocateHeap 19859->19861 19865 30cea3 19860->19865 19861->19863 19863->19854 19864 30cfbf 19864->19854 19866 30ceaf 
__fread_nolock 19865->19866 19869 30cefe 19866->19869 19868 30ceca 19868->19864 19876 318644 19869->19876 19896 318606 19876->19896 19878 30cf16 19883 30cfc1 19878->19883 19879 318655 19879->19878 19880 316e2d std::_Locinfo::_Locinfo_dtor 2 API calls 19879->19880 19881 3186ae 19880->19881 19882 316db3 __freea RtlAllocateHeap 19881->19882 19882->19878 19884 30cf34 19883->19884 19886 30cfd3 19883->19886 19892 3186ef 19884->19892 19885 30cfe1 19887 304723 ___std_exception_copy RtlAllocateHeap 19885->19887 19886->19884 19886->19885 19891 30d017 std::_Locinfo::_Locinfo_ctor 19886->19891 19887->19884 19888 3055d3 4 API calls 19888->19891 19889 315f82 __fread_nolock RtlAllocateHeap 19889->19891 19890 31538b 4 API calls 19890->19891 19891->19884 19891->19888 19891->19889 19891->19890 19893 30cf40 19892->19893 19894 3186fa 19892->19894 19893->19868 19894->19893 19895 3055d3 4 API calls 19894->19895 19895->19893 19897 318612 19896->19897 19898 31863c 19897->19898 19899 315f82 __fread_nolock RtlAllocateHeap 19897->19899 19898->19879 19900 31862d 19899->19900 19901 320d44 __fread_nolock RtlAllocateHeap 19900->19901 19902 318633 19901->19902 19902->19879 21973 4b70752 21974 4b70755 21973->21974 21976 4b7075c 21973->21976 21974->21976 21978 4b707d3 GetCurrentHwProfileW 21974->21978 21975 4b707b0 GetCurrentHwProfileW 21977 4b707a7 21975->21977 21976->21975 21980 4b70858 21978->21980 19844 283a40 19847 283a55 19844->19847 19845 283b28 GetPEB 19845->19847 19846 283a73 GetPEB 19846->19847 19847->19845 19847->19846 19848 283b9d Sleep 19847->19848 19849 283ae8 Sleep 19847->19849 19850 283bc7 19847->19850 19848->19847 19849->19847

                                  Control-flow Graph (function at 283a40; graph nodes call GetPEB and Sleep; rendered graph not included)
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00283DB6), ref: 00283B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00283DB6), ref: 00283BBA
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 5b0a46ea9cdfacd049f92b825fb4cee0e62af97ad1ee6963ec02ac3e2b40bd7b
                                  • Instruction ID: f890273ac973af59f1212fdc7b768015b94ca05982a0335733a44a02accbf926
                                  • Opcode Fuzzy Hash: 5b0a46ea9cdfacd049f92b825fb4cee0e62af97ad1ee6963ec02ac3e2b40bd7b
                                  • Instruction Fuzzy Hash: 4751CC39A152168FCB28DF58C4D0EA9B3B1FF44B08F28459AD845AF391D731EE15CB80

                                  Control-flow Graph (function at 23e0a0; graph nodes call WSAStartup, socket, connect and closesocket; rendered graph not included)
                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 07cb1ac4c525f5a54b9cfc399f1bbe1c25f7888098408c3acd241ab47776ec21
                                  • Instruction ID: 64aa15dbdec2dd0ce14611932baec1de1b7e020c0b3bb7427cdaee33eaa294e2
                                  • Opcode Fuzzy Hash: 07cb1ac4c525f5a54b9cfc399f1bbe1c25f7888098408c3acd241ab47776ec21
                                  • Instruction Fuzzy Hash: 9831B2B26153116BDB209F68D84872BB7E4EB85734F014F1DF9E8A72D0D3359D188BA2

                                  Control-flow Graph (function at 2ff290; rendered graph not included)
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022220E
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: 36ec796986fb541a9252a135b842b418aa9656e4c26b8627fbc9e1bbf839fe65
                                  • Instruction ID: 711bbf83e50ea414fc4eef3d085cc69a644d0c00beb8b0452bddc74780f95ce5
                                  • Opcode Fuzzy Hash: 36ec796986fb541a9252a135b842b418aa9656e4c26b8627fbc9e1bbf839fe65
                                  • Instruction Fuzzy Hash: E101A77551030DBBCB19AFA8E8119A9B7ACDE00350B508435FF18DB591E770E9648791

                                  Control-flow Graph

                                  control_flow_graph 39 304942-30494f 40 304951-304974 call 304723 39->40 41 304979-30498d call 315f82 39->41 46 304ae0-304ae2 40->46 47 304992-30499b call 30e11f 41->47 48 30498f 41->48 50 3049a0-3049af 47->50 48->47 51 3049b1 50->51 52 3049bf-3049c8 50->52 53 3049b7-3049b9 51->53 54 304a89-304a8e 51->54 55 3049ca-3049d7 52->55 56 3049dc-304a10 52->56 53->52 53->54 57 304ade-304adf 54->57 58 304adc 55->58 59 304a12-304a1c 56->59 60 304a6d-304a79 56->60 57->46 58->57 63 304a43-304a4f 59->63 64 304a1e-304a2a 59->64 61 304a90-304a93 60->61 62 304a7b-304a82 60->62 66 304a96-304a9e 61->66 62->54 63->61 65 304a51-304a6b call 304e59 63->65 64->63 67 304a2c-304a3e call 304cae 64->67 65->66 70 304aa0-304aa6 66->70 71 304ada 66->71 67->57 74 304aa8-304abc call 304ae3 70->74 75 304abe-304ac2 70->75 71->58 74->57 76 304ac4-304ad2 call 324a10 75->76 77 304ad5-304ad7 75->77 76->77 77->71
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: O0
                                  • API String ID: 0-2750300066
                                  • Opcode ID: 4bf654208c2f4472802baa332f28a80ef4d18b107f99797f6d08dc08d37bf2ca
                                  • Instruction ID: 394063c2e7de0e5e58f7e0a0bad31c35c5d25527e322a32eb358e18e342f4d88
                                  • Opcode Fuzzy Hash: 4bf654208c2f4472802baa332f28a80ef4d18b107f99797f6d08dc08d37bf2ca
                                  • Instruction Fuzzy Hash: 4151C7B0B01208AFDF16CF58CC51AAA7BB5EF49354F258158F9499B292D371DF41CB90

                                  Control-flow Graph

                                  control_flow_graph 82 314623-314633 83 314635-314648 call 30d22c call 30d23f 82->83 84 31464d-31464f 82->84 102 3149a7 83->102 86 314655-31465b 84->86 87 31498f-31499c call 30d22c call 30d23f 84->87 86->87 90 314661-31468a 86->90 105 3149a2 call 3047a0 87->105 90->87 93 314690-314699 90->93 94 3146b3-3146b5 93->94 95 31469b-3146ae call 30d22c call 30d23f 93->95 100 31498b-31498d 94->100 101 3146bb-3146bf 94->101 95->105 103 3149aa-3149ad 100->103 101->100 106 3146c5-3146c9 101->106 102->103 105->102 106->95 109 3146cb-3146e2 106->109 111 3146e4-3146e7 109->111 112 314717-31471d 109->112 115 3146e9-3146ef 111->115 116 31470d-314715 111->116 113 3146f1-314708 call 30d22c call 30d23f call 3047a0 112->113 114 31471f-314726 112->114 143 3148c2 113->143 118 314728 114->118 119 31472a-314748 call 316e2d call 316db3 * 2 114->119 115->113 115->116 117 31478a-3147a9 116->117 121 314865-31486e call 320d44 117->121 122 3147af-3147bb 117->122 118->119 152 314765-314788 call 30e13d 119->152 153 31474a-314760 call 30d23f call 30d22c 119->153 134 314870-314882 121->134 135 3148df 121->135 122->121 126 3147c1-3147c3 122->126 126->121 130 3147c9-3147ea 126->130 130->121 136 3147ec-314802 130->136 134->135 139 314884-314893 134->139 140 3148e3-3148f9 ReadFile 135->140 136->121 141 314804-314806 136->141 139->135 156 314895-314899 139->156 144 314957-314962 140->144 145 3148fb-314901 140->145 141->121 146 314808-31482b 141->146 148 3148c5-3148cf call 316db3 143->148 164 314964-314976 call 30d23f call 30d22c 144->164 165 31497b-31497e 144->165 145->144 150 314903 145->150 146->121 151 31482d-314843 146->151 148->103 158 314906-314918 150->158 151->121 159 314845-314847 151->159 152->117 153->143 156->140 163 31489b-3148b3 156->163 158->148 166 31491a-31491e 158->166 159->121 167 314849-314860 159->167 184 3148b5-3148ba 163->184 185 3148d4-3148dd 163->185 164->143 173 314984-314986 165->173 174 3148bb-3148c1 call 30d1e5 165->174 171 314920-314930 call 314335 166->171 172 314937-314944 166->172 167->121 192 314933-314935 171->192 175 314950-314955 call 31417b 172->175 176 314946 call 31448c 172->176 173->148 174->143 189 31494b-31494e 175->189 176->189 184->174 185->158 189->192 192->148
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 97b0726e1d9e11fc743ff026170cd08c18a1f0f01e838ce2e9cad46a90fc1377
                                  • Instruction ID: 55d5d82ba1fafec90fe5094a13b0643d64abcfdf7844795ac76b5ff2a8300ec8
                                  • Opcode Fuzzy Hash: 97b0726e1d9e11fc743ff026170cd08c18a1f0f01e838ce2e9cad46a90fc1377
                                  • Instruction Fuzzy Hash: C3B13470E04249AFDB1BDFA8D851BEEBBB9AF4D300F144158F550AB292C771AD81CB60

                                  Control-flow Graph

                                  control_flow_graph 277 4b707b6-4b707bb 278 4b70780-4b707ae call 4b707b0 277->278 279 4b707bd-4b707be 277->279 281 4b707c0-4b70830 279->281 282 4b7077e-4b7077f 279->282 292 4b7083b-4b70848 GetCurrentHwProfileW 281->292 282->278 293 4b70858-4b70b2e 292->293
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 6783cb0061e3034e27b53aa1809130f92f1e621fdf13c8649a003fe70a95b2c1
                                  • Instruction ID: 4a6351caec76cb04470d3301eaadb3be5f1a7bd60806ab0cd5d8dd2bf670ab1a
                                  • Opcode Fuzzy Hash: 6783cb0061e3034e27b53aa1809130f92f1e621fdf13c8649a003fe70a95b2c1
                                  • Instruction Fuzzy Hash: 7841E3EB34C115BCB552A1452B14AFA6BBEE6E733073084B7F427D6202F2C46E4A7571

                                  Control-flow Graph

                                  control_flow_graph 229 4b70752-4b70753 230 4b70755-4b7075a 229->230 231 4b707a1-4b707ae call 4b707b0 229->231 233 4b707d3-4b70830 230->233 234 4b7075c-4b7079b 230->234 243 4b7083b-4b70848 GetCurrentHwProfileW 233->243 234->231 244 4b70858-4b70b2e 243->244
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: a6d00a61d607faffb129b4a09b1ca495cdf3a124d3a68fa4c10e292664a235d9
                                  • Instruction ID: 4c66284c24a11fc697c3eac503f2dbc7e4ad9b0642726b2460f034fcbabb8590
                                  • Opcode Fuzzy Hash: a6d00a61d607faffb129b4a09b1ca495cdf3a124d3a68fa4c10e292664a235d9
                                  • Instruction Fuzzy Hash: 4F41E3EB74C115BCB152A1852B10AFA6B6EE6E7330B3084F7F427D6202F2C42E4A7571

                                  Control-flow Graph

                                  control_flow_graph 326 22a210-22a2ab call 2ff290 call 222ae0 331 22a2b0-22a2bb 326->331 331->331 332 22a2bd-22a2c8 331->332 333 22a2ca 332->333 334 22a2cd-22a2de call 305362 332->334 333->334 337 22a2e0-22a305 call 309136 call 304eeb call 309136 334->337 338 22a351-22a357 334->338 356 22a307 337->356 357 22a30c-22a316 337->357 340 22a381-22a393 338->340 341 22a359-22a365 338->341 343 22a377-22a37e call 2ff511 341->343 344 22a367-22a375 341->344 343->340 344->343 346 22a394-22a3ae call 3047b0 344->346 353 22a3b0-22a3bb 346->353 353->353 355 22a3bd-22a3c8 353->355 358 22a3ca 355->358 359 22a3cd-22a3df call 305362 355->359 356->357 360 22a328-22a32f call 28cf60 357->360 361 22a318-22a31c 357->361 358->359 370 22a3e1-22a3f9 call 309136 call 304eeb call 308be8 359->370 371 22a3fc-22a403 359->371 366 22a334-22a33a 360->366 364 22a320-22a326 361->364 365 22a31e 361->365 364->366 365->364 368 22a33e-22a349 call 30dbdf call 308be8 366->368 369 22a33c 366->369 386 22a34e 368->386 369->368 370->371 372 22a405-22a411 371->372 373 22a42d-22a433 371->373 376 22a423-22a42a call 2ff511 372->376 377 22a413-22a421 372->377 376->373 377->376 380 22a434-22a45e call 3047b0 377->380 393 22a460-22a464 380->393 394 22a46f-22a474 380->394 386->338 393->394 395 22a466-22a46e 393->395
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 33bd6c796651e22e8e0eb429b3166b7ef400354e1dc2eeda1361fe122e35dbb7
                                  • Instruction ID: 38ce0930f14c508a1213ce8b0c84e9f4b9bc3cb5a7c1c4429aeb6e4590f23233
                                  • Opcode Fuzzy Hash: 33bd6c796651e22e8e0eb429b3166b7ef400354e1dc2eeda1361fe122e35dbb7
                                  • Instruction Fuzzy Hash: 3D714A70911214BFDB18DFA8DC45BAEBBE8EF41700F1085ADF8059B682D7B5DA50C792

                                  Control-flow Graph

                                  control_flow_graph 396 4b707b0-4b70830 404 4b7083b-4b70848 GetCurrentHwProfileW 396->404 405 4b70858-4b70b2e 404->405
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: d6065b67cf610b92a9c18648671ce583138d087afef028862339030a16a37aab
                                  • Instruction ID: 7ad8bfcdd80965bd47a60b3102c31e8d7e5fc40d179a44199dfc3400bc563d32
                                  • Opcode Fuzzy Hash: d6065b67cf610b92a9c18648671ce583138d087afef028862339030a16a37aab
                                  • Instruction Fuzzy Hash: D341B0EB34C115BCB152A1452B24AFA666EE7E7330B3084B7F427D6202F2C46E4E7170

                                  Control-flow Graph

                                  control_flow_graph 438 4b707e2-4b70830 442 4b7083b-4b70848 GetCurrentHwProfileW 438->442 443 4b70858-4b70b2e 442->443
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 355e28bfb45afc97ca1d5c40d181fde493264aa274ee77ed1c329ec7717745ba
                                  • Instruction ID: e1717d2bce86abf7354b12a22e6d1f29347197446bd956a1cd053b1fc028e0ca
                                  • Opcode Fuzzy Hash: 355e28bfb45afc97ca1d5c40d181fde493264aa274ee77ed1c329ec7717745ba
                                  • Instruction Fuzzy Hash: C54190EB34C115BCB152A1452B14AFA6A6DE6E773073084B7F827D6202F2C46E4E7171

                                  Control-flow Graph

                                  control_flow_graph 476 4b707f5-4b70830 479 4b7083b-4b70848 GetCurrentHwProfileW 476->479 480 4b70858-4b70b2e 479->480
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 67304dcc38f7318b68e8498625a84ace913953e94cec324b855ed10ee330a165
                                  • Instruction ID: 659e606ed378e554791b77cf0d4d01a6888e774d7c6703b8a56f5cc70c1aeaa4
                                  • Opcode Fuzzy Hash: 67304dcc38f7318b68e8498625a84ace913953e94cec324b855ed10ee330a165
                                  • Instruction Fuzzy Hash: B54191EB74C115BCB142A1452B14AFA6AAEE6E6730B3084B7F427D6102F2D86F4E7171

                                  Control-flow Graph

                                  control_flow_graph 513 4b70818-4b70830 516 4b7083b-4b70848 GetCurrentHwProfileW 513->516 517 4b70858-4b70b2e 516->517
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: dc2aa0582cfc82485a28fe0794a52267e9ba5abd577d676f2198c834a586ff02
                                  • Instruction ID: f1e664d872d85f20fed9984096509b9afd1e309e7103ce75bef85f15c43557c1
                                  • Opcode Fuzzy Hash: dc2aa0582cfc82485a28fe0794a52267e9ba5abd577d676f2198c834a586ff02
                                  • Instruction Fuzzy Hash: DD41A0EB74C111BCB142A1852B24AFA6A7DE6E6330B3084B7F427D6602F2C46F4E7171

                                  Control-flow Graph

                                  control_flow_graph 550 31549c-3154be 551 3156b1 550->551 552 3154c4-3154c6 550->552 555 3156b3-3156b7 551->555 553 3154f2-315515 552->553 554 3154c8-3154e7 call 304723 552->554 557 315517-315519 553->557 558 31551b-315521 553->558 561 3154ea-3154ed 554->561 557->558 560 315523-315534 557->560 558->554 558->560 562 315547-315557 call 314fe1 560->562 563 315536-315544 call 30e17d 560->563 561->555 568 3155a0-3155b2 562->568 569 315559-31555f 562->569 563->562 570 3155b4-3155ba 568->570 571 315609-315629 WriteFile 568->571 572 315561-315564 569->572 573 315588-31559e call 314bb2 569->573 574 3155f5-315607 call 31505e 570->574 575 3155bc-3155bf 570->575 578 315634 571->578 579 31562b-315631 571->579 576 315566-315569 572->576 577 31556f-31557e call 314f79 572->577 596 315581-315583 573->596 601 3155dc-3155df 574->601 582 3155e1-3155f3 call 315222 575->582 583 3155c1-3155c4 575->583 576->577 584 315649-31564c 576->584 577->596 581 315637-315642 578->581 579->578 588 315644-315647 581->588 589 3156ac-3156af 581->589 582->601 590 3155ca-3155d7 call 315139 583->590 591 31564f-315651 583->591 584->591 588->584 589->555 590->601 598 315653-315658 591->598 599 31567f-31568b 591->599 596->581 602 315671-31567a call 30d208 598->602 603 31565a-31566c 598->603 604 315695-3156a7 599->604 605 31568d-315693 599->605 601->596 602->561 603->561 604->561 605->551 605->604
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00309087,?,00000000,00000000,00000000,?,00000000,?,0022A3EB,00309087,00000000,0022A3EB,?,?), ref: 00315621
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 1642c5b298f2dd81213779d63ca286a040edd7fc507130135eb4329955fea5ce
                                  • Instruction ID: a457f79464b07067fa10783d6a7d78c6d603079c3bbe03ed417c7b5823a76278
                                  • Opcode Fuzzy Hash: 1642c5b298f2dd81213779d63ca286a040edd7fc507130135eb4329955fea5ce
                                  • Instruction Fuzzy Hash: 4B61D471D00509EFDF1ADFA8C844EEEBBBAAF8D304F550145E800AB256D771D991CBA0

                                  Control-flow Graph

                                  control_flow_graph 643 4b70835-4b70848 GetCurrentHwProfileW 645 4b70858-4b70b2e 643->645
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: f0c868d0191c9686ea22db64f4b434e9d4eca54195b3808d7aa05bc7591e5f83
                                  • Instruction ID: f2f55d8a6436f3db15a0618f35b39792f8d422f0f3d701f135de858cfc608a66
                                  • Opcode Fuzzy Hash: f0c868d0191c9686ea22db64f4b434e9d4eca54195b3808d7aa05bc7591e5f83
                                  • Instruction Fuzzy Hash: AB3180EB74C115BDB142A1852B14AFA6A6DE6E6330B3084B7F427D6102F2D46E4E7171

                                  Control-flow Graph

                                  control_flow_graph 608 4b70828-4b70830 609 4b7083b-4b70848 GetCurrentHwProfileW 608->609 610 4b70858-4b70b2e 609->610
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04B7083F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119330478.0000000004B70000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B70000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b70000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2505dfc98fa120b5a1fa5da9ffcbb1ef7f960d51d52ec4d527fd27b04dd57bb7
                                  • Instruction ID: 08ec877ca513120715f79ec3f7d2ca5f8c4b7480ec50c001872050dc5cb771ab
                                  • Opcode Fuzzy Hash: 2505dfc98fa120b5a1fa5da9ffcbb1ef7f960d51d52ec4d527fd27b04dd57bb7
                                  • Instruction Fuzzy Hash: 4431A2EB74C111BCB142A1452B14AFA6A7DE6E6730B3084B7F427D6202F2D46E4E7171
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 002906AE
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,003149F9,00000000,CF830579,00351140,0000000C,00314AB5,00308BBD,?), ref: 00314B68
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00350DF8,0022A3EB,00000002,0022A3EB,00000000,?,?,?,0030E166,00000000,?,0022A3EB,00000002,00350DF8), ref: 0030E098
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,003091F7,00000000,?,00315D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0030D244,003089C3,003091F7,00000000), ref: 00316434
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0031D635,4D88C033,?,0031D635,00000220,?,003157EF,4D88C033), ref: 00316E5F
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4119390261.0000000004B80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04B80000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_4b80000_RageMP131.jbxd
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0028F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0028F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028FA08
                                  • std::_Facet_Register.LIBCPMT ref: 0028FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"4
                                  • API String ID: 3375549084-3434465823
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3"$@3"$G>"$G>"$`!"$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-956037866
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00302E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00302E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00302ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00302F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00302F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: i5$csm
                                  • API String ID: 1170836740-665140769
                                  • Opcode ID: 24dc7c5519611c1b2c5330928abfa050b3e30bd1fd132f159d93054b5f048e2e
                                  • Instruction ID: 1005daeedd59d601c45edfb1bda55eeab5e4755c0a8d9ac856e6e131d8afa9f9
                                  • Opcode Fuzzy Hash: 24dc7c5519611c1b2c5330928abfa050b3e30bd1fd132f159d93054b5f048e2e
                                  • Instruction Fuzzy Hash: 0741E630A01209ABCF12DF68C8A9A9FBBB9AF44324F148055FD149B3D2D731EE55CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3"$@3"$`!"$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-108183131
                                  • Opcode ID: 461ff189b6c88cecf971a462d53dfdf55009d5550d66a07e872c03249abfd1e5
                                  • Instruction ID: f22101a67cea087efa947bca2f41254cd4062ed22376cce1c43ad23371f4dcc8
                                  • Opcode Fuzzy Hash: 461ff189b6c88cecf971a462d53dfdf55009d5550d66a07e872c03249abfd1e5
                                  • Instruction Fuzzy Hash: 75212BB65107157FC715DF98E801B96B7E8AF04310F18883AFE689B641E7B4EA24CB90
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00224F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00224FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002250C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3"$`!"$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-441038987
                                  • Opcode ID: 3c984c599464f7708f9a11be158730619733e06ae9cd25c8ae5d3464386aa76b
                                  • Instruction ID: 78f2408fc358ae00273829a6351693c7bdcccca4771ba7aff86d824053450d83
                                  • Opcode Fuzzy Hash: 3c984c599464f7708f9a11be158730619733e06ae9cd25c8ae5d3464386aa76b
                                  • Instruction Fuzzy Hash: 85E12571910214AFDB28EFA8E845BAEF7F9FF44700F104A2DE41697781D774AA14CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$out_of_range$type_error
                                  • API String ID: 2659868963-4088840996
                                  • Opcode ID: f3b2904c7ad04a7ac26de578cebcebc3c67b60ed228da715b889a3c6e6570d98
                                  • Instruction ID: a488cffb622bd771bccbdff74e65bfa1e5a8606fb203ab48ebbe0496e6bab297
                                  • Opcode Fuzzy Hash: f3b2904c7ad04a7ac26de578cebcebc3c67b60ed228da715b889a3c6e6570d98
                                  • Instruction Fuzzy Hash: 7CC179B19142189FDB08CFA8E98479DFBF5FF49300F148269E419EB781E774A980CB50
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002232C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00223350
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4"$@3"$`!"$`!"
                                  • API String ID: 2970364248-3171281168
                                  • Opcode ID: 2eb47523b7142958c8b9aa88e4e25dcd8b2ad4c7b5ec5d3c62be4b49343335b2
                                  • Instruction ID: 00cf95ea5ebe82e96ce617bb3b05538e7ef1e5bb76d3e8dd5ff559daa5f46100
                                  • Opcode Fuzzy Hash: 2eb47523b7142958c8b9aa88e4e25dcd8b2ad4c7b5ec5d3c62be4b49343335b2
                                  • Instruction Fuzzy Hash: 0651BF71910218AFDB09CF98D885BEEBBF9FF49300F14812AF815A7391D7749A51CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00223A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00223AA4
                                  • __Getctype.LIBCPMT ref: 00223ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00223AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00223B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 1728f1ef9196aaa847dad8771b04cce6bdf9dfc652b9294c6c8f1eccaebe1347
                                  • Instruction ID: e8af071b252a381c908e1e6f86a2bcf6d018afac982573c46d7ec8f59dfefc19
                                  • Opcode Fuzzy Hash: 1728f1ef9196aaa847dad8771b04cce6bdf9dfc652b9294c6c8f1eccaebe1347
                                  • Instruction Fuzzy Hash: C65181B1D10218AFDF11DFE4D845B9EBBF8AF14714F144069E909AB381E778EA14CB51
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0028DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0028DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0028DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0028DF7B
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 4bf9923af9929af9c5b3fa4f5861fb0739ba4e48b2c9d48728e64774f23a2dcd
                                  • Instruction ID: 184aa7d673d33c7614ee78ee66dd4f2f2d896911e9055e273597f9a2fe0b1d11
                                  • Opcode Fuzzy Hash: 4bf9923af9929af9c5b3fa4f5861fb0739ba4e48b2c9d48728e64774f23a2dcd
                                  • Instruction Fuzzy Hash: 3B4105799212199FCB15EF54D841B6EBBB8FB20750F144268E9059B3E2D730AD24CFD1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$parse error$parse_error
                                  • API String ID: 2659868963-1134234602
                                  • Opcode ID: 2ef8bf996febb9c94f310b0fdee7bf64d21bff3fc4d048e43420e337dc1e9f68
                                  • Instruction ID: 3417f8d2c26fedfdd2d6587d85a1960698b9eb99bc6f3a773e9d7849250630d2
                                  • Opcode Fuzzy Hash: 2ef8bf996febb9c94f310b0fdee7bf64d21bff3fc4d048e43420e337dc1e9f68
                                  • Instruction Fuzzy Hash: 42E190709142189FDB18CFA8D88479DBBF5FF49300F2482A9E418EB792D774AA91CF50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 002275BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 002275CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!"
                                  • API String ID: 4194217158-499326956
                                  • Opcode ID: 1ca339b7b9ff87553616978a5407d908f03393d105e50057efdc78fd177fb5f8
                                  • Instruction ID: 26e38b049060c617f4fa516276590e1da6a8faead548e671300e916148965055
                                  • Opcode Fuzzy Hash: 1ca339b7b9ff87553616978a5407d908f03393d105e50057efdc78fd177fb5f8
                                  • Instruction Fuzzy Hash: 4961F670A14215AFDB08DFA8EC84B9DFBB5FF45300F644628F415A7781D774AA64CB90
                                  APIs
                                    • Part of subcall function 00223190: ___std_exception_copy.LIBVCRUNTIME ref: 002232C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4"$@3"$@3"$`!"
                                  • API String ID: 2659868963-1017541404
                                  • Opcode ID: c19bda138227c8b4acceac0ca2bd67c40c9f503f6edb03bcdd0f8b1b3daee13d
                                  • Instruction ID: 3205a8271c47af3353714eb4ca41e5790bf7fd0a4e32b948ef78b225f2aabc7c
                                  • Opcode Fuzzy Hash: c19bda138227c8b4acceac0ca2bd67c40c9f503f6edb03bcdd0f8b1b3daee13d
                                  • Instruction Fuzzy Hash: 563183B5900219AFCB19DFA8D841AEEFBF9FF08710F10856AE514E7641E774A650CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0022345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4"$@3"$@3"$`!"
                                  • API String ID: 2659868963-1017541404
                                  • Opcode ID: d793f92d6042dd36f368130d28799db8ba156c61fc86472878c747998e233332
                                  • Instruction ID: fade0ed19c5f945895701664d35b1001620c689d2cde3220a1238a0c7af254f6
                                  • Opcode Fuzzy Hash: d793f92d6042dd36f368130d28799db8ba156c61fc86472878c747998e233332
                                  • Instruction Fuzzy Hash: B3014FB6500219AFC709DFA9E401C96FBFCEF04310B00843AE51987611E7B0E524CF90
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00226F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00226F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!"
                                  • API String ID: 4194217158-420608075
                                  • Opcode ID: 471a0a8a1c272b6679b0abf4be0f88dd43bab17b3e691e82889d128d9e07e211
                                  • Instruction ID: 8f14c163d8835d78a84180a1d1423fd15f9dac5543cb5e01b9405dc96e774017
                                  • Opcode Fuzzy Hash: 471a0a8a1c272b6679b0abf4be0f88dd43bab17b3e691e82889d128d9e07e211
                                  • Instruction Fuzzy Hash: 39910771A10208AFDB18CFA8D988B9EFBF6FF45300F20856DE415AB792D771A951CB50
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00222275
                                    • Part of subcall function 002FD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 002FD6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$L5$L5
                                  • API String ID: 1997705970-1140454669
                                  • Opcode ID: d94d1c15d1a66b5b0bf520cb64902a36cd69095d3af785b71fc7813d7feaddf0
                                  • Instruction ID: 5cacd00fe4389ce65c05a25c450b1b729eff51fe102f69f3c70f23506ec5785d
                                  • Opcode Fuzzy Hash: d94d1c15d1a66b5b0bf520cb64902a36cd69095d3af785b71fc7813d7feaddf0
                                  • Instruction Fuzzy Hash: 1E816535A14295FFCB06CFA8D450BEDBFB5EF5A300F1841AAC894A7342C3768559CBA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 002277B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$invalid_iterator
                                  • API String ID: 2659868963-1673871702
                                  • Opcode ID: b249f8a9de8d197c5d8967c3d9526864066400606540b0d9a60d35b2de12369f
                                  • Instruction ID: dd387d85dee1a9859ed81ce90c4265556f528f5f52ff579137c5f7e5a704497b
                                  • Opcode Fuzzy Hash: b249f8a9de8d197c5d8967c3d9526864066400606540b0d9a60d35b2de12369f
                                  • Instruction Fuzzy Hash: 555168B49042089FDB09CFA8E99479DFBF5FF49300F148669E419EB791E774A980CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00227D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"$other_error
                                  • API String ID: 2659868963-3199201282
                                  • Opcode ID: 17eebf203d6030155c347d50f0291e1ac3aa68219c72c3ed550d4aa9e0d19f14
                                  • Instruction ID: 0ee71784a0b786b9b5d724684520ee3120ca85e69f4cb07922fad4009ed80f6f
                                  • Opcode Fuzzy Hash: 17eebf203d6030155c347d50f0291e1ac3aa68219c72c3ed550d4aa9e0d19f14
                                  • Instruction Fuzzy Hash: 165179B09142489FDB08CFA8E8847ADFBF5BF49300F148669E419EB781E774A980CB50
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0028D06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0028D096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: c886cba7ef34ed4228f1c193cedb79fe3252122ec382d1db4ccb85de395db2b2
                                  • Instruction ID: d379381fc1f5333b32ac03d168196148b142be1afa0a52b2a4e9f2b3a98f55c9
                                  • Opcode Fuzzy Hash: c886cba7ef34ed4228f1c193cedb79fe3252122ec382d1db4ccb85de395db2b2
                                  • Instruction Fuzzy Hash: EE01A8B6500615AFC709DF59D545982FBF8FB45710710853BA529CBB10D7B0E528CFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0029B3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0029B406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: 4ed869cd28622bbe04335a28791b862d9e8429a9bd1df1d0924bad16bca0d694
                                  • Instruction ID: bd724b32999c924496ba743e8e350f03ab66022f47ad07c0342fa7268dc48b55
                                  • Opcode Fuzzy Hash: 4ed869cd28622bbe04335a28791b862d9e8429a9bd1df1d0924bad16bca0d694
                                  • Instruction Fuzzy Hash: DBF0C4BA50061AAFC70ADF58D505986FBF8FA45710711853BE52ACBB00E7B0E528CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0029B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px)$invalid hash bucket count
                                  • API String ID: 909987262-2882725661
                                  • Opcode ID: bc1779a20507995047b1f04cf97864b136526bed1ea292dd695f1395653cb32b
                                  • Instruction ID: 1d0d4d6c25f1d13771709ff56b2ce79c70110adcc62f35d9fb36ab0c997405bb
                                  • Opcode Fuzzy Hash: bc1779a20507995047b1f04cf97864b136526bed1ea292dd695f1395653cb32b
                                  • Instruction Fuzzy Hash: C67110B4A10609DFCB15CF49D28086AFBF9FF88300764C5AAD8599B355D731EA61CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0029E491
                                  Strings
                                  • type must be string, but is , xrefs: 0029E4F8
                                  • type must be boolean, but is , xrefs: 0029E582
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 45242f3f5b3360d39e1865c62872e6ba11ee51638a811654f58ff18c42f20d88
                                  • Instruction ID: b4659b11eadb704cd7ac288c66c27dd43deebaa412c11008431f9dafdaff37d7
                                  • Opcode Fuzzy Hash: 45242f3f5b3360d39e1865c62872e6ba11ee51638a811654f58ff18c42f20d88
                                  • Instruction Fuzzy Hash: 87417AB5910248AFCF15EBA4E812B9EB7A8DB10300F144678F815D76C2EB35A964CB92
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00223078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000009.00000002.4113783507.0000000000221000.00000040.00000001.01000000.00000006.sdmp, Offset: 00220000, based on PE: true
                                   • Associated: 00000009.00000002.4112172078.0000000000220000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4113783507.0000000000353000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114026608.0000000000358000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000035C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000004F2000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.00000000005D5000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.000000000060C000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000613000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114069988.0000000000622000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4114695634.0000000000623000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000009.00000002.4115008667.00000000007CB000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_9_2_220000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!"$`!"
                                  • API String ID: 2659868963-1599315490
                                  • Opcode ID: 5598f2895bf776948ad46e180210ecdefcbfe18d5f2ea42864490af7bc983e19
                                  • Instruction ID: e8dfa3865ee76a8725314a5707e52fbdc186ffbbf71bae73a93a11b7ae5cb687
                                  • Opcode Fuzzy Hash: 5598f2895bf776948ad46e180210ecdefcbfe18d5f2ea42864490af7bc983e19
                                  • Instruction Fuzzy Hash: A9E0EDB69012189FC711DFA8990598AFBF8AB19701F1086BAE948DB200F6B195548BD1