Edit tour

Windows Analysis Report
Lisect_AVT_24003_G1B_108.exe

Overview

General Information

Sample name:	Lisect_AVT_24003_G1B_108.exe
Analysis ID:	1481265
MD5:	0b4b3e5e4a2ee4bd9ba8d9950639f269
SHA1:	7a0ffcb4a3b75704478ed80c20d4dc830ab07ebf
SHA256:	b240341d8adfed0f14d665dcbad14c542fa2e6f57a8c1904c0e5ccfb10270b17
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected RisePro Stealer

AI detected suspicious sample

Found stalling execution ending in API Sleep call

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

Lisect_AVT_24003_G1B_108.exe (PID: 1992 cmdline: "C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe" MD5: 0B4B3E5E4A2EE4BD9BA8D9950639F269)

schtasks.exe (PID: 2316 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 6972 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 5012 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 0B4B3E5E4A2EE4BD9BA8D9950639F269)

MPGPH131.exe (PID: 6484 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 0B4B3E5E4A2EE4BD9BA8D9950639F269)

RageMP131.exe (PID: 5080 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 0B4B3E5E4A2EE4BD9BA8D9950639F269)

RageMP131.exe (PID: 6620 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 0B4B3E5E4A2EE4BD9BA8D9950639F269)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: Lisect_AVT_24003_G1B_108.exe PID: 1992	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 5012	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 6484	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 5080	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 6620	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe, ProcessId: 1992, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:58:51.799868+0200
SID:	2049060
Source Port:	49705
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:58:50.127587+0200
SID:	2046269
Source Port:	49704
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:58:54.752913+0200
SID:	2046269
Source Port:	49705
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:59:13.143304+0200
SID:	2046269
Source Port:	49715
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T06:59:23.343383+0200
SID:	2022930
Source Port:	443
Destination Port:	62109
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 20.12.23.50 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T06:59:03.946343+0200
SID:	2022930
Source Port:	443
Destination Port:	49707
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:58:54.752808+0200
SID:	2046269
Source Port:	49706
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:58:47.148505+0200
SID:	2049060
Source Port:	49704
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.5 - Destination IP: 193.233.132.62

Timestamp:	2024-07-25T06:59:05.660986+0200
SID:	2046269
Source Port:	49708
Destination Port:	50500
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 52.165.165.26 - Destination IP: 192.168.2.5

Timestamp:	2024-07-25T06:59:22.123324+0200
SID:	2022930
Source Port:	443
Destination Port:	62108
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: Lisect_AVT_24003_G1B_108.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: TR/Zenpak.bowul
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: TR/Zenpak.bowul

Multi AV Scanner detection for dropped file

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	ReversingLabs: Detection: 63%
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: Lisect_AVT_24003_G1B_108.exe

ReversingLabs: Detection: 63%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: Lisect_AVT_24003_G1B_108.exe

Joe Sandbox ML: detected

Source: Lisect_AVT_24003_G1B_108.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: global traffic

TCP traffic: 192.168.2.5:49704 -> 193.233.132.62:50500

Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62
Source: Joe Sandbox View	IP Address: 193.233.132.62 193.233.132.62

Source: unknown

DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.62
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Code function: 0_2_0082DB60 recv,WSAStartup,closesocket,socket,connect,closesocket,

0_2_0082DB60

Source: global traffic

DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa

Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.000000000137E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4485715827.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4485499780.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4485711166.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT-h
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.000000000137E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT;
Source: MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTt

System Summary

PE file contains section with special chars

Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: .idata
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008EA800	0_2_008EA800
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_00812040	0_2_00812040
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_0082A100	0_2_0082A100
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008F991F	0_2_008F991F
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_00891940	0_2_00891940
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008242A0	0_2_008242A0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008122C0	0_2_008122C0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_0089BBB0	0_2_0089BBB0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_0081AB50	0_2_0081AB50
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_00894C20	0_2_00894C20
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008F3ED8	0_2_008F3ED8
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008806F0	0_2_008806F0
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_0081A720	0_2_0081A720
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008F0750	0_2_008F0750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00442040	6_2_00442040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0051A800	6_2_0051A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004C1940	6_2_004C1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0045A100	6_2_0045A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0052991F	6_2_0052991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004422C0	6_2_004422C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004542A0	6_2_004542A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044AB50	6_2_0044AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004CBBB0	6_2_004CBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004C4C20	6_2_004C4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00523ED8	6_2_00523ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_004B06F0	6_2_004B06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00520750	6_2_00520750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0044A720	6_2_0044A720
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00442040	7_2_00442040
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0051A800	7_2_0051A800
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004C1940	7_2_004C1940
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0045A100	7_2_0045A100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0052991F	7_2_0052991F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004422C0	7_2_004422C0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004542A0	7_2_004542A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0044AB50	7_2_0044AB50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004CBBB0	7_2_004CBBB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004C4C20	7_2_004C4C20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00523ED8	7_2_00523ED8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_004B06F0	7_2_004B06F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00520750	7_2_00520750
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0044A720	7_2_0044A720
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00432040	8_2_00432040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0050A800	8_2_0050A800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004B1940	8_2_004B1940
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0044A100	8_2_0044A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0051991F	8_2_0051991F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004322C0	8_2_004322C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004442A0	8_2_004442A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0043AB50	8_2_0043AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004BBBB0	8_2_004BBBB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004B4C20	8_2_004B4C20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00513ED8	8_2_00513ED8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004A06F0	8_2_004A06F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00510750	8_2_00510750
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0043A720	8_2_0043A720
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_00432040	10_2_00432040
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0050A800	10_2_0050A800
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004B1940	10_2_004B1940
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0044A100	10_2_0044A100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0051991F	10_2_0051991F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004322C0	10_2_004322C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004442A0	10_2_004442A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0043AB50	10_2_0043AB50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004BBBB0	10_2_004BBBB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004B4C20	10_2_004B4C20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_00513ED8	10_2_00513ED8
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_004A06F0	10_2_004A06F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_00510750	10_2_00510750
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0043A720	10_2_0043A720

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 0051D940 appears 46 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0050D940 appears 46 times

Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2040275696.000000000558F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1B_108.exe
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2041694673.000000000558E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1B_108.exe
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1B_108.exe
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4489638829.00000000050E0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1B_108.exe
Source: Lisect_AVT_24003_G1B_108.exe	Binary or memory string: OriginalFilenameAy3Info.exe0 vs Lisect_AVT_24003_G1B_108.exe

Source: Lisect_AVT_24003_G1B_108.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: Section: ZLIB complexity 0.9993563565340909
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993563565340909
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9993563565340909

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@1/1

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3436:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: Lisect_AVT_24003_G1B_108.exe

ReversingLabs: Detection: 63%

Source: Lisect_AVT_24003_G1B_108.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

File read: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe "C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: Lisect_AVT_24003_G1B_108.exe

Static file information: File size 2401804 > 1048576

Source: Lisect_AVT_24003_G1B_108.exe

Static PE information: Raw size of rhfejcgk is bigger than: 0x100000 < 0x1b5a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Unpacked PE file: 0.2.Lisect_AVT_24003_G1B_108.exe.810000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.440000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 10.2.RageMP131.exe.430000.0.unpack :EW;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;rhfejcgk:EW;khoopwui:EW;.taggant:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x251f63 should be: 0x24fd85
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x251f63 should be: 0x24fd85
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: real checksum: 0x251f63 should be: 0x24fd85

Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: .idata
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name:
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: rhfejcgk
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: khoopwui
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: rhfejcgk
Source: RageMP131.exe.0.dr	Static PE information: section name: khoopwui
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: rhfejcgk
Source: MPGPH131.exe.0.dr	Static PE information: section name: khoopwui
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_008ED509 push ecx; ret	0_2_008ED51C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0051D509 push ecx; ret	6_2_0051D51C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_04F2016D push edx; retf	6_2_04F2016E
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0051D509 push ecx; ret	7_2_0051D51C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0050D509 push ecx; ret	8_2_0050D51C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_0050D509 push ecx; ret	10_2_0050D51C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_04FB03F9 push 0000005Bh; retn 0010h	10_2_04FB0404

Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: entropy: 7.988833024480807
Source: Lisect_AVT_24003_G1B_108.exe	Static PE information: section name: rhfejcgk entropy: 7.913857553386715
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.988833024480807
Source: RageMP131.exe.0.dr	Static PE information: section name: rhfejcgk entropy: 7.913857553386715
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.988833024480807
Source: MPGPH131.exe.0.dr	Static PE information: section name: rhfejcgk entropy: 7.913857553386715

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found stalling execution ending in API Sleep call

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Stalling execution: Execution stalls by calling Sleep	graph_0-23677
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Stalling execution: Execution stalls by calling Sleep	graph_8-24135
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Stalling execution: Execution stalls by calling Sleep	graph_6-23937

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5D81 second address: AE5DA2 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBFB0CD3E26h 0x00000008 jmp 00007FBFB0CD3E31h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5DA2 second address: AE5DB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB1286EBAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFA1 second address: ADAFA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFA5 second address: ADAFAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFAB second address: ADAFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007FBFB0CD3E37h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFC8 second address: ADAFCD instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFCD second address: ADAFF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBFB0CD3E26h 0x0000000a pop edi 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FBFB0CD3E33h 0x00000013 push edi 0x00000014 pop edi 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFF8 second address: ADAFFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ADAFFC second address: ADB012 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 ja 00007FBFB0CD3E26h 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007FBFB0CD3E26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5358 second address: AE535C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE535C second address: AE5366 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBFB0CD3E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5366 second address: AE536D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5506 second address: AE5525 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E39h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE5525 second address: AE5529 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE77D7 second address: AE781C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov edi, dword ptr [ebp+122D391Bh] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebx 0x00000013 call 00007FBFB0CD3E28h 0x00000018 pop ebx 0x00000019 mov dword ptr [esp+04h], ebx 0x0000001d add dword ptr [esp+04h], 00000016h 0x00000025 inc ebx 0x00000026 push ebx 0x00000027 ret 0x00000028 pop ebx 0x00000029 ret 0x0000002a sub dword ptr [ebp+122D3652h], ebx 0x00000030 push A1B7EDC0h 0x00000035 pushad 0x00000036 jnc 00007FBFB0CD3E28h 0x0000003c pushad 0x0000003d popad 0x0000003e push ecx 0x0000003f push eax 0x00000040 push edx 0x00000041 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE781C second address: AE786C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 add dword ptr [esp], 5E4812C0h 0x0000000d mov edi, edx 0x0000000f push 00000003h 0x00000011 mov edi, dword ptr [ebp+122D2A08h] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FBFB1286EB8h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push 00000003h 0x00000035 sbb edx, 0497FA64h 0x0000003b call 00007FBFB1286EB9h 0x00000040 pushad 0x00000041 push eax 0x00000042 push edx 0x00000043 push ecx 0x00000044 pop ecx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE786C second address: AE78A3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBFB0CD3E38h 0x0000000b popad 0x0000000c push eax 0x0000000d push ecx 0x0000000e jmp 00007FBFB0CD3E2Dh 0x00000013 pop ecx 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push edx 0x00000019 push esi 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE78A3 second address: AE78B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 mov eax, dword ptr [eax] 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007FBFB1286EB8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE78B5 second address: AE78BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE78BB second address: AE78BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE78BF second address: AE78D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f jc 00007FBFB0CD3E26h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE7985 second address: AE798C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE798C second address: AE7996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBFB0CD3E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE7996 second address: AE7A13 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007FBFB1286EB8h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000015h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 mov dword ptr [ebp+122D375Ah], ebx 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FBFB1286EB8h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 00000014h 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 jmp 00007FBFB1286EC4h 0x0000004a push B00FD9D2h 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007FBFB1286EC7h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE7A13 second address: AE7A17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AE7C3D second address: AE7C47 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B077D4 second address: B077E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FBFB0CD3E26h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B05719 second address: B05723 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBFB1286EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B05F65 second address: B05F6C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B05F6C second address: B05F72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B05F72 second address: B05F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B061FB second address: B06207 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B06207 second address: B0620B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B063C5 second address: B063CB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B063CB second address: B063CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B063CF second address: B063E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBFB1286EC0h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B063E8 second address: B06405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E2Fh 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B06405 second address: B06412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jbe 00007FBFB1286EB6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B06412 second address: B06418 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B06418 second address: B0641E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B066DB second address: B066E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AFB927 second address: AFB93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB1286EBEh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AD5FB5 second address: AD5FC9 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FBFB0CD3E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FBFB0CD3E2Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AD5FC9 second address: AD5FD9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBFB1286EBCh 0x0000000a jo 00007FBFB1286EB6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AD5FD9 second address: AD5FEA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBFB0CD3E2Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AD5FEA second address: AD5FF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AD5FF2 second address: AD5FF8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B12531 second address: B1254F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007FBFB1286EBFh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007FBFB1286EB6h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B11A98 second address: B11ABC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B11C44 second address: B11C48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B11C48 second address: B11C55 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 ja 00007FBFB0CD3E26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B11DCD second address: B11DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push ebx 0x00000008 jbe 00007FBFB1286EB6h 0x0000000e pop ebx 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnp 00007FBFB1286ECFh 0x00000018 jmp 00007FBFB1286EC7h 0x0000001d push edi 0x0000001e pop edi 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B11DFE second address: B11E29 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E37h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBFB0CD3E30h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B120B9 second address: B120BD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B120BD second address: B120C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B123D4 second address: B123E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jo 00007FBFB1286EB6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B141F8 second address: B141FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B146AC second address: B146B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FBFB1286EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1495E second address: B14968 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FBFB0CD3E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B15152 second address: B15156 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B15227 second address: B1522B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B15323 second address: B15327 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1547A second address: B1547E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1547E second address: B15499 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B161C9 second address: B161CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B171C1 second address: B171CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B16992 second address: B16996 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B171CE second address: B171D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B17C60 second address: B17C79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1866E second address: B186EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007FBFB1286EB8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 and esi, dword ptr [ebp+122D3691h] 0x0000002a jno 00007FBFB1286EC4h 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push ecx 0x00000037 call 00007FBFB1286EB8h 0x0000003c pop ecx 0x0000003d mov dword ptr [esp+04h], ecx 0x00000041 add dword ptr [esp+04h], 0000001Ah 0x00000049 inc ecx 0x0000004a push ecx 0x0000004b ret 0x0000004c pop ecx 0x0000004d ret 0x0000004e sbb si, 854Fh 0x00000053 push eax 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 jmp 00007FBFB1286EBAh 0x0000005c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1842B second address: B1842F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1842F second address: B18433 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B18433 second address: B18444 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jg 00007FBFB0CD3E26h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B19D1E second address: B19D23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1A4C2 second address: B1A4E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c push ebx 0x0000000d pushad 0x0000000e popad 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1A4E1 second address: B1A4E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: AC6D07 second address: AC6D0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1EA71 second address: B1EA77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1EF67 second address: B1EF85 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E30h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jbe 00007FBFB0CD3E34h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1EF85 second address: B1EFE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007FBFB1286EB6h 0x0000000a popad 0x0000000b nop 0x0000000c jne 00007FBFB1286EBBh 0x00000012 push 00000000h 0x00000014 mov dword ptr [ebp+122D1920h], ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007FBFB1286EB8h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 00000018h 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 movsx edi, di 0x00000039 xchg eax, esi 0x0000003a push eax 0x0000003b jmp 00007FBFB1286EC0h 0x00000040 pop eax 0x00000041 push eax 0x00000042 push ecx 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 popad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1F114 second address: B1F118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1F118 second address: B1F122 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1F122 second address: B1F126 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1F126 second address: B1F1BC instructions: 0x00000000 rdtsc 0x00000002 jns 00007FBFB1286EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FBFB1286EB8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000018h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push dword ptr fs:[00000000h] 0x0000002d call 00007FBFB1286EC2h 0x00000032 mov di, ax 0x00000035 pop ebx 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d push 00000000h 0x0000003f push edi 0x00000040 call 00007FBFB1286EB8h 0x00000045 pop edi 0x00000046 mov dword ptr [esp+04h], edi 0x0000004a add dword ptr [esp+04h], 0000001Ah 0x00000052 inc edi 0x00000053 push edi 0x00000054 ret 0x00000055 pop edi 0x00000056 ret 0x00000057 mov ebx, 50313B31h 0x0000005c mov ebx, 0D2E2A26h 0x00000061 mov eax, dword ptr [ebp+122D048Dh] 0x00000067 mov dword ptr [ebp+122D3702h], edx 0x0000006d push FFFFFFFFh 0x0000006f mov ebx, dword ptr [ebp+122D1917h] 0x00000075 nop 0x00000076 push eax 0x00000077 push edx 0x00000078 push ebx 0x00000079 push eax 0x0000007a push edx 0x0000007b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1F1BC second address: B1F1C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B22F4D second address: B22F51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B221BD second address: B2225E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a mov dword ptr [esp], eax 0x0000000d push esi 0x0000000e mov dword ptr [ebp+122D28FEh], ebx 0x00000014 pop edi 0x00000015 push dword ptr fs:[00000000h] 0x0000001c and edi, 0C7EB0C6h 0x00000022 sub edi, 7213B417h 0x00000028 mov dword ptr fs:[00000000h], esp 0x0000002f and ebx, 7EEC4846h 0x00000035 mov eax, dword ptr [ebp+122D0A75h] 0x0000003b jmp 00007FBFB0CD3E36h 0x00000040 push FFFFFFFFh 0x00000042 jmp 00007FBFB0CD3E2Fh 0x00000047 movsx ebx, bx 0x0000004a nop 0x0000004b jmp 00007FBFB0CD3E2Bh 0x00000050 push eax 0x00000051 pushad 0x00000052 jc 00007FBFB0CD3E39h 0x00000058 jmp 00007FBFB0CD3E33h 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2311F second address: B23124 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B24FCC second address: B24FD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B24125 second address: B2412C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2412C second address: B241E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007FBFB0CD3E34h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push ebx 0x00000012 call 00007FBFB0CD3E28h 0x00000017 pop ebx 0x00000018 mov dword ptr [esp+04h], ebx 0x0000001c add dword ptr [esp+04h], 0000001Bh 0x00000024 inc ebx 0x00000025 push ebx 0x00000026 ret 0x00000027 pop ebx 0x00000028 ret 0x00000029 push dword ptr fs:[00000000h] 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007FBFB0CD3E28h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000016h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a jmp 00007FBFB0CD3E36h 0x0000004f call 00007FBFB0CD3E32h 0x00000054 pop edi 0x00000055 mov dword ptr fs:[00000000h], esp 0x0000005c mov ebx, esi 0x0000005e mov edi, dword ptr [ebp+122D2A98h] 0x00000064 mov eax, dword ptr [ebp+122D1049h] 0x0000006a mov ebx, dword ptr [ebp+122D38C1h] 0x00000070 push FFFFFFFFh 0x00000072 mov dword ptr [ebp+122D3C63h], edx 0x00000078 nop 0x00000079 push eax 0x0000007a push edx 0x0000007b jns 00007FBFB0CD3E28h 0x00000081 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B241E8 second address: B24208 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d jnc 00007FBFB1286EB6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B261C1 second address: B261C6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2705A second address: B27060 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B27060 second address: B2708B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edi 0x0000000c ja 00007FBFB0CD3E26h 0x00000012 pop edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2708B second address: B2708F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B26294 second address: B262C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E37h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c pushad 0x0000000d jmp 00007FBFB0CD3E31h 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B29179 second address: B2917F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2917F second address: B291F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FBFB0CD3E28h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000016h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 jmp 00007FBFB0CD3E2Dh 0x0000002a push 00000000h 0x0000002c call 00007FBFB0CD3E31h 0x00000031 pushad 0x00000032 movzx esi, di 0x00000035 popad 0x00000036 pop edi 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push esi 0x0000003c call 00007FBFB0CD3E28h 0x00000041 pop esi 0x00000042 mov dword ptr [esp+04h], esi 0x00000046 add dword ptr [esp+04h], 00000015h 0x0000004e inc esi 0x0000004f push esi 0x00000050 ret 0x00000051 pop esi 0x00000052 ret 0x00000053 mov edi, dword ptr [ebp+122D2A64h] 0x00000059 push eax 0x0000005a pushad 0x0000005b push eax 0x0000005c push edx 0x0000005d push edx 0x0000005e pop edx 0x0000005f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B271D0 second address: B271D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B28305 second address: B2830A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B27280 second address: B27289 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2841E second address: B28422 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2C73C second address: B2C749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B27289 second address: B2728D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B28422 second address: B2843E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC8h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2728D second address: B27291 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B27291 second address: B272A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jg 00007FBFB1286EBCh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2E92A second address: B2E930 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2E930 second address: B2E9A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007FBFB1286EB8h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 00000016h 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 je 00007FBFB1286EB8h 0x0000002e mov bh, 84h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 mov ebx, dword ptr [ebp+122D2AD0h] 0x00000039 pop edi 0x0000003a push 00000000h 0x0000003c mov edi, 109AED33h 0x00000041 push eax 0x00000042 jbe 00007FBFB1286EE2h 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FBFB1286EC5h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2EAC6 second address: B2EACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2EACA second address: B2EB73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a pushad 0x0000000b pushad 0x0000000c mov dword ptr [ebp+122D3176h], ecx 0x00000012 mov di, ax 0x00000015 popad 0x00000016 mov dword ptr [ebp+122D387Dh], ebx 0x0000001c popad 0x0000001d mov ebx, dword ptr [ebp+122D2BC8h] 0x00000023 push dword ptr fs:[00000000h] 0x0000002a mov dword ptr [ebp+122D3BD1h], ebx 0x00000030 mov dword ptr fs:[00000000h], esp 0x00000037 push 00000000h 0x00000039 push eax 0x0000003a call 00007FBFB1286EB8h 0x0000003f pop eax 0x00000040 mov dword ptr [esp+04h], eax 0x00000044 add dword ptr [esp+04h], 0000001Dh 0x0000004c inc eax 0x0000004d push eax 0x0000004e ret 0x0000004f pop eax 0x00000050 ret 0x00000051 xor dword ptr [ebp+12460C22h], edx 0x00000057 mov eax, dword ptr [ebp+122D07B5h] 0x0000005d and edi, 02E0E2BDh 0x00000063 push FFFFFFFFh 0x00000065 push 00000000h 0x00000067 push edi 0x00000068 call 00007FBFB1286EB8h 0x0000006d pop edi 0x0000006e mov dword ptr [esp+04h], edi 0x00000072 add dword ptr [esp+04h], 0000001Ah 0x0000007a inc edi 0x0000007b push edi 0x0000007c ret 0x0000007d pop edi 0x0000007e ret 0x0000007f mov bx, 7112h 0x00000083 nop 0x00000084 push eax 0x00000085 push edx 0x00000086 jmp 00007FBFB1286EC0h 0x0000008b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B2FAE3 second address: B2FAE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B3748D second address: B37492 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B37623 second address: B3762A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B3762A second address: B37639 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBFB1286EB8h 0x00000008 push eax 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B377A4 second address: B377DA instructions: 0x00000000 rdtsc 0x00000002 jp 00007FBFB0CD3E2Ch 0x00000008 jc 00007FBFB0CD3E26h 0x0000000e jc 00007FBFB0CD3E28h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 jno 00007FBFB0CD3E2Ch 0x0000001e push eax 0x0000001f jmp 00007FBFB0CD3E2Dh 0x00000024 push eax 0x00000025 push edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B377DA second address: B377DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B37979 second address: B3797D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B3797D second address: B3798F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FBFB1286EB6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B3798F second address: B37999 instructions: 0x00000000 rdtsc 0x00000002 js 00007FBFB0CD3E26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B37999 second address: B3799F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B42E21 second address: B42E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B42E25 second address: B42E29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B42E29 second address: B42E35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FBFB0CD3E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B433C0 second address: B43413 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ecx 0x0000000c jmp 00007FBFB1286EBEh 0x00000011 pop ecx 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 jmp 00007FBFB1286EC4h 0x0000001b jmp 00007FBFB1286EC5h 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43413 second address: B4342C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jbe 00007FBFB0CD3E26h 0x00000009 jmp 00007FBFB0CD3E2Bh 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4342C second address: B43432 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43432 second address: B43436 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43C04 second address: B43C23 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FBFB1286EC7h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43C23 second address: B43C29 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43C29 second address: B43C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B43F13 second address: B43F1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4569E second address: B456A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B456A4 second address: B456A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B456A8 second address: B456AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B456AE second address: B456C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 jo 00007FBFB0CD3E52h 0x0000000d jp 00007FBFB0CD3E44h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1B969 second address: B1B96F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1B96F second address: B1B9BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D2C38h] 0x00000011 lea eax, dword ptr [ebp+12491680h] 0x00000017 mov ecx, 30EA0692h 0x0000001c push edi 0x0000001d jmp 00007FBFB0CD3E33h 0x00000022 pop edx 0x00000023 nop 0x00000024 jmp 00007FBFB0CD3E30h 0x00000029 push eax 0x0000002a push eax 0x0000002b push edx 0x0000002c js 00007FBFB0CD3E2Ch 0x00000032 push eax 0x00000033 push edx 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1B9BC second address: B1B9C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1B9C0 second address: B1B9CA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FBFB0CD3E26h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1BABB second address: B1BABF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C03C second address: B1C058 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jmp 00007FBFB0CD3E30h 0x00000010 pop ecx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C1EF second address: B1C1F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C1F5 second address: B1C1F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C1F9 second address: B1C209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edi 0x0000000e pop edi 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C209 second address: B1C210 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CB73 second address: B1CB83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop ecx 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push ebx 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CB83 second address: B1CBA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop ebx 0x00000006 mov eax, dword ptr [eax] 0x00000008 js 00007FBFB0CD3E30h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push edi 0x00000015 pushad 0x00000016 popad 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CC33 second address: B1CC3D instructions: 0x00000000 rdtsc 0x00000002 je 00007FBFB1286EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CC3D second address: B1CC9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push eax 0x0000000c call 00007FBFB0CD3E28h 0x00000011 pop eax 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 add dword ptr [esp+04h], 00000014h 0x0000001e inc eax 0x0000001f push eax 0x00000020 ret 0x00000021 pop eax 0x00000022 ret 0x00000023 call 00007FBFB0CD3E2Bh 0x00000028 mov edi, ecx 0x0000002a pop edx 0x0000002b lea eax, dword ptr [ebp+124916C4h] 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007FBFB0CD3E28h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000017h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b cmc 0x0000004c nop 0x0000004d push eax 0x0000004e push edx 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CC9C second address: B1CCA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1CCA2 second address: B1CCA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48BCC second address: B48BD4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48BD4 second address: B48BEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007FBFB0CD3E26h 0x00000010 jns 00007FBFB0CD3E26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48BEA second address: B48BEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48BEE second address: B48BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48EB2 second address: B48EB6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B48EB6 second address: B48ED3 instructions: 0x00000000 rdtsc 0x00000002 je 00007FBFB0CD3E26h 0x00000008 jl 00007FBFB0CD3E26h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBFB0CD3E2Bh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4903A second address: B49040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B49040 second address: B49045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B49314 second address: B49318 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B49318 second address: B49326 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBFB0CD3E26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B49326 second address: B4932A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4932A second address: B49333 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4949E second address: B494B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jl 00007FBFB1286EB6h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jne 00007FBFB1286ED0h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B494B6 second address: B494BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B494BC second address: B494C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EA24 second address: B4EA28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EFB7 second address: B4EFBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EFBB second address: B4EFC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EFC8 second address: B4EFEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FBFB1286EC8h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EFEA second address: B4EFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4EFF0 second address: B4EFF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4F70A second address: B4F710 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B4E59D second address: B4E5BD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop esi 0x00000006 js 00007FBFB1286EBAh 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 jns 00007FBFB1286EB6h 0x0000001b pop ebx 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f pop edi 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5BAC5 second address: B5BACB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5BACB second address: B5BAE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FBFB1286EC5h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5BAE9 second address: B5BAEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5BAEF second address: B5BB10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push edi 0x00000009 pushad 0x0000000a jmp 00007FBFB1286EC1h 0x0000000f push esi 0x00000010 pop esi 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5A91E second address: B5A939 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007FBFB0CD3E31h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5A939 second address: B5A93D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5A93D second address: B5A943 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5AFDD second address: B5AFE7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FBFB1286EB6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5AFE7 second address: B5AFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B5B2B0 second address: B5B2B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B653E0 second address: B653F4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FBFB0CD3E26h 0x0000000e jp 00007FBFB0CD3E26h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B653F4 second address: B653FA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6489A second address: B648B1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E31h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B648B1 second address: B648BB instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FBFB1286EBCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B649F3 second address: B649FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B649FB second address: B649FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B64CA6 second address: B64CBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 ja 00007FBFB0CD3E26h 0x0000000c jnl 00007FBFB0CD3E26h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push ebx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B64F67 second address: B64F6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B64F6B second address: B64F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B64F71 second address: B64FB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007FBFB1286EC2h 0x0000000c pop ebx 0x0000000d pushad 0x0000000e jl 00007FBFB1286EBEh 0x00000014 jc 00007FBFB1286EB6h 0x0000001a push ecx 0x0000001b pop ecx 0x0000001c jmp 00007FBFB1286EC5h 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B64FB1 second address: B64FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B680E0 second address: B680E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B680E4 second address: B680E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B680E8 second address: B680FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB1286EBFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B680FD second address: B68102 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B68102 second address: B68114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBFB1286EB6h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B68114 second address: B6811A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6780E second address: B67812 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6799C second address: B679AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FBFB0CD3E26h 0x0000000a jns 00007FBFB0CD3E26h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6CA82 second address: B6CA96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jng 00007FBFB1286EBAh 0x0000000b popad 0x0000000c push edx 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6CBFE second address: B6CC0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FBFB0CD3E26h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6CC0B second address: B6CC2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB1286EC3h 0x00000009 popad 0x0000000a jnp 00007FBFB1286EBEh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6CEDE second address: B6CF29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E37h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c push ebx 0x0000000d jmp 00007FBFB0CD3E36h 0x00000012 jmp 00007FBFB0CD3E35h 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6CF29 second address: B6CF34 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007FBFB1286EB6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C5B2 second address: B1C619 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d mov edi, eax 0x0000000f mov ebx, dword ptr [ebp+124916BFh] 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007FBFB0CD3E28h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 00000016h 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f mov edx, 2C68DE2Bh 0x00000034 add eax, ebx 0x00000036 call 00007FBFB0CD3E37h 0x0000003b movsx edi, bx 0x0000003e pop ecx 0x0000003f nop 0x00000040 push eax 0x00000041 push edx 0x00000042 push edi 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C619 second address: B1C61E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C61E second address: B1C628 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FBFB0CD3E2Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B1C628 second address: B1C647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBFB1286EC6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6DDEC second address: B6DDF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B6DDF2 second address: B6DDF8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B72F53 second address: B72F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jo 00007FBFB0CD3E26h 0x0000000c jmp 00007FBFB0CD3E39h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B72F7D second address: B72F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B730CC second address: B730D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B730D2 second address: B730D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B730D6 second address: B730FC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Eh 0x00000007 jl 00007FBFB0CD3E26h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jc 00007FBFB0CD3E2Eh 0x00000015 pushad 0x00000016 popad 0x00000017 jp 00007FBFB0CD3E26h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B730FC second address: B73114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7324A second address: B73268 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jnp 00007FBFB0CD3E26h 0x00000013 jng 00007FBFB0CD3E26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B73268 second address: B7326E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7326E second address: B73278 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBFB0CD3E32h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B73278 second address: B7327E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7327E second address: B732B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FBFB0CD3E32h 0x0000000a jnc 00007FBFB0CD3E26h 0x00000010 jnp 00007FBFB0CD3E26h 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 jmp 00007FBFB0CD3E38h 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B732B3 second address: B732B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B73E1F second address: B73E25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74707 second address: B74713 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FBFB1286EB6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74713 second address: B74717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74A2D second address: B74A31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74A31 second address: B74A37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74A37 second address: B74A3C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74A3C second address: B74A4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop ebx 0x00000007 jnp 00007FBFB0CD3E2Eh 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B74CE3 second address: B74CE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7CF7D second address: B7CF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D0C2 second address: B7D0D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB1286EBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D0D2 second address: B7D0DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D0DA second address: B7D0F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC4h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D0F4 second address: B7D0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D0F8 second address: B7D11E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FBFB1286EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jp 00007FBFB1286ED2h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBFB1286EC2h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D3ED second address: B7D3F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D6C1 second address: B7D6CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FBFB1286EB6h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D821 second address: B7D839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D839 second address: B7D84B instructions: 0x00000000 rdtsc 0x00000002 jne 00007FBFB1286EB6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jnc 00007FBFB1286EB6h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B7D9BA second address: B7D9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B86937 second address: B8693D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B853B9 second address: B853BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B85642 second address: B85646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B85646 second address: B85650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B85650 second address: B85654 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B857F6 second address: B857FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B857FC second address: B85800 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B84933 second address: B84947 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E2Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B84947 second address: B84950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B88DA2 second address: B88DB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FBFB0CD3E2Dh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B88DB8 second address: B88DBE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ACF2E4 second address: ACF331 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jmp 00007FBFB0CD3E33h 0x0000000a jo 00007FBFB0CD3E26h 0x00000010 jp 00007FBFB0CD3E26h 0x00000016 popad 0x00000017 push eax 0x00000018 jc 00007FBFB0CD3E26h 0x0000001e pop eax 0x0000001f pop edx 0x00000020 pop eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 jne 00007FBFB0CD3E26h 0x0000002a push eax 0x0000002b pop eax 0x0000002c pushad 0x0000002d popad 0x0000002e popad 0x0000002f push eax 0x00000030 push edx 0x00000031 jmp 00007FBFB0CD3E2Ch 0x00000036 pushad 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ACF331 second address: ACF339 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9FA41 second address: B9FA45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9FA45 second address: B9FA67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FBFB1286EC4h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9FA67 second address: B9FA7D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jnl 00007FBFB0CD3E32h 0x0000000e jnc 00007FBFB0CD3E26h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9FA7D second address: B9FACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FBFB1286EC9h 0x0000000a jmp 00007FBFB1286EC5h 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBFB1286EC9h 0x00000016 push eax 0x00000017 pop eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9F4F6 second address: B9F4FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9F4FA second address: B9F500 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: B9F500 second address: B9F51F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FBFB0CD3E39h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ACA1DD second address: ACA20B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007FBFB1286EC3h 0x0000000d jng 00007FBFB1286EB6h 0x00000013 popad 0x00000014 je 00007FBFB1286EB8h 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ACA20B second address: ACA223 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: ACA223 second address: ACA227 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB3B2A second address: BB3B43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FBFB0CD3E35h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB3B43 second address: BB3B4B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB7D7B second address: BB7D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB7D7F second address: BB7D8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB7D8D second address: BB7D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB7D91 second address: BB7D95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB8097 second address: BB809B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB809B second address: BB80B7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FBFB1286EC2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB80B7 second address: BB80BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BB80BB second address: BB80E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007FBFB1286EB6h 0x0000000e jmp 00007FBFB1286EC8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BBC611 second address: BBC62A instructions: 0x00000000 rdtsc 0x00000002 jng 00007FBFB0CD3E2Eh 0x00000008 pushad 0x00000009 jo 00007FBFB0CD3E26h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BCB329 second address: BCB338 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007FBFB1286EB6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BD6805 second address: BD6809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BD6809 second address: BD680D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BD680D second address: BD681F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jbe 00007FBFB0CD3E2Eh 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BE28CB second address: BE28FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBFB1286EC1h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BE28FA second address: BE2927 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E33h 0x00000009 jmp 00007FBFB0CD3E36h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: BE2927 second address: BE292B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C08E9D second address: C08EA3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C09101 second address: C09114 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EBFh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C09114 second address: C09118 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C0929A second address: C0929F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C09A62 second address: C09AA6 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jl 00007FBFB0CD3E26h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007FBFB0CD3E36h 0x00000011 popad 0x00000012 pushad 0x00000013 jg 00007FBFB0CD3E3Ch 0x00000019 jmp 00007FBFB0CD3E36h 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C09AA6 second address: C09AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C09AAC second address: C09AB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C0F2C8 second address: C0F2DF instructions: 0x00000000 rdtsc 0x00000002 jc 00007FBFB1286EBCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edi 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C0F8DA second address: C0F8E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C10CE7 second address: C10CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FBFB1286EB6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: C10CF1 second address: C10CF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F0723 second address: 52F0760 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB1286EC7h 0x00000009 and eax, 2224C43Eh 0x0000000f jmp 00007FBFB1286EC9h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F0760 second address: 52F0773 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b mov di, cx 0x0000000e mov ax, C19Bh 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F0773 second address: 52F0783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F0783 second address: 52F07A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FBFB0CD3E30h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F07A9 second address: 52F07B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52F07B8 second address: 52F07E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, B86Ah 0x00000007 mov bx, F136h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 jmp 00007FBFB0CD3E2Dh 0x00000015 pop ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007FBFB0CD3E2Dh 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0CA8 second address: 52B0CB7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0CB7 second address: 52B0CBD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0CBD second address: 52B0D02 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007FBFB1286EC6h 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FBFB1286EC7h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0D02 second address: 52B0D08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0D08 second address: 52B0D0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0D0C second address: 52B0D24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov esi, 16DC2C1Fh 0x00000013 mov ax, 6B3Bh 0x00000017 popad 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0D24 second address: 52B0D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0D2A second address: 52B0D4C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+0Ch] 0x0000000b jmp 00007FBFB0CD3E2Fh 0x00000010 push dword ptr [ebp+08h] 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 mov ebx, eax 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52B0DBA second address: 52B0DC9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330442 second address: 5330446 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330446 second address: 533044C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 533044C second address: 533049D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 pushfd 0x00000011 jmp 00007FBFB0CD3E39h 0x00000016 add cx, 78C6h 0x0000001b jmp 00007FBFB0CD3E31h 0x00000020 popfd 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 533049D second address: 53304C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBFB1286EBCh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53304C1 second address: 53304D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E2Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53304D3 second address: 5330503 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FBFB1286EC6h 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pop edx 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300B69 second address: 5300B8C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movzx esi, di 0x00000006 mov ax, bx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c xchg eax, ebp 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBFB0CD3E34h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300B8C second address: 5300B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5350012 second address: 535004B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007FBFB0CD3E31h 0x0000000b and eax, 6A2D2856h 0x00000011 jmp 00007FBFB0CD3E31h 0x00000016 popfd 0x00000017 popad 0x00000018 mov dword ptr [esp], ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 535004B second address: 5350051 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5350051 second address: 535008C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBFB0CD3E30h 0x00000008 pop ecx 0x00000009 mov ebx, 68E3CC66h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov ebp, esp 0x00000013 jmp 00007FBFB0CD3E2Dh 0x00000018 pop ebp 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FBFB0CD3E2Dh 0x00000020 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 535008C second address: 5350092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330C6B second address: 5330C95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBFB0CD3E2Eh 0x0000000a jmp 00007FBFB0CD3E35h 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330C95 second address: 5330CA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EBCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330CA5 second address: 5330CD4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007FBFB0CD3E36h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330CD4 second address: 5330CD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330CD8 second address: 5330CDE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330CDE second address: 5330D41 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBFB1286EC5h 0x00000008 pop eax 0x00000009 pushfd 0x0000000a jmp 00007FBFB1286EC1h 0x0000000f xor esi, 0AB4A886h 0x00000015 jmp 00007FBFB1286EC1h 0x0000001a popfd 0x0000001b popad 0x0000001c pop edx 0x0000001d pop eax 0x0000001e xchg eax, ebp 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBFB1286EC8h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330D41 second address: 5330D47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52C0315 second address: 52C032D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330AA5 second address: 5330B2C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBFB0CD3E2Ch 0x00000012 and esi, 3CF04D28h 0x00000018 jmp 00007FBFB0CD3E2Bh 0x0000001d popfd 0x0000001e mov si, 821Fh 0x00000022 popad 0x00000023 mov eax, dword ptr [ebp+08h] 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007FBFB0CD3E30h 0x0000002d adc ch, FFFFFF88h 0x00000030 jmp 00007FBFB0CD3E2Bh 0x00000035 popfd 0x00000036 call 00007FBFB0CD3E38h 0x0000003b pushad 0x0000003c popad 0x0000003d pop ecx 0x0000003e popad 0x0000003f and dword ptr [eax], 00000000h 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FBFB0CD3E2Ah 0x00000049 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330B2C second address: 5330B56 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 and dword ptr [eax+04h], 00000000h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FBFB1286EC5h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330B56 second address: 5330B76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a pushad 0x0000000b mov ecx, 16FBEC43h 0x00000010 push eax 0x00000011 push edx 0x00000012 mov edx, ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330DBD second address: 5330DCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov edi, ecx 0x00000007 popad 0x00000008 push eax 0x00000009 pushad 0x0000000a mov al, dh 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330DCC second address: 5330E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 xchg eax, ebp 0x00000007 pushad 0x00000008 jmp 00007FBFB0CD3E32h 0x0000000d pushfd 0x0000000e jmp 00007FBFB0CD3E32h 0x00000013 sbb ch, 00000008h 0x00000016 jmp 00007FBFB0CD3E2Bh 0x0000001b popfd 0x0000001c popad 0x0000001d mov ebp, esp 0x0000001f jmp 00007FBFB0CD3E36h 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FBFB0CD3E37h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330E3B second address: 5330E41 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340AE2 second address: 5340B31 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b pushad 0x0000000c mov al, 93h 0x0000000e mov ecx, edi 0x00000010 popad 0x00000011 je 00007FC0228B6C85h 0x00000017 jmp 00007FBFB0CD3E2Bh 0x0000001c mov ecx, eax 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FBFB0CD3E35h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340B31 second address: 5340BB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007FBFB1286EC3h 0x0000000c xor eax, 36E1CB9Eh 0x00000012 jmp 00007FBFB1286EC9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xor eax, dword ptr [ebp+08h] 0x0000001e pushad 0x0000001f call 00007FBFB1286EBDh 0x00000024 movzx esi, di 0x00000027 pop ebx 0x00000028 movzx esi, dx 0x0000002b popad 0x0000002c and ecx, 1Fh 0x0000002f jmp 00007FBFB1286EC5h 0x00000034 ror eax, cl 0x00000036 jmp 00007FBFB1286EBEh 0x0000003b leave 0x0000003c push eax 0x0000003d push edx 0x0000003e pushad 0x0000003f mov ecx, edx 0x00000041 movsx edx, si 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53400F8 second address: 5340179 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 22D4h 0x00000007 mov esi, ebx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c and dword ptr [eax], 00000000h 0x0000000f pushad 0x00000010 push ebx 0x00000011 pushfd 0x00000012 jmp 00007FBFB0CD3E30h 0x00000017 or si, 1E88h 0x0000001c jmp 00007FBFB0CD3E2Bh 0x00000021 popfd 0x00000022 pop eax 0x00000023 pushfd 0x00000024 jmp 00007FBFB0CD3E39h 0x00000029 and ah, FFFFFFA6h 0x0000002c jmp 00007FBFB0CD3E31h 0x00000031 popfd 0x00000032 popad 0x00000033 pop ebp 0x00000034 push eax 0x00000035 push edx 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007FBFB0CD3E38h 0x0000003d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340179 second address: 534017F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534017F second address: 5340185 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340185 second address: 5340189 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300018 second address: 530001E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530001E second address: 5300022 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300022 second address: 5300026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300026 second address: 5300045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBFB1286EC2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300045 second address: 530004A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530004A second address: 5300096 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007FBFB1286EC7h 0x0000000a xor ecx, 50F91C0Eh 0x00000010 jmp 00007FBFB1286EC9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov ebp, esp 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e mov bx, B96Eh 0x00000022 movsx edi, si 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300096 second address: 530009C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530009C second address: 53000A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53000A0 second address: 53000D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b jmp 00007FBFB0CD3E2Fh 0x00000010 xchg eax, ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ebx 0x00000015 pop eax 0x00000016 jmp 00007FBFB0CD3E37h 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53000D8 second address: 5300113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007FBFB1286EBFh 0x00000008 pop eax 0x00000009 jmp 00007FBFB1286EC9h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 mov edi, 329360F2h 0x00000018 pushad 0x00000019 push ebx 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300113 second address: 5300128 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 xchg eax, ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBFB0CD3E2Ch 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300128 second address: 5300146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bh, D8h 0x00000005 mov ch, D9h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBFB1286EC1h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530024A second address: 5300297 instructions: 0x00000000 rdtsc 0x00000002 mov dx, 1238h 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a pushad 0x0000000b movsx ebx, ax 0x0000000e popad 0x0000000f xchg eax, edi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FBFB0CD3E37h 0x00000019 and cx, 04AEh 0x0000001e jmp 00007FBFB0CD3E39h 0x00000023 popfd 0x00000024 mov ebx, esi 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300297 second address: 530032A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 06A9720Eh 0x00000008 movsx edi, ax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e test esi, esi 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007FBFB1286EBCh 0x00000017 jmp 00007FBFB1286EC5h 0x0000001c popfd 0x0000001d mov ecx, 796DE807h 0x00000022 popad 0x00000023 je 00007FC022EA51FAh 0x00000029 jmp 00007FBFB1286EBAh 0x0000002e cmp dword ptr [esi+08h], DDEEDDEEh 0x00000035 jmp 00007FBFB1286EC0h 0x0000003a je 00007FC022EA51E9h 0x00000040 jmp 00007FBFB1286EC0h 0x00000045 mov edx, dword ptr [esi+44h] 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007FBFB1286EC7h 0x0000004f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530032A second address: 530037A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007FBFB0CD3E2Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or edx, dword ptr [ebp+0Ch] 0x00000011 pushad 0x00000012 mov dh, ah 0x00000014 pushfd 0x00000015 jmp 00007FBFB0CD3E31h 0x0000001a xor cx, 4916h 0x0000001f jmp 00007FBFB0CD3E31h 0x00000024 popfd 0x00000025 popad 0x00000026 test edx, 61000000h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 push eax 0x00000031 push edx 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530037A second address: 530037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 530037E second address: 5300382 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300382 second address: 5300388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5300388 second address: 53003D1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E32h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC0228F2110h 0x0000000f jmp 00007FBFB0CD3E30h 0x00000014 test byte ptr [esi+48h], 00000001h 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBFB0CD3E37h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 531004C second address: 53100B9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c jmp 00007FBFB1286EBEh 0x00000011 mov ebp, esp 0x00000013 jmp 00007FBFB1286EC0h 0x00000018 and esp, FFFFFFF8h 0x0000001b jmp 00007FBFB1286EC0h 0x00000020 xchg eax, ebx 0x00000021 push eax 0x00000022 push edx 0x00000023 jmp 00007FBFB1286EC7h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53100B9 second address: 53100D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53100D1 second address: 53100F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FBFB1286EBCh 0x0000000f mov edx, ecx 0x00000011 popad 0x00000012 xchg eax, ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53100F1 second address: 53100F7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53100F7 second address: 531012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 962Dh 0x00000007 jmp 00007FBFB1286EBAh 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f xchg eax, esi 0x00000010 jmp 00007FBFB1286EC0h 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBFB1286EBDh 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 531012E second address: 5310143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310143 second address: 5310193 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a pushad 0x0000000b pushfd 0x0000000c jmp 00007FBFB1286EBCh 0x00000011 sub cx, C6B8h 0x00000016 jmp 00007FBFB1286EBBh 0x0000001b popfd 0x0000001c mov si, BEEFh 0x00000020 popad 0x00000021 mov esi, dword ptr [ebp+08h] 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FBFB1286EC1h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310193 second address: 53101EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, dx 0x00000006 mov cx, dx 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov ebx, 00000000h 0x00000011 jmp 00007FBFB0CD3E32h 0x00000016 test esi, esi 0x00000018 pushad 0x00000019 pushfd 0x0000001a jmp 00007FBFB0CD3E2Eh 0x0000001f and ecx, 23E222A8h 0x00000025 jmp 00007FBFB0CD3E2Bh 0x0000002a popfd 0x0000002b movzx esi, bx 0x0000002e popad 0x0000002f je 00007FC0228D9FD6h 0x00000035 push eax 0x00000036 push edx 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a popad 0x0000003b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53101EA second address: 5310206 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310206 second address: 5310266 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 cmp dword ptr [esi+08h], DDEEDDEEh 0x00000010 jmp 00007FBFB0CD3E36h 0x00000015 mov ecx, esi 0x00000017 pushad 0x00000018 pushfd 0x00000019 jmp 00007FBFB0CD3E2Eh 0x0000001e sbb ax, 09C8h 0x00000023 jmp 00007FBFB0CD3E2Bh 0x00000028 popfd 0x00000029 mov ch, E3h 0x0000002b popad 0x0000002c je 00007FC0228D9F71h 0x00000032 pushad 0x00000033 mov cx, dx 0x00000036 push eax 0x00000037 push edx 0x00000038 push edx 0x00000039 pop ecx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310266 second address: 531028C instructions: 0x00000000 rdtsc 0x00000002 mov si, bx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 test byte ptr [76FA6968h], 00000002h 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FBFB1286EC3h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 531028C second address: 5310290 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310290 second address: 5310296 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310296 second address: 53102CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007FC0228D9F2Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FBFB0CD3E37h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53102CD second address: 53102D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53102D3 second address: 53102D7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53103E7 second address: 53103EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53103EB second address: 53103F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310466 second address: 5310483 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBFB1286EC4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310483 second address: 53104D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d call 00007FBFB0CD3E2Bh 0x00000012 pop eax 0x00000013 pushfd 0x00000014 jmp 00007FBFB0CD3E39h 0x00000019 xor ecx, 65EBD636h 0x0000001f jmp 00007FBFB0CD3E31h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53104D5 second address: 5310521 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 pushfd 0x00000006 jmp 00007FBFB1286EC3h 0x0000000b add si, 136Eh 0x00000010 jmp 00007FBFB1286EC9h 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 mov esp, ebp 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007FBFB1286EBDh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 536182A second address: 536188B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FBFB0CD3E37h 0x00000008 call 00007FBFB0CD3E38h 0x0000000d pop eax 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 jmp 00007FBFB0CD3E30h 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FBFB0CD3E37h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 536188B second address: 53618E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c jmp 00007FBFB1286EBCh 0x00000011 pushfd 0x00000012 jmp 00007FBFB1286EC2h 0x00000017 or ecx, 19F4B028h 0x0000001d jmp 00007FBFB1286EBBh 0x00000022 popfd 0x00000023 popad 0x00000024 push 0000007Fh 0x00000026 push eax 0x00000027 push edx 0x00000028 push eax 0x00000029 push edx 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53618E5 second address: 53618E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53618E9 second address: 53618ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53618ED second address: 53618F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53618F3 second address: 5361910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC9h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5361910 second address: 536192F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push 00000001h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 536192F second address: 5361933 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5361933 second address: 5361937 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5361937 second address: 536193D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 536193D second address: 5361943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 533078A second address: 53307C9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FBFB1286EBEh 0x0000000f push eax 0x00000010 jmp 00007FBFB1286EBBh 0x00000015 xchg eax, ebp 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53307C9 second address: 53307CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53307CD second address: 53307E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53307E8 second address: 5330812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov eax, edi 0x00000005 call 00007FBFB0CD3E2Bh 0x0000000a pop ecx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FBFB0CD3E32h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330812 second address: 5330824 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EBEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5330824 second address: 533084D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBFB0CD3E35h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310605 second address: 531060B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 531060B second address: 5310629 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310629 second address: 531062F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 531062F second address: 5310635 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5310635 second address: 5310639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370D23 second address: 5370D6F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB0CD3E31h 0x00000009 and cx, 16E6h 0x0000000e jmp 00007FBFB0CD3E31h 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push esp 0x00000018 pushad 0x00000019 mov eax, 5C89C00Fh 0x0000001e mov di, ax 0x00000021 popad 0x00000022 mov dword ptr [esp], ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FBFB0CD3E2Dh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340502 second address: 5340506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340506 second address: 5340516 instructions: 0x00000000 rdtsc 0x00000002 mov dx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 sub esp, 44h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340516 second address: 5340521 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 mov bx, si 0x0000000b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340521 second address: 5340562 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBFB0CD3E2Eh 0x00000008 adc cl, FFFFFFD8h 0x0000000b jmp 00007FBFB0CD3E2Bh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 xchg eax, ebx 0x00000015 pushad 0x00000016 push ecx 0x00000017 pushad 0x00000018 popad 0x00000019 pop ebx 0x0000001a jmp 00007FBFB0CD3E2Eh 0x0000001f popad 0x00000020 push eax 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 movzx ecx, bx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340562 second address: 5340567 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340567 second address: 53405C7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, ecx 0x00000005 push eax 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a xchg eax, ebx 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007FBFB0CD3E36h 0x00000012 adc esi, 4559B5C8h 0x00000018 jmp 00007FBFB0CD3E2Bh 0x0000001d popfd 0x0000001e push eax 0x0000001f push edx 0x00000020 pushfd 0x00000021 jmp 00007FBFB0CD3E36h 0x00000026 or ecx, 1A83B828h 0x0000002c jmp 00007FBFB0CD3E2Bh 0x00000031 popfd 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53405C7 second address: 5340675 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, esi 0x0000000b jmp 00007FBFB1286EC0h 0x00000010 push eax 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007FBFB1286EC1h 0x00000018 xor ax, B1A6h 0x0000001d jmp 00007FBFB1286EC1h 0x00000022 popfd 0x00000023 pushfd 0x00000024 jmp 00007FBFB1286EC0h 0x00000029 or esi, 1D05DF48h 0x0000002f jmp 00007FBFB1286EBBh 0x00000034 popfd 0x00000035 popad 0x00000036 xchg eax, esi 0x00000037 jmp 00007FBFB1286EC6h 0x0000003c xchg eax, edi 0x0000003d jmp 00007FBFB1286EC0h 0x00000042 push eax 0x00000043 pushad 0x00000044 mov eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 movsx edx, cx 0x0000004b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340675 second address: 534069A instructions: 0x00000000 rdtsc 0x00000002 mov bx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, edi 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FBFB0CD3E38h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534069A second address: 534069E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534069E second address: 53406A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53406A4 second address: 534071B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushfd 0x00000006 jmp 00007FBFB1286EBAh 0x0000000b add esi, 1B680998h 0x00000011 jmp 00007FBFB1286EBBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov edi, dword ptr [ebp+08h] 0x0000001d jmp 00007FBFB1286EC6h 0x00000022 mov dword ptr [esp+24h], 00000000h 0x0000002a jmp 00007FBFB1286EC0h 0x0000002f lock bts dword ptr [edi], 00000000h 0x00000034 jmp 00007FBFB1286EC0h 0x00000039 jc 00007FC022E08BDAh 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534071B second address: 5340721 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340721 second address: 5340756 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB1286EC2h 0x00000009 xor eax, 7C2E98B8h 0x0000000f jmp 00007FBFB1286EBBh 0x00000014 popfd 0x00000015 mov dx, si 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340756 second address: 534076D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534076D second address: 5340773 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340773 second address: 5340788 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBFB0CD3E2Ah 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534019C second address: 53401A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53401A0 second address: 53401A4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53401A4 second address: 53401AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53401AA second address: 53401B0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53401B0 second address: 53401B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53401B4 second address: 534022F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007FBFB0CD3E2Eh 0x0000000e push eax 0x0000000f pushad 0x00000010 mov al, bl 0x00000012 pushad 0x00000013 pushfd 0x00000014 jmp 00007FBFB0CD3E38h 0x00000019 xor esi, 3916EA68h 0x0000001f jmp 00007FBFB0CD3E2Bh 0x00000024 popfd 0x00000025 jmp 00007FBFB0CD3E38h 0x0000002a popad 0x0000002b popad 0x0000002c xchg eax, ebp 0x0000002d push eax 0x0000002e push edx 0x0000002f jmp 00007FBFB0CD3E37h 0x00000034 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534022F second address: 534024F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov al, bl 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a pushad 0x0000000b call 00007FBFB1286EC3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534024F second address: 534026E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007FBFB0CD3E2Fh 0x0000000a popad 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop eax 0x00000011 movsx edi, si 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534026E second address: 5340286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340286 second address: 53402DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBFB0CD3E2Fh 0x00000013 or eax, 576D23DEh 0x00000019 jmp 00007FBFB0CD3E39h 0x0000001e popfd 0x0000001f push esi 0x00000020 mov bx, BFF2h 0x00000024 pop edx 0x00000025 popad 0x00000026 xchg eax, ebx 0x00000027 push eax 0x00000028 push edx 0x00000029 pushad 0x0000002a mov edi, 6A29E216h 0x0000002f mov bl, 09h 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53402DC second address: 5340301 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, 50772AFAh 0x00000008 call 00007FBFB1286EBBh 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push ebp 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FBFB1286EBBh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340301 second address: 5340330 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBFB0CD3E2Dh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340330 second address: 5340379 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov esi, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d mov eax, 783DB1D3h 0x00000012 mov eax, 42A7982Fh 0x00000017 popad 0x00000018 sub ecx, ecx 0x0000001a pushad 0x0000001b movsx ebx, ax 0x0000001e mov ch, F1h 0x00000020 popad 0x00000021 push esp 0x00000022 jmp 00007FBFB1286EC2h 0x00000027 mov dword ptr [esp], edi 0x0000002a push eax 0x0000002b push edx 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340379 second address: 534037D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534037D second address: 5340381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340381 second address: 5340387 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340387 second address: 53403BE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, 00000001h 0x0000000e jmp 00007FBFB1286EC0h 0x00000013 lock cmpxchg dword ptr [esi], ecx 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403BE second address: 53403C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403C2 second address: 53403C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403C6 second address: 53403CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403CC second address: 53403D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403D2 second address: 53403D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403D6 second address: 53403E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d push edi 0x0000000e pop eax 0x0000000f movsx edx, ax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53403E9 second address: 5340405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E38h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340405 second address: 5340420 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp ecx, 01h 0x0000000e pushad 0x0000000f mov di, ax 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340420 second address: 5340437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 popad 0x00000006 jne 00007FC022855FCEh 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 mov edi, 590CEE76h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340437 second address: 534043D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 534043D second address: 5340441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340441 second address: 5340461 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 jmp 00007FBFB1286EC2h 0x0000000e pop esi 0x0000000f pushad 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5340461 second address: 5340470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a mov al, 28h 0x0000000c mov al, dh 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0636 second address: 52A063B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A063B second address: 52A066E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E37h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FBFB0CD3E35h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A066E second address: 52A06A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007FBFB1286EBAh 0x00000013 add ecx, 10F058D8h 0x00000019 jmp 00007FBFB1286EBBh 0x0000001e popfd 0x0000001f pushad 0x00000020 popad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A06A7 second address: 52A06C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 mov bh, 3Ch 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FBFB0CD3E2Fh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A06C4 second address: 52A06DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB1286EC4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A06DC second address: 52A0703 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007FBFB0CD3E2Bh 0x00000015 mov esi, 0837B23Fh 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0703 second address: 52A0748 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 sub esp, 10h 0x0000000c pushad 0x0000000d mov bh, al 0x0000000f push eax 0x00000010 push edx 0x00000011 pushfd 0x00000012 jmp 00007FBFB1286EBFh 0x00000017 jmp 00007FBFB1286EC3h 0x0000001c popfd 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0748 second address: 52A075C instructions: 0x00000000 rdtsc 0x00000002 mov bx, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 lea eax, dword ptr [ebp-10h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e movsx edx, si 0x00000011 push eax 0x00000012 pop edx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A075C second address: 52A0762 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0762 second address: 52A0766 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0766 second address: 52A07A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push dword ptr [ebp+08h] 0x0000000b jmp 00007FBFB1286EC3h 0x00000010 nop 0x00000011 jmp 00007FBFB1286EC6h 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A07A2 second address: 52A07A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0834 second address: 52A08F5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a jmp 00007FBFB1286EC6h 0x0000000f push dword ptr [ebp+0Ch] 0x00000012 pushad 0x00000013 call 00007FBFB1286EBEh 0x00000018 mov edx, eax 0x0000001a pop esi 0x0000001b mov edi, 3A349E82h 0x00000020 popad 0x00000021 lea eax, dword ptr [ebp-08h] 0x00000024 pushad 0x00000025 pushfd 0x00000026 jmp 00007FBFB1286EBFh 0x0000002b adc ecx, 2F2E597Eh 0x00000031 jmp 00007FBFB1286EC9h 0x00000036 popfd 0x00000037 pushfd 0x00000038 jmp 00007FBFB1286EC0h 0x0000003d sbb esi, 6FE86478h 0x00000043 jmp 00007FBFB1286EBBh 0x00000048 popfd 0x00000049 popad 0x0000004a nop 0x0000004b jmp 00007FBFB1286EC6h 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007FBFB1286EBEh 0x00000058 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5361E6F second address: 5361E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5361E73 second address: 5361E79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370E9C second address: 5370ECB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB0CD3E31h 0x00000009 sub ecx, 18438356h 0x0000000f jmp 00007FBFB0CD3E31h 0x00000014 popfd 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370ECB second address: 5370EEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 pushad 0x00000009 mov ch, 7Bh 0x0000000b mov ebx, 47A5F3EAh 0x00000010 popad 0x00000011 mov ebp, esp 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FBFB1286EBCh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370EEC second address: 5370F03 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov bx, si 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 528014D second address: 5280189 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, di 0x00000006 pushfd 0x00000007 jmp 00007FBFB1286EBBh 0x0000000c sbb eax, 6EFB6C2Eh 0x00000012 jmp 00007FBFB1286EC9h 0x00000017 popfd 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ebp 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5280189 second address: 528018D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 528018D second address: 52801A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EBFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52801A0 second address: 52801B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FBFB0CD3E34h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52801B8 second address: 52801BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52801BC second address: 52801D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a mov ebx, ecx 0x0000000c mov ecx, 7328C27Fh 0x00000011 popad 0x00000012 xchg eax, ebp 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52801D5 second address: 52801DB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52801DB second address: 5280213 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E36h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b jmp 00007FBFB0CD3E30h 0x00000010 pop ebp 0x00000011 pushad 0x00000012 mov eax, 4998A69Dh 0x00000017 pushad 0x00000018 mov edi, eax 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0B89 second address: 52A0B8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0B8F second address: 52A0BE2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a jmp 00007FBFB0CD3E2Ah 0x0000000f pushfd 0x00000010 jmp 00007FBFB0CD3E32h 0x00000015 adc si, E8C8h 0x0000001a jmp 00007FBFB0CD3E2Bh 0x0000001f popfd 0x00000020 popad 0x00000021 mov dword ptr [esp], ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FBFB0CD3E35h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0BE2 second address: 52A0C3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB1286EC7h 0x00000009 and ax, 546Eh 0x0000000e jmp 00007FBFB1286EC9h 0x00000013 popfd 0x00000014 mov dx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a mov ebp, esp 0x0000001c push eax 0x0000001d push edx 0x0000001e jmp 00007FBFB1286EC9h 0x00000023 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0C3F second address: 52A0C45 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0C45 second address: 52A0C49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52A0C49 second address: 52A0C66 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FBFB0CD3E32h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52D0827 second address: 52D0850 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007FBFB1286EBEh 0x00000008 or si, 27F8h 0x0000000d jmp 00007FBFB1286EBBh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 mov bx, si 0x0000001a rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52D0850 second address: 52D0863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov ebp, esp 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FBFB0CD3E2Ah 0x0000000e rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52D0863 second address: 52D0869 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 52D0869 second address: 52D086D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370B25 second address: 5370B3A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370523 second address: 5370540 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB0CD3E39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370540 second address: 537058D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FBFB1286EC1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 4D6D850Bh 0x00000010 pushad 0x00000011 mov ecx, 59A4F243h 0x00000016 mov ax, 6F9Fh 0x0000001a popad 0x0000001b call 00007FBFB1286EB9h 0x00000020 jmp 00007FBFB1286EC2h 0x00000025 push eax 0x00000026 pushad 0x00000027 mov edi, 19257BB4h 0x0000002c push eax 0x0000002d push edx 0x0000002e push ebx 0x0000002f pop esi 0x00000030 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 537058D second address: 53705CA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c mov bx, cx 0x0000000f mov ebx, esi 0x00000011 popad 0x00000012 mov eax, dword ptr [eax] 0x00000014 jmp 00007FBFB0CD3E2Fh 0x00000019 mov dword ptr [esp+04h], eax 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FBFB0CD3E34h 0x00000024 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53705CA second address: 53705F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007FBFB1286EC1h 0x00000009 and si, 7236h 0x0000000e jmp 00007FBFB1286EC1h 0x00000013 popfd 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 53705F8 second address: 5370664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushfd 0x0000000a jmp 00007FBFB0CD3E2Ah 0x0000000f sub si, 3158h 0x00000014 jmp 00007FBFB0CD3E2Bh 0x00000019 popfd 0x0000001a pushfd 0x0000001b jmp 00007FBFB0CD3E38h 0x00000020 and ax, 3BB8h 0x00000025 jmp 00007FBFB0CD3E2Bh 0x0000002a popfd 0x0000002b popad 0x0000002c call 00007FC0209FA168h 0x00000031 push 75094FB0h 0x00000036 push dword ptr fs:[00000000h] 0x0000003d mov eax, dword ptr [esp+10h] 0x00000041 mov dword ptr [esp+10h], ebp 0x00000045 lea ebp, dword ptr [esp+10h] 0x00000049 sub esp, eax 0x0000004b push ebx 0x0000004c push esi 0x0000004d push edi 0x0000004e mov eax, dword ptr [750DA500h] 0x00000053 xor dword ptr [ebp-04h], eax 0x00000056 xor eax, ebp 0x00000058 mov dword ptr [ebp-1Ch], eax 0x0000005b push eax 0x0000005c mov dword ptr [ebp-18h], esp 0x0000005f push dword ptr [ebp-08h] 0x00000062 mov eax, dword ptr [ebp-04h] 0x00000065 mov dword ptr [ebp-04h], FFFFFFFEh 0x0000006c mov dword ptr [ebp-08h], eax 0x0000006f lea eax, dword ptr [ebp-10h] 0x00000072 mov dword ptr fs:[00000000h], eax 0x00000078 ret 0x00000079 push eax 0x0000007a push edx 0x0000007b jmp 00007FBFB0CD3E35h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 5370664 second address: 537066A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 537066A second address: 537066E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	RDTSC instruction interceptor: First address: 537066E second address: 5370693 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebx, dword ptr [ebp+08h] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007FBFB1286EC0h 0x00000013 pop eax 0x00000014 mov ebx, 143ED7B6h 0x00000019 popad 0x0000001a rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: 95DCB5 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: B0A71E instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: B0AB13 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: B0926F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: B1BB31 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Special instruction interceptor: First address: B94687 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 58DCB5 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 73A71E instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 73AB13 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 73926F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 74BB31 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 7C4687 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 57DCB5 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 72A71E instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 72AB13 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 72926F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 73BB31 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 7B4687 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Code function: 0_2_05370D15 rdtsc

0_2_05370D15

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window / User API: threadDelayed 1091	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Window / User API: threadDelayed 1165	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1199	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1076	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 759	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1223	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1102	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 770	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1573	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1902	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 622	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1219	Jump to behavior

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_6-23936
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_8-24135
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)	graph_0-23680

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 2212	Thread sleep time: -32016s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 4416	Thread sleep count: 1091 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 4416	Thread sleep time: -2183091s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 1708	Thread sleep count: 245 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 2788	Thread sleep count: 251 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 3380	Thread sleep count: 1165 > 30	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe TID: 3380	Thread sleep time: -2331165s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4952	Thread sleep count: 122 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4952	Thread sleep time: -244122s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2716	Thread sleep count: 112 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2716	Thread sleep time: -224112s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6256	Thread sleep time: -36000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3480	Thread sleep count: 124 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3480	Thread sleep time: -248124s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6544	Thread sleep count: 1199 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6544	Thread sleep time: -121099s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4424	Thread sleep count: 1076 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4424	Thread sleep count: 759 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4424	Thread sleep time: -75900s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780	Thread sleep count: 128 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780	Thread sleep time: -256128s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3608	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3608	Thread sleep time: -220110s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 572	Thread sleep count: 109 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 572	Thread sleep time: -218109s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5036	Thread sleep count: 89 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5036	Thread sleep time: -178089s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1964	Thread sleep count: 135 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1964	Thread sleep time: -270135s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5064	Thread sleep count: 127 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5064	Thread sleep time: -254127s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1868	Thread sleep count: 1223 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1868	Thread sleep time: -123523s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5692	Thread sleep count: 1102 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5692	Thread sleep count: 770 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5692	Thread sleep time: -77000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6200	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6200	Thread sleep time: -142071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6516	Thread sleep time: -46023s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 320	Thread sleep count: 1573 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 320	Thread sleep time: -3147573s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7032	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7032	Thread sleep count: 253 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4144	Thread sleep count: 256 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5260	Thread sleep count: 1902 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5260	Thread sleep time: -3805902s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6844	Thread sleep count: 622 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6844	Thread sleep time: -1244622s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2448	Thread sleep count: 36 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2448	Thread sleep time: -72036s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3808	Thread sleep count: 1219 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3808	Thread sleep time: -2439219s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4072	Thread sleep count: 33 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4072	Thread sleep count: 258 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1292	Thread sleep count: 241 > 30	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}H
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F"
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.000000000137E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: MPGPH131.exe, 00000007.00000003.2099031911.000000000138E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.00000000013BC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}=C:
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 3c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}w
Source: MPGPH131.exe, 00000007.00000002.4485715827.000000000135A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&#
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F?
Source: RageMP131.exe, 00000008.00000003.2207963452.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}r
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000FB5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F
Source: MPGPH131.exe, 00000006.00000002.4485725451.0000000000F00000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4485715827.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4485499780.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&T
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000F60000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}%
Source: RageMP131.exe, 00000008.00000002.4485499780.0000000000FA2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4485725451.0000000000F12000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F&
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000E8E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll4
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.0000000001370000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000Jk
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.00000000013C5000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_270C6B9F
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000A.00000003.2282768505.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
Source: RageMP131.exe, 0000000A.00000002.4485711166.0000000000EA0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}w
Source: MPGPH131.exe, 00000006.00000002.4485326045.0000000000B0D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}L
Source: Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.00000000013B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll\|\|

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Code function: 10_2_04FB0D96 Start: 04FB0DD0 End: 04FB0D65

10_2_04FB0D96

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Code function: 0_2_05370D15 rdtsc

0_2_05370D15

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Code function: 0_2_00824AB0 mov eax, dword ptr fs:[00000030h]	0_2_00824AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00454AB0 mov eax, dword ptr fs:[00000030h]	6_2_00454AB0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00454AB0 mov eax, dword ptr fs:[00000030h]	7_2_00454AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00444AB0 mov eax, dword ptr fs:[00000030h]	8_2_00444AB0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 10_2_00444AB0 mov eax, dword ptr fs:[00000030h]	10_2_00444AB0

Source: MPGPH131.exe, MPGPH131.exe, 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Code function: 0_2_008ECCDC GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_008ECCDC

Source: C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1B_108.exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6620, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Lisect_AVT_24003_G1B_108.exe PID: 1992, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 5012, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 6484, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 5080, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 6620, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	741 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	1 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	1 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
Lisect_AVT_24003_G1B_108.exe	63%	ReversingLabs	Win32.Trojan.Znyonm
Lisect_AVT_24003_G1B_108.exe	100%	Avira	TR/Zenpak.bowul
Lisect_AVT_24003_G1B_108.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	TR/Zenpak.bowul
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	TR/Zenpak.bowul
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	63%	ReversingLabs	Win32.Trojan.Znyonm
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	63%	ReversingLabs	Win32.Trojan.Znyonm

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://t.me/RiseProSUPPORTt	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT-h	0%	Avira URL Cloud	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
198.187.3.20.in-addr.arpa	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	Lisect_AVT_24003_G1B_108.exe, 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT-h	RageMP131.exe, 00000008.00000002.4485499780.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.000000000137E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.4485715827.000000000135A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.4485499780.0000000000F6E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.4485711166.0000000000E6B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTt	MPGPH131.exe, 00000006.00000002.4485725451.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT;	Lisect_AVT_24003_G1B_108.exe, 00000000.00000002.4485642418.000000000137E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.62	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	false

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481265
Start date and time:	2024-07-25 06:57:54 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 28s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Lisect_AVT_24003_G1B_108.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: Lisect_AVT_24003_G1B_108.exe

Simulations

Behavior and APIs

Time	Type	Description
00:59:13	API Interceptor	3375833x Sleep call for process: Lisect_AVT_24003_G1B_108.exe modified
00:59:19	API Interceptor	5507x Sleep call for process: MPGPH131.exe modified
00:59:28	API Interceptor	4696640x Sleep call for process: RageMP131.exe modified
06:58:47	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
06:58:47	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
06:58:49	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
06:58:58	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
193.233.132.62	SecuriteInfo.com.Win32.PWSX-gen.14899.4987.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.580.27252.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.15960.19323.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	9iz0QM9rMM.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	4fMLTRkOfB.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	q7a5JOlhLZ.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	7jv1U7CgKF.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	SecuriteInfo.com.Win32.PWSX-gen.10022.32492.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe
	file.exe	Get hash	malicious	Amadey, RisePro Stealer	Browse	193.233.132.62:57893/hera/amadka.exe

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	Lisect_AVT_24003_G1A_89.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	installer.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse	147.45.47.81
	92.249.48.47-skid.arm7-2024-07-20T09_04_19.elf	Get hash	malicious	Mirai, Moobot	Browse	147.45.93.156

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2401804
Entropy (8bit):	7.9335791162670946
Encrypted:	false
SSDEEP:	49152:hQuzfd1pUPALeftwHL1STPuAdwGFGB8QTsEVLYt:nbvq2ex9dwn1DL4
MD5:	0B4B3E5E4A2EE4BD9BA8D9950639F269
SHA1:	7A0FFCB4A3B75704478ED80C20D4DC830AB07EBF
SHA-256:	B240341D8ADFED0F14D665DCBAD14C542FA2E6F57A8C1904C0E5CCFB10270B17
SHA-512:	1DAFE222D8112CCAB45436256ADB9736F3E2A47A61CB393819D40D66EDFE54765EE878D6B49AF056169159A737E41450BF2E613E24CB93AF2A955C6B07119083
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....,.......0\...........@..........................`\.....c.%...@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............. ..............@... . ,.........."..............@...rhfejcgk.`....@..Z...$..............@...khoopwui..... \......~$.............@....taggant.0...0\.."....$.............@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2401804
Entropy (8bit):	7.9335791162670946
Encrypted:	false
SSDEEP:	49152:hQuzfd1pUPALeftwHL1STPuAdwGFGB8QTsEVLYt:nbvq2ex9dwn1DL4
MD5:	0B4B3E5E4A2EE4BD9BA8D9950639F269
SHA1:	7A0FFCB4A3B75704478ED80C20D4DC830AB07EBF
SHA-256:	B240341D8ADFED0F14D665DCBAD14C542FA2E6F57A8C1904C0E5CCFB10270B17
SHA-512:	1DAFE222D8112CCAB45436256ADB9736F3E2A47A61CB393819D40D66EDFE54765EE878D6B49AF056169159A737E41450BF2E613E24CB93AF2A955C6B07119083
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C.........L.....L.....L.....H.G...H.....H.....H...R.L.....L.....L...............E.....-........Rich..................PE..L....~.e...............".....,.......0\...........@..........................`\.....c.%...@.................................T...h....p.............................................................................................................. . .`..........................@....rsrc........p... ..................@....idata ............. ..............@... . ,.........."..............@...rhfejcgk.`....@..Z...$..............@...khoopwui..... \......~$.............@....taggant.0...0\.."....$.............@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.873140679513133
Encrypted:	false
SSDEEP:	3:LEerSQ:FN
MD5:	9CD5E558DD7049CE1EC209969A5F5665
SHA1:	1441F4CDDA24CE5B3D0113051ED2AAE3617E7AD4
SHA-256:	03E00898995433C4B4AE6B494AA01192160DB98A3A1952E1045A644D6FC3ECA3
SHA-512:	12A2BB046C9D148851026F43665A4378EA4B331E5459E9F74B78E039B028C1DF7399B0CB0441BB1095F7CBE95BFEBA6080A44AEB17E890832C546E1459EE2B29
Malicious:	false
Reputation:	low
Preview:	1721890105732

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9335791162670946
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Lisect_AVT_24003_G1B_108.exe
File size:	2'401'804 bytes
MD5:	0b4b3e5e4a2ee4bd9ba8d9950639f269
SHA1:	7a0ffcb4a3b75704478ed80c20d4dc830ab07ebf
SHA256:	b240341d8adfed0f14d665dcbad14c542fa2e6f57a8c1904c0e5ccfb10270b17
SHA512:	1dafe222d8112ccab45436256adb9736f3e2a47a61cb393819d40d66edfe54765ee878d6b49af056169159a737e41450bf2e613e24cb93af2a955c6b07119083
SSDEEP:	49152:hQuzfd1pUPALeftwHL1STPuAdwGFGB8QTsEVLYt:nbvq2ex9dwn1DL4
TLSH:	CAB533DEAD048197FB94363949C1EAFA111BED909975A0DC7CD8BF63B9B3D2A102340C
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$.......C...............L.......L.......L.......H.G.....H.......H.......H...R...L.......L.......L.........................E.......-....

File Icon


Icon Hash:	7192ecece8b2924d

Static PE Info

General

Entrypoint:	0x9c3000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65CC7EFE [Wed Feb 14 08:51:10 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FBFB1280FAAh
je 00007FBFB1280FCAh
add byte ptr [eax], al
jmp 00007FBFB1282FA5h
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x149054	0x68	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x137000	0x110a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1491f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x136000	0x8f000	a059c558f44abe316df30e7c3bdc3636	False	0.9993563565340909	data	7.988833024480807	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x137000	0x110a0	0x2000	cf81fe283096f6e0b32b20a2965e4a13	False	0.982666015625	data	7.902596502928978	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x149000	0x1000	0x200	588e00183b8b4dbb8c7106492f04143d	False	0.14453125	data	0.9824704719748909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x14a000	0x2c2000	0x200	01b91f8971830b7333c6648e2b8eb7c7	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
rhfejcgk	0x40c000	0x1b6000	0x1b5a00	8683e151f3c35636d38253eac6ebd28a	False	0.9608348507569265	data	7.913857553386715	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
khoopwui	0x5c2000	0x1000	0x600	2e514d738a9829801a2fa61260c1b946	False	0.5696614583333334	data	4.979910669069895	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x5c3000	0x3000	0x2200	45e562a30076b12da1314a3e8121716f	False	0.006433823529411764	DOS executable (COM)	0.019571456231530684	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5b0a7c	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 3779 x 3779 px/m	Russian	Russia	0.10367620962971726
RT_GROUP_ICON	0x5c12a4	0x14	data	Russian	Russia	1.15
RT_VERSION	0x5c12b8	0x2b4	data	Russian	Russia	0.48121387283236994
RT_MANIFEST	0x5c156c	0x2e6	XML 1.0 document, ASCII text, with CRLF line terminators			0.45417789757412397
RT_MANIFEST	0x5c1852	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T06:58:51.799868+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49705	50500	192.168.2.5	193.233.132.62
2024-07-25T06:58:50.127587+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49704	50500	192.168.2.5	193.233.132.62
2024-07-25T06:58:54.752913+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49705	50500	192.168.2.5	193.233.132.62
2024-07-25T06:59:13.143304+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49715	50500	192.168.2.5	193.233.132.62
2024-07-25T06:59:23.343383+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62109	52.165.165.26	192.168.2.5
2024-07-25T06:59:03.946343+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49707	20.12.23.50	192.168.2.5
2024-07-25T06:58:54.752808+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49706	50500	192.168.2.5	193.233.132.62
2024-07-25T06:58:47.148505+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49704	50500	192.168.2.5	193.233.132.62
2024-07-25T06:59:05.660986+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49708	50500	192.168.2.5	193.233.132.62
2024-07-25T06:59:22.123324+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	62108	52.165.165.26	192.168.2.5

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 06:58:47.117734909 CEST	49704	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:47.123430014 CEST	50500	49704	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:47.123579979 CEST	49704	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:47.148504972 CEST	49704	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:47.153429031 CEST	50500	49704	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:50.127587080 CEST	49704	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:50.134040117 CEST	50500	49704	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:51.750699997 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.751647949 CEST	49706	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.755628109 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:51.755722046 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.756465912 CEST	50500	49706	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:51.756534100 CEST	49706	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.797506094 CEST	49706	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.799868107 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:51.802391052 CEST	50500	49706	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:51.804757118 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:54.752808094 CEST	49706	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:54.752912998 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:58:54.757841110 CEST	50500	49706	193.233.132.62	192.168.2.5
Jul 25, 2024 06:58:54.757855892 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:02.666912079 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:02.672028065 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:02.672137976 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:02.692729950 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:02.699664116 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:05.660985947 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:05.667046070 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:08.511400938 CEST	50500	49704	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:08.511740923 CEST	49704	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:10.151415110 CEST	49715	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:10.156615019 CEST	50500	49715	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:10.156749964 CEST	49715	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:10.174139023 CEST	49715	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:10.179713011 CEST	50500	49715	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:13.137682915 CEST	50500	49706	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:13.137743950 CEST	49706	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:13.143304110 CEST	49715	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:13.148693085 CEST	50500	49705	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:13.148762941 CEST	50500	49715	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:13.148771048 CEST	49705	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:24.058605909 CEST	50500	49708	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:24.058685064 CEST	49708	50500	192.168.2.5	193.233.132.62
Jul 25, 2024 06:59:31.562185049 CEST	50500	49715	193.233.132.62	192.168.2.5
Jul 25, 2024 06:59:31.562429905 CEST	49715	50500	192.168.2.5	193.233.132.62

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 06:59:17.682553053 CEST	53	64885	162.159.36.2	192.168.2.5
Jul 25, 2024 06:59:18.177809000 CEST	60585	53	192.168.2.5	1.1.1.1
Jul 25, 2024 06:59:18.185745955 CEST	53	60585	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jul 25, 2024 06:59:18.177809000 CEST	192.168.2.5	1.1.1.1	0xf07f	Standard query (0)	198.187.3.20.in-addr.arpa	PTR (Pointer record)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jul 25, 2024 06:59:18.185745955 CEST	1.1.1.1	192.168.2.5	0xf07f	Name error (3)	198.187.3.20.in-addr.arpa	none	none	PTR (Pointer record)	IN (0x0001)	false

Target ID:	0
Start time:	00:58:42
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Lisect_AVT_24003_G1B_108.exe"
Imagebase:	0x810000
File size:	2'401'804 bytes
MD5 hash:	0B4B3E5E4A2EE4BD9BA8D9950639F269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2027415909.00000000050D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	00:58:45
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	00:58:45
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	00:58:45
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xf30000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	00:58:46
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	00:58:47
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x440000
File size:	2'401'804 bytes
MD5 hash:	0B4B3E5E4A2EE4BD9BA8D9950639F269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2078685252.0000000004C70000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	00:58:47
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x440000
File size:	2'401'804 bytes
MD5 hash:	0B4B3E5E4A2EE4BD9BA8D9950639F269
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2079204683.00000000051D0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	00:58:58
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x430000
File size:	2'401'804 bytes
MD5 hash:	0B4B3E5E4A2EE4BD9BA8D9950639F269
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2179548739.0000000004E30000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML Detection: 63%, ReversingLabs
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	10
Start time:	00:59:06
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x430000
File size:	2'401'804 bytes
MD5 hash:	0B4B3E5E4A2EE4BD9BA8D9950639F269
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2265416340.0000000004D10000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	1.2%
Signature Coverage:	5.2%
Total number of Nodes:	251
Total number of Limit Nodes:	24

Executed Functions

Function 0082DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0082DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0082DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0082DC42
closesocket.WS2_32(00000000), ref: 0082DC4D

Strings

50500, xrefs: 0082DBE8

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 27e0542465ed055ee02618523c990a27f3b2aa598a621d0ee72defd12cab761e
Instruction ID: 055ede28e83c77139e76e814f3cd22d4d50c5d9a240f27c7e85f9081b9232c5a
Opcode Fuzzy Hash: 27e0542465ed055ee02618523c990a27f3b2aa598a621d0ee72defd12cab761e
Instruction Fuzzy Hash: 1C31E1725043156BC7219B289C85A2FBBE9FF89334F111F1DF8A8A32E0E3709844C692

Function 05370D15 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fdd854fe1d9fa0bcf1a2bb296adfbb3cd9e3e11fa814e076ceec236fceb7cce4
Instruction ID: 0d7af3827f17df919cdaa3dc70bef6b83b770738c64d9b2e34f23832f91824bd
Opcode Fuzzy Hash: fdd854fe1d9fa0bcf1a2bb296adfbb3cd9e3e11fa814e076ceec236fceb7cce4
Instruction Fuzzy Hash: 5201F9EB44C208BF615AD5859B189F67A5FE5CB3307318016F40787E01E2A95E459930

Function 0082EC20 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000380,0000FFFF,00001006,?,00000008), ref: 0082ECC6
recv.WS2_32(?,00000004,00000002), ref: 0082ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0082ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0082ED6F
recv.WS2_32(00000000,?,00000008), ref: 0082EE0C

Part of subcall function 0082DB60: WSAStartup.WS2_32 ref: 0082DB8B
Part of subcall function 0082DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0082DC2E
Part of subcall function 0082DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0082DC42
Part of subcall function 0082DB60: closesocket.WS2_32(00000000), ref: 0082DC4D

recv.WS2_32(?,00000004,00000008), ref: 0082F033
Sleep.KERNELBASE(00000001), ref: 0082F09E
Sleep.KERNELBASE(00000064), ref: 0082F0AC
__Mtx_unlock.LIBCPMT ref: 0082F211

Strings

50500, xrefs: 0082EC75

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500
API String ID: 2930922264-2230786414
Opcode ID: 139df7d621183a3ca9090dd432199e9417cbaff1fe8193cdfc0e9e2d01fd2999
Instruction ID: 3e8601444f626dc9d760e81fd5d50f8ca8d9dfeb87981377496f55d65e4ba189
Opcode Fuzzy Hash: 139df7d621183a3ca9090dd432199e9417cbaff1fe8193cdfc0e9e2d01fd2999
Instruction Fuzzy Hash: 61B1DF71D14258DFEB24DFA8DC45BADBBB1FF46300F248269E444E7292DB70A985CB41

Function 0082E060 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,009147E8,00000000,00000000,-009465B0), ref: 0082E3A6

Strings

50500, xrefs: 0082EC75
131, xrefs: 0082F2C8
Ws2_32.dll, xrefs: 0082E37D

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll
API String ID: 121738739-3512819870
Opcode ID: a407e65eb7dcba91e019eacce6159520e8e5bbbca5b444fe1eb470681968ed83
Instruction ID: ecba2af7c435de5aa9913c7ba490ea9cc4ba21eebc0271d3de737d51dbb99b92
Opcode Fuzzy Hash: a407e65eb7dcba91e019eacce6159520e8e5bbbca5b444fe1eb470681968ed83
Instruction Fuzzy Hash: 15D1E030E0425CDFDB14CBA8DC54BADBBF5FF06305F684268D855AB282D7709886CB99

Function 05370683 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: da0bc040d7ded59d4f74cf8ee16a40504d95a87d83fc2a948348d45fc33c2c67
Instruction ID: c91aecccc4539de153ecad207a7c02438b214b739f86638430fa440e9186bc09
Opcode Fuzzy Hash: da0bc040d7ded59d4f74cf8ee16a40504d95a87d83fc2a948348d45fc33c2c67
Instruction Fuzzy Hash: EF4132A7D0C22CFDA27EC195575CAF66AAFA6D7330B308166F407D6A01E6DC0A494DB0

Function 0537069F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: a8251be65d799ca549bd492efe96f40c226c23241f7d9a094b69a8ca26c8a982
Instruction ID: e99aaaa84ea1e89fadf8e73a322e6d6d3dc7134a616817fbf18566dc02417d77
Opcode Fuzzy Hash: a8251be65d799ca549bd492efe96f40c226c23241f7d9a094b69a8ca26c8a982
Instruction Fuzzy Hash: 9D4136A7D0C22CFDA27EC195575C6F666AFA7D7330B304066F407E6A01E6DC0A494DB0

Function 0537068C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 4cf6571e022379ddfa6fe3ae356d9084d2b9f223f7977fc33372caa35a9ab2b9
Instruction ID: 5e99ba7e77d7f5190db542765df484fbbeb7cd854bbbc3b85548b09ec140551f
Opcode Fuzzy Hash: 4cf6571e022379ddfa6fe3ae356d9084d2b9f223f7977fc33372caa35a9ab2b9
Instruction Fuzzy Hash: AC4113A7D0C22CFDA17AC195575CAFA6AAFA7D7330B304066F407E6A01E6DC0A494D71

Function 053706E0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: e194c41c4260b361d5655911309d4aff8a0569e42e40a883fbffcb46452b6b57
Instruction ID: 0101ddbf736c745c0b265b82a932d70f1e6e25fc6eb70ce5c30aa767372ec3b4
Opcode Fuzzy Hash: e194c41c4260b361d5655911309d4aff8a0569e42e40a883fbffcb46452b6b57
Instruction Fuzzy Hash: D74136A7D0C22CFDA27EC191575CAF66AAFA697330B3040A6F407D6A01E6DC0A454DB1

Function 05370721 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 187
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 9a760679ef13b671855afbe01842889910b5459052c4ccf13d79c09830461809
Instruction ID: d57d68d57ac3e7b18a313ae6c234b8d84889fb3dd14ba4fbe657a856d00649c6
Opcode Fuzzy Hash: 9a760679ef13b671855afbe01842889910b5459052c4ccf13d79c09830461809
Instruction Fuzzy Hash: 594124A7D0C22CFDA27EC195575CAF66AAFB7C7330B304066B40BD6A01E6DC0A494D71

Function 053706C5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 96441ddc8f973629c92caab460820952e104ada4f5ce953d0d07556323ae0ac9
Instruction ID: 5af3fff87dc144cad8dbfc3d95c320dcdc0e3d40066abab35066879c0954dbff
Opcode Fuzzy Hash: 96441ddc8f973629c92caab460820952e104ada4f5ce953d0d07556323ae0ac9
Instruction Fuzzy Hash: 684146A7D0C22CFDA27EC195575CAF66AAFB687330B3040A6F407D6902E2DC4A459DB1

Function 05370749 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 038f90efb84b5bd01cee03b5759c0c35ead5f484bdd6b4fcf6287fc892fc437b
Instruction ID: 916dd14b01f92b671b676a337bfe27935ca20e277e72ec8cb2203563f5908218
Opcode Fuzzy Hash: 038f90efb84b5bd01cee03b5759c0c35ead5f484bdd6b4fcf6287fc892fc437b
Instruction Fuzzy Hash: D14126A7D0C22CBDA27EC191565CAF666AFB7D7330B3040A6E407D6901F2DC4E499DB1

Function 05370705 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: e79a89e425f3621bc1d6e51d5395ed91bbc8d802f02ab7ea891227417da8e394
Instruction ID: 85c8f9cd776052e1cc58cf9c263cb574a8ceb6a1427d14f5dab2a1ec01a9f9f2
Opcode Fuzzy Hash: e79a89e425f3621bc1d6e51d5395ed91bbc8d802f02ab7ea891227417da8e394
Instruction Fuzzy Hash: 7E4113A7D0C12CFDA27AC191575CAFA6AAFA7D7330B3080A6F407D6901E6DC4A494DB1

Function 053706F5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 098878b5926ef326a05887c7859295b1412b490e77099ba2c510044a44d3bc26
Instruction ID: 6908cd7a3e6979accc24e055d62ccb4936c601f7ddb2b0b9afd29bef9eebc58a
Opcode Fuzzy Hash: 098878b5926ef326a05887c7859295b1412b490e77099ba2c510044a44d3bc26
Instruction Fuzzy Hash: C14126A7D0C12CFDA27EC191575CAF666AFA7D7330B304066F407D6A01E2DC4A494DB1

Function 05370731 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 6a55549e9efe3e4c7343d7a0559897984c16814d8baff804a1f60bffe725f1a7
Instruction ID: a49d72e4e0f9ab479d2dd6561ead463502f085e944f4b86295bf501c94aab205
Opcode Fuzzy Hash: 6a55549e9efe3e4c7343d7a0559897984c16814d8baff804a1f60bffe725f1a7
Instruction Fuzzy Hash: 853115A7D0C22CFEA27AC1915B5CAF666AFA7D7330B304066F40BD6901E6DD4A494DB0

Function 053707AA Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 151
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 2a7d73f91268dc0ebd487e5358e85eda4b08db1ca0a516dd8a0fab4efc131902
Instruction ID: 52e5a56b24cff97e8bfc0381b18d4ca2f175040f147eb26435a35e604dde0a7e
Opcode Fuzzy Hash: 2a7d73f91268dc0ebd487e5358e85eda4b08db1ca0a516dd8a0fab4efc131902
Instruction Fuzzy Hash: 893138A7D0C12CBDB26AC19157586F66AAFE6C7330B308066F40BD6D01E6DC4A495DB1

Function 053707D4 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: 3754f7dbd7ac31363a7b37c3981137b3070ab9af1a2b5f2d679f56a0e9a2b0bb
Instruction ID: 0d11b46b9b4a6d298e125de5f3e784b8e41ec742462490e79472d2a262290d1c
Opcode Fuzzy Hash: 3754f7dbd7ac31363a7b37c3981137b3070ab9af1a2b5f2d679f56a0e9a2b0bb
Instruction Fuzzy Hash: B2317CB7D0C228FDB23AC1915B196F6666FE7C7330B308026F40BD6901E6DC4E4549B1

Function 053707C6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 146COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 053707EE

Strings

qvF, xrefs: 053708D2

Memory Dump Source

Source File: 00000000.00000002.4491060539.0000000005370000.00000040.00001000.00020000.00000000.sdmp, Offset: 05370000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5370000_Lisect_AVT_24003_G1B_108.jbxd

Similarity

API ID: CurrentProfile
String ID: qvF
API String ID: 2104809126-2313467579
Opcode ID: d9ea21a4942057ca52f8efd0a030a1c7b6eaf7d823c3082977264e1c92fa8af0
Instruction ID: 4ee2110b2efafed4fb7eeda974986611b8ac2e3e8dd6e890013f3981a8e3646f
Opcode Fuzzy Hash: d9ea21a4942057ca52f8efd0a030a1c7b6eaf7d823c3082977264e1c92fa8af0
Instruction Fuzzy Hash: 213136B7D0C22CBDB26AC19157586FA66BFF6C7330B308076F40BD6901E6984E4959B1

Function 00902F0C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,008F6AF7,?,00000000,00000000,00000000,?,00000000,?,008EC023,008F6AF7,00000000,008EC023,?,?), ref: 00903091

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 921dd68d9965ffceef3a0bf65508ff046d0ea76de92d861d64025ede959afa21
Instruction ID: ee7b2e4a9183d62e2bab355b66fb29aa3480e6ad878bb554f3d8e9e63b2971f5
Opcode Fuzzy Hash: 921dd68d9965ffceef3a0bf65508ff046d0ea76de92d861d64025ede959afa21
Instruction Fuzzy Hash: 6F61C27190411AAFDF11DFA8C888EFEBBBDAF49304F144545E904AB282D736DA11DBA0

Function 0087BA20 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0087BB71

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 27a55fc8f13307f3cef759422548dc790faef2ecc1b673006b60d907634ea56b
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 3141F6729011199BCB15EF6CDC817AEBBA6FF45350F144269F819DB209D730DE1187E1

Function 00902582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00902469,00000000,CF830579,00941148,0000000C,00902525,008F662D,?), ref: 009025D8

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 6f4e99b1dd44586250fc3c93f613378097a77ed00c5bc3c54d411c848843998b
Instruction ID: 67913817c0cfbe7d2b08df65324873a403d7da32dab9495af0d568114dd29269
Opcode Fuzzy Hash: 6f4e99b1dd44586250fc3c93f613378097a77ed00c5bc3c54d411c848843998b
Instruction Fuzzy Hash: 871126337182141ED73523745C5EB7E678EAFC7734F29020AF9189B1C2EE619C825159

Function 008FBACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00940E00,008EC023,00000002,008EC023,00000000,?,?,?,008FBBD6,00000000,?,008EC023,00000002,00940E00), ref: 008FBB08

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: f841a15753dd77cada39ee18a9988a4de99584c646d27fcb7f765bdfeb8e5d84
Instruction ID: 3cd8dee128f59d50e255d68dfe66f886a1c0ed38d059cb25528e07e2ddaa0d36
Opcode Fuzzy Hash: f841a15753dd77cada39ee18a9988a4de99584c646d27fcb7f765bdfeb8e5d84
Instruction Fuzzy Hash: FF01D232614159AFCF198FA9CC45CAE3B69FF86330B240208F911DB291EB71ED519B90

Function 008ECD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00811FDE

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: ecd977b9de962f745aa16c9f988e417c8f2955967a44bc828e76fc061b7b92b4
Instruction ID: 20b7f41eea1c7e5eba43c37aba83b17e1b23cacb324905e51397b3cd0092a3bd
Opcode Fuzzy Hash: ecd977b9de962f745aa16c9f988e417c8f2955967a44bc828e76fc061b7b92b4
Instruction Fuzzy Hash: FF012B3590030DA7CB24ABADEC0189A7BACFE02364B508635F614D6551FB70E59183D2

Function 00903E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,008EB16C,?,?,009037E9,00000001,00000364,?,00000006,000000FF,?,008EE0EB,?,?,?,?), ref: 00903EA5

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d5374fcddf0dc577d1d5b531b0982294e36f9ecfed158d44cdb7c0d0e60f00a3
Instruction ID: d026ad823d76bfa005cbc37fc68bce9dc0ee76f63de7adf889209c84d2e17eba
Opcode Fuzzy Hash: d5374fcddf0dc577d1d5b531b0982294e36f9ecfed158d44cdb7c0d0e60f00a3
Instruction Fuzzy Hash: 57F0BE326012256FDA226A76DC05B6B378EAF813A0B16C712AD089A0C1CB70EE0086E1

Function 0090489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,008EE0EB,?,?,?,?,?,00812D8D,008EB16C,?,?,008EB16C), ref: 009048D0

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ab3fb651a64cd7955a37cad392b8e45e3153a6632dae913e3831c28984a9644e
Instruction ID: 83b2e8836c1a1d03630b5449f2852afacb2b3c5f6c89f57cf1ad35ca2f87eed3
Opcode Fuzzy Hash: ab3fb651a64cd7955a37cad392b8e45e3153a6632dae913e3831c28984a9644e
Instruction Fuzzy Hash: 68E09B751526955FD62137754D05B6B374DDF823B0F174E31AF04A60D1DB60DC1092F1

Non-executed Functions

Function 0089BBB0 Relevance: 18.5, APIs: 3, Strings: 7, Instructions: 970COMMON

Download Yara Rule

Strings

NaN, xrefs: 0089C319
Inf, xrefs: 0089C41F
+Inf, xrefs: 0089C416
-Inf, xrefs: 0089C40F
, xrefs: 0089C475, 0089C49E, 0089C4F2, 0089C517
gfff, xrefs: 0089C7BD
+, xrefs: 0089C260

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: $+$+Inf$-Inf$Inf$NaN$gfff
API String ID: 0-2577472133
Opcode ID: 0355471480e98053688096f20e32263b38493a5a1149038b6ff433aecf5326c6
Instruction ID: 9333478d9d99dae0788c1edb744fe0477f6ab598ed5e92219a1a27bb6d4be171
Opcode Fuzzy Hash: 0355471480e98053688096f20e32263b38493a5a1149038b6ff433aecf5326c6
Instruction Fuzzy Hash: E382AC7190CB808FDB26DF28955036ABBE1FFDA344F088A5EE4CAD7252D731D9458B42

Function 008EA800 Relevance: 9.2, Strings: 7, Instructions: 490COMMON

Download Yara Rule

Strings

RTRIM, xrefs: 008EAA75
MATCH, xrefs: 008EABCB, 008EABD9, 008EABF9, 008EABFA, 008EAC10
no such vfs: %s, xrefs: 008EAA11
NOCASE, xrefs: 008EAAB4
automatic extension loading failed: %s, xrefs: 008EAD13
sqlite_rename_table, xrefs: 008EABA7
BINARY, xrefs: 008EAA32, 008EAA41, 008EAA5B, 008EAA9D

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: BINARY$MATCH$NOCASE$RTRIM$automatic extension loading failed: %s$no such vfs: %s$sqlite_rename_table
API String ID: 0-1885142750
Opcode ID: 76a0c4cfe7cae5fb48c007fa474e6d4e96a1c03395a00f229a5a67a5217b0dfe
Instruction ID: 2ee3bc6b4650561f4c806c087d825bd2522227abe3d2978f806340d98854845a
Opcode Fuzzy Hash: 76a0c4cfe7cae5fb48c007fa474e6d4e96a1c03395a00f229a5a67a5217b0dfe
Instruction Fuzzy Hash: CC0215B4B04780ABEB249F26DC45B2A77F4FF42B04F148428E456DB291E7B5F945CB82

Function 0082A100 Relevance: 7.3, Strings: 4, Instructions: 2299COMMON

Download Yara Rule

Strings

%s|%s, xrefs: 0082A347
50500, xrefs: 0082A2A5
131, xrefs: 0082A32B, 0082A33B
type must be boolean, but is , xrefs: 0082C171, 0082C1A2, 0082C265

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: %s|%s$131$50500$type must be boolean, but is
API String ID: 0-353184664
Opcode ID: e73791d36259b26de5dcfcd758729384f36fd0af1e82e5af3576405ece4b4fd2
Instruction ID: d5df2086401098dba0af33054c68a0fb160d1d8dfd9965b01f307e86d572adec
Opcode Fuzzy Hash: e73791d36259b26de5dcfcd758729384f36fd0af1e82e5af3576405ece4b4fd2
Instruction Fuzzy Hash: C323DE709002688FDB29DF68D958BEEBBB0FF05304F1481D9D449AB292DB719E85CF91

Function 008806F0 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

type must be number, but is , xrefs: 008808B1
type must be string, but is , xrefs: 00880754
/Kim, xrefs: 00880932
/Kim, xrefs: 00880919

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 81fa79241835be1deb171b73f99c1af8d03698f66f9535c04b42004e33e4c9f8
Instruction ID: 97c6ead9eb23ada807462bae5de0ca515af7c99cc69ce0774656c82e78b9fc62
Opcode Fuzzy Hash: 81fa79241835be1deb171b73f99c1af8d03698f66f9535c04b42004e33e4c9f8
Instruction Fuzzy Hash: C491D471F002089FCB08DF6CD891799B7A9FB89320F14827EE819D7392D6759D45CB91

Function 008242A0 Relevance: 5.2, APIs: 3, Instructions: 671COMMON

Download Yara Rule

APIs

__Mtx_unlock.LIBCPMT ref: 0082489B
__Mtx_unlock.LIBCPMT ref: 008249A1
__Mtx_unlock.LIBCPMT ref: 00824A6C

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Mtx_unlock
String ID:
API String ID: 1418687624-0
Opcode ID: 9552c0670b832b6aee7f64e0c840a1374494b052279fee64068258eaad4aab42
Instruction ID: 84f84941352031036e671bb66780131b68d986099dcaeb4975cc5b2828788a71
Opcode Fuzzy Hash: 9552c0670b832b6aee7f64e0c840a1374494b052279fee64068258eaad4aab42
Instruction Fuzzy Hash: 8E321671E002188FDB08DF68DC85BAEB7B5FF45304F148258E815EB392D771AA85CBA1

Function 0081A720 Relevance: 1.6, Strings: 1, Instructions: 333COMMON

Download Yara Rule

Strings

File, xrefs: 0081A93C

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: File
API String ID: 0-749574446
Opcode ID: 3242747179d13cd60cef5c5d1418b34dcb193274d99ad18486608cf6f40bc65f
Instruction ID: e9c9613ee60acfcc632ae4b8d04886a9c349235a0b90b4d18721e6bcd34cf176
Opcode Fuzzy Hash: 3242747179d13cd60cef5c5d1418b34dcb193274d99ad18486608cf6f40bc65f
Instruction Fuzzy Hash: 87C1BE70D042589BDF19DFA4CD46BEEBBB9FF05304F144069E504EB292E770A984CBA2

Function 008ECCDC Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,008EC6EA,?,?,?,?,00824A9B,?,0082F03C), ref: 008ECCF5

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 55c8e319957ad8ec8bccdefa4a1f5c448e2b8325691da333bc6ba2bab5963141
Instruction ID: cad081667f3140836fb7cc631583baf155f178f66868506cb7be2c50f9474479
Opcode Fuzzy Hash: 55c8e319957ad8ec8bccdefa4a1f5c448e2b8325691da333bc6ba2bab5963141
Instruction Fuzzy Hash: 05D02232A9A0BC938A112FD6FC048ADBBC8FF0AF503188022EE09B7110CA515C016BC1

Function 00812040 Relevance: 1.5, Strings: 1, Instructions: 211COMMON

Download Yara Rule

Strings

string too long, xrefs: 00812040

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: std::invalid_argument::invalid_argument
String ID: string too long
API String ID: 2141394445-2556327735
Opcode ID: d322beb73c5d1857adad5f40369910d09548d578e9402c1bcd3446f6aa14d7e6
Instruction ID: 4ca8216200c7f52c6e0087a65a199daa631978519516b0c64efe4db96e9b0736
Opcode Fuzzy Hash: d322beb73c5d1857adad5f40369910d09548d578e9402c1bcd3446f6aa14d7e6
Instruction Fuzzy Hash: 8D810275A0428A9FDB02CFA8C4117EEFFB9FF5A300F184199D980A7782C3759595C7A1

Function 0081AB50 Relevance: 1.1, Instructions: 1084COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c75b1fd408136c90835c517d75e53ec52e252a5b5c7417f783b855f3eeac263b
Instruction ID: 64a7dbe16fdb50e2d9d143e1cda41fb1e3e05e6aba333236cceb8e86d8f7405c
Opcode Fuzzy Hash: c75b1fd408136c90835c517d75e53ec52e252a5b5c7417f783b855f3eeac263b
Instruction Fuzzy Hash: 4B920531D002488BDF19CFA8C8547FEBB7AFF56314F248299D455E7282DB705A8ACB91

Function 00894C20 Relevance: .7, Instructions: 744COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7812efc9b04549aecba84b24a5a49a0e557f6a7234d610653b8af3f5e07826ed
Instruction ID: add3ad7f756307921b4321f4f66640f85d7258054c658c8baf6e6bf9a287b89e
Opcode Fuzzy Hash: 7812efc9b04549aecba84b24a5a49a0e557f6a7234d610653b8af3f5e07826ed
Instruction Fuzzy Hash: FB6259B0E002099BDF19DF99C5846ADBBB1FF88308F2881A9D814AB352D775D946CF90

Function 008F991F Relevance: .3, Instructions: 333COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d6eab88acd924515a17f75b29c4d7eea2e03814bf60de5d3474b6b4b1b489dc
Instruction ID: 02efa1b3a5968cb8eef03e239df1878dfd7755f08ef75fece72a70f3d6b91891
Opcode Fuzzy Hash: 7d6eab88acd924515a17f75b29c4d7eea2e03814bf60de5d3474b6b4b1b489dc
Instruction Fuzzy Hash: 01C1CB70A0064E8ECB24CF3CC984BBABBA1FF05314F24461DDAD6D72A1D771A945CB52

Function 008122C0 Relevance: .2, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a706a3b1c6c27a8516bd5cd5d075668304d2d59c0120b8328fe337e360b6d652
Instruction ID: a35ce3c7f7823e4b1aa6c7b95e8d5275c5be1ce1eb1ca6bf79ffda1be5496b36
Opcode Fuzzy Hash: a706a3b1c6c27a8516bd5cd5d075668304d2d59c0120b8328fe337e360b6d652
Instruction Fuzzy Hash: 4A712175A002468FDB118F68D8907FEBBB9FF1A300F044168D865D7792C3349956C7A0

Function 00891940 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f7cc22953cc08329244c376f43ecb02dd8e89c8a38b4daede76ce5b0ac66f33a
Instruction ID: 43314cf89851b8718529e045e22968ebc88b9f9e83bd4347651150fe1c68c5af
Opcode Fuzzy Hash: f7cc22953cc08329244c376f43ecb02dd8e89c8a38b4daede76ce5b0ac66f33a
Instruction Fuzzy Hash: 96617531A341654FDBA8CF1EFCD0476B351E38A3617894229EA81CB39DC535E927E7A0

Function 00824AB0 Relevance: .2, Instructions: 167COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cc65e9ec566d855f4bcf7f83d3a0ef34481909f77aa7866fa384ed9eea63f5f
Instruction ID: b5579f5630379ecac2ae057d326cc944db2d526b264093e9c361c49770e17677
Opcode Fuzzy Hash: 7cc65e9ec566d855f4bcf7f83d3a0ef34481909f77aa7866fa384ed9eea63f5f
Instruction Fuzzy Hash: 7851A171E002199FCB14DFA8D941BEEBBB4FF48710F208269E815F7390D7719A448BA5

Function 008F3ED8 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction ID: 91a6b96c2cf5be1d0fe3d196e6fac8e5497d22ebd1d456a68aec34588d970841
Opcode Fuzzy Hash: b904313642ee8bb92eeea3ac85b95f5796e84e1ff494d4087d2543a59d71a9f0
Instruction Fuzzy Hash: F3518172E00219EFDF04CFA8C850AFEBBB2FF88304F598059E615AB241D7349A51CB90

Function 008F0750 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: adbcdbdfcb21b20c168d433bb91263f7de9e3571814da72e52c338219c0e2f0e
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: ED11387B20514D8BD614A63DC8B46BBA795FAC532172C42FAD282CB75AD223B8419D00

Function 0087AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0087AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0087AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0087AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0087AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0087AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0087AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0087AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0087B088
std::_Facet_Register.LIBCPMT ref: 0087B095

Strings

bad locale name, xrefs: 0087B0AF

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: a184d629fae884b0c9cd0c626dd86563ebc9294c6865a637a9335941f757373b
Instruction ID: 78069beb66945e90579061f91298943cbb1ba47825aa59241ad6cb6d81ad4541
Opcode Fuzzy Hash: a184d629fae884b0c9cd0c626dd86563ebc9294c6865a637a9335941f757373b
Instruction Fuzzy Hash: 90616EB5D002589BDB11DFA9D885B9EBBB4FF45350F148068E808E7386EB34ED05CB92

Function 00813770 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 008137E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00813835
__Getctype.LIBCPMT ref: 0081384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0081386A
std::_Lockit::~_Lockit.LIBCPMT ref: 008138FF

Strings

bad locale name, xrefs: 0081391C

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 4a6827e29074a3c7439e1d69f0bef7c43f9defb488abc27b7b12232de2289f32
Instruction ID: ca9580bc4cae2eed373fa1715aeae524c37190eb2b025c018a9c1f55703e0ff0
Opcode Fuzzy Hash: 4a6827e29074a3c7439e1d69f0bef7c43f9defb488abc27b7b12232de2289f32
Instruction Fuzzy Hash: 375170F1D002489BDB10DFA9D8857DEFBB8FF14314F144169E804E7281E775AA54CB92

Function 008F0880 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 008F08B7
___except_validate_context_record.LIBVCRUNTIME ref: 008F08BF
_ValidateLocalCookies.LIBCMT ref: 008F0948
__IsNonwritableInCurrentImage.LIBCMT ref: 008F0973
_ValidateLocalCookies.LIBCMT ref: 008F09C8

Strings

csm, xrefs: 008F095D

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: d7fdb0e7b428fa0fd424f88aabd467b8bd4808c636545135f64401e85498d9b5
Instruction ID: a41896436fccb4f72e9f8a5bd1571f37759cff0ca88e98c1a3b0674ef042c83f
Opcode Fuzzy Hash: d7fdb0e7b428fa0fd424f88aabd467b8bd4808c636545135f64401e85498d9b5
Instruction Fuzzy Hash: 2C416B34A0020DAFCF10DF78C884ABEBBA5FF44324F148155EA18DB293E671AA55CF91

Function 00879520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00879543
std::_Lockit::_Lockit.LIBCPMT ref: 00879566
std::_Lockit::~_Lockit.LIBCPMT ref: 00879586
std::_Facet_Register.LIBCPMT ref: 008795FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00879613
Concurrency::cancel_current_task.LIBCPMT ref: 0087962B

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 88d1bdddd163a7bc704b47bfbb60acef715c9a69f863e0f2a91e90cfbe468bd0
Instruction ID: b9a536d208d29546e46ead2652c9a4dfbaa6d20ac60579c1135ec76ddb68728c
Opcode Fuzzy Hash: 88d1bdddd163a7bc704b47bfbb60acef715c9a69f863e0f2a91e90cfbe468bd0
Instruction Fuzzy Hash: DE41D4759042699FCB11EF98D840AAABB74FF06314F148259E849EB391E730ED44CBD2

Function 00815DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008160F2
___std_exception_destroy.LIBVCRUNTIME ref: 0081617F
___std_exception_copy.LIBVCRUNTIME ref: 00816248

Strings

recursive_directory_iterator::operator++, xrefs: 008161CC

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: c7f8952b84adcec32bda36f14eab7711dea0981c6ef3166f9a8c02496eed72e4
Instruction ID: 4aa153a55dff97531e1bf7b7e919c954b0b81223b1cd7854a1aee1ba098e23bc
Opcode Fuzzy Hash: c7f8952b84adcec32bda36f14eab7711dea0981c6ef3166f9a8c02496eed72e4
Instruction Fuzzy Hash: 60E1E1B19006089FDB28DF68D845B9EB7F9FF44300F14861DE456D7781EB74AA84CBA2

Function 008184C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 008186DE
___std_exception_destroy.LIBVCRUNTIME ref: 008186ED

Strings

, column , xrefs: 00818555, 0081856B
at line , xrefs: 00818518

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: bdea18477d9eec8451d0077cf44711e29dba0deaa4dedae7dc8c6e40336fed63
Instruction ID: 15073f299c339923926ad3ceabfb0e5237b8f852a602c03b42ea7e7a6f8cf589
Opcode Fuzzy Hash: bdea18477d9eec8451d0077cf44711e29dba0deaa4dedae7dc8c6e40336fed63
Instruction Fuzzy Hash: 39612771A002489FDB08CB6CDC86BDEBBB6FF55314F148218E415E7781EB70AAC48792

Function 008834C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00883946
___std_exception_destroy.LIBVCRUNTIME ref: 0088395F
___std_exception_destroy.LIBVCRUNTIME ref: 00883A97
___std_exception_destroy.LIBVCRUNTIME ref: 00883AB0
___std_exception_destroy.LIBVCRUNTIME ref: 00883C16
___std_exception_destroy.LIBVCRUNTIME ref: 00883C2F
___std_exception_destroy.LIBVCRUNTIME ref: 00884479
___std_exception_destroy.LIBVCRUNTIME ref: 00884492

Strings

value, xrefs: 0088439F

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 4314ba4b082901549e063d571a0f456ad84d4363c43eed471069e62a2a405dc5
Instruction ID: 332b9293768771780e171fda35d32598202977a08ebdedb021b44c3e547b137b
Opcode Fuzzy Hash: 4314ba4b082901549e063d571a0f456ad84d4363c43eed471069e62a2a405dc5
Instruction Fuzzy Hash: DF51B171C0125CDBDF14EBA8CC85BDEBBB5FF05304F144259E459A7282EB746A88CB62

Function 00813B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00813C0F

Strings

ios_base::failbit set, xrefs: 00813AC8, 00813BB1
ios_base::eofbit set, xrefs: 00813BB6
ios_base::badbit set, xrefs: 00813BA7, 00813BD2, 00813BF3

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 2718c3d4b724650f06aef74d61a15e7df01aba7cffe4d9c1b0e8b3a0c219ab42
Instruction ID: 7273ae87684aab35300177e1c25b4683cae440efdeab6344e1793dbf4db60aa5
Opcode Fuzzy Hash: 2718c3d4b724650f06aef74d61a15e7df01aba7cffe4d9c1b0e8b3a0c219ab42
Instruction Fuzzy Hash: 781190B2A047096BC720DE59D805ADAB7ECFF45320F04852AF958DB641F770E9948B91

Function 00882A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 00882F43

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: bd1903898a5f94d22e640f07947c74097ef6cff93c6a8b913023e44b27dc7fa5
Instruction ID: bf6ed7b110bd8f9c882e6c977402f16a4251c818710ae553615cbec6c585ff18
Opcode Fuzzy Hash: bd1903898a5f94d22e640f07947c74097ef6cff93c6a8b913023e44b27dc7fa5
Instruction Fuzzy Hash: A3E1C271A002099FCB18EF6CC895AADBBB5FF49310B148369E819DB395E730ED51CB90

Function 00818080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0081844D

Strings

ror, xrefs: 008180D4
parse error, xrefs: 00818149, 00818162

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 51fd52c70b860de1f83952d6938f0ebe0c7ed9b5413fbfd585c75370cbbcc2fe
Instruction ID: 35117ddea4aa2f9777d9a6889943dc418dbd8fbbaffff14da5fb271f5d4cc869
Opcode Fuzzy Hash: 51fd52c70b860de1f83952d6938f0ebe0c7ed9b5413fbfd585c75370cbbcc2fe
Instruction Fuzzy Hash: 91C1D071D10649DFEB09CF68CC85BADBB76FF45304F148248E004AB692DBB4AAC5CB91

Function 00817DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00818051
___std_exception_destroy.LIBVCRUNTIME ref: 00818060

Strings

[json.exception., xrefs: 00817E1C

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 76a89d96908d0ef1b5693b77faee1a366458fea5149b26f17eec5e4a63076785
Instruction ID: 4aef3a903d32bed70d49980ad4ea050fa7b5ac5ee95283a33893ea67623f84c6
Opcode Fuzzy Hash: 76a89d96908d0ef1b5693b77faee1a366458fea5149b26f17eec5e4a63076785
Instruction Fuzzy Hash: 9E91D2719002489FDB18CFA8C885BEEBBB5FF45314F14825DE414AB692DBB0A9C58B91

Function 00813A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00813C0F

Strings

ios_base::failbit set, xrefs: 00813AC8
ios_base::badbit set, xrefs: 00813BA7, 00813BD2, 00813BF3

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 6126689fdd61dbdc4e42dd1d549bd10be6a125203abb21a821ad7f7d626b1908
Instruction ID: 69ac7c492004c45f9ead1a758e89af60b300b40438425b303389c790b103e7d8
Opcode Fuzzy Hash: 6126689fdd61dbdc4e42dd1d549bd10be6a125203abb21a821ad7f7d626b1908
Instruction Fuzzy Hash: 6D41D3B1914608ABC714DF59D845BEAFBF8FF45320F14821AF958D7681E770AA80CBA1

Function 008845C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00884E29
___std_exception_destroy.LIBVCRUNTIME ref: 00884E42
___std_exception_destroy.LIBVCRUNTIME ref: 0088594D
___std_exception_destroy.LIBVCRUNTIME ref: 00885966

Strings

value, xrefs: 00885873

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: c819c5d70a708d02422cab54a74d5eea3d320e939f842c7ff379fe79fad353fc
Instruction ID: 3d9e99a5d01a3a6a0218ca706c946c91942d5e1120ae48fd296527a7a9783e08
Opcode Fuzzy Hash: c819c5d70a708d02422cab54a74d5eea3d320e939f842c7ff379fe79fad353fc
Instruction Fuzzy Hash: CA51CEB1C0025CDBDB14EFA8DC89BDEBBB5FF05304F144259E455AB382DB746A888B52

Function 008899A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008899F1

Strings

type must be boolean, but is , xrefs: 00889AE2
type must be string, but is , xrefs: 00889A58

Memory Dump Source

Source File: 00000000.00000002.4483066704.0000000000811000.00000040.00000001.01000000.00000003.sdmp, Offset: 00810000, based on PE: true

Associated: 00000000.00000002.4482963850.0000000000810000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4483066704.0000000000943000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484209570.0000000000947000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.000000000095A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000AEE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000BCA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C05000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C0E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4484278171.0000000000C1C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485019093.0000000000C1D000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4485275359.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_810000_Lisect_AVT_24003_G1B_108.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 43b6de997854c0cce545174d240b9e11cc8c5b6bc60ed12f61ff68aaeb18c961
Instruction ID: f88220fd376f1d08ccee528931eabf6e1501cf9e5b2ba65dac967666c4ed8a9f
Opcode Fuzzy Hash: 43b6de997854c0cce545174d240b9e11cc8c5b6bc60ed12f61ff68aaeb18c961
Instruction Fuzzy Hash: 25312C719002489FD714EBA8D842FEEB7ADFF04310F144269F419D7686EB35AA45C753

Analysis Process: MPGPH131.exePID: 5012, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	2%
Dynamic/Decrypted Code Coverage:	1.4%
Signature Coverage:	0%
Total number of Nodes:	291
Total number of Limit Nodes:	30

Executed Functions

Function 0045EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(0000033C,0000FFFF,00001006,?,00000008), ref: 0045ECC7
recv.WS2_32(?,00000004,00000002), ref: 0045ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0045ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0045ED6F
recv.WS2_32(00000000,?,00000008), ref: 0045EE0C

Part of subcall function 0045DB60: WSAStartup.WS2_32 ref: 0045DB8A
Part of subcall function 0045DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0045DC2E
Part of subcall function 0045DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0045DC41
Part of subcall function 0045DB60: closesocket.WS2_32(00000000), ref: 0045DC4D

recv.WS2_32(?,00000004,00000008), ref: 0045F033
Sleep.KERNELBASE(00000001), ref: 0045F09E
Sleep.KERNELBASE(00000064), ref: 0045F0AC
__Mtx_unlock.LIBCPMT ref: 0045F211

Strings

t;W, xrefs: 0045EC7A
50500, xrefs: 0045EC75

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$t;W
API String ID: 2930922264-3984008218
Opcode ID: 31dc3274648ddebbffa37d935dfc29c21b1a93fbd36d273ad94ef3e5f32530c1
Instruction ID: 8fc74847e687bbc3803c5546e39a419ecb7d6f956186c4aa97bf6ee06bfcfc46
Opcode Fuzzy Hash: 31dc3274648ddebbffa37d935dfc29c21b1a93fbd36d273ad94ef3e5f32530c1
Instruction Fuzzy Hash: 51B10331D00248DFEB14DFA8DC45BADBBB1FF55310F24825AE848A72D2D7746A89DB81

Function 0045E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005447E8,00000000,00000000,-005765B0), ref: 0045E3A6

Strings

Ws2_32.dll, xrefs: 0045E37D
;W, xrefs: 0045E525
t;W, xrefs: 0045EC7A
\;W, xrefs: 0045EB85
taW, xrefs: 0045F1CA
50500, xrefs: 0045EC75
131, xrefs: 0045F2C8

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;W$t;W$taW$;W
API String ID: 121738739-2827972449
Opcode ID: b5d48317606026a99d8a12f290fe7daf00830488fda8a4234549f7fe5724509b
Instruction ID: 1b70fe9f5e3489535da93b1617a97d9c047d654e12bc26b1fba2f817f0af432c
Opcode Fuzzy Hash: b5d48317606026a99d8a12f290fe7daf00830488fda8a4234549f7fe5724509b
Instruction Fuzzy Hash: 4CD11231D04648DFDB18CFA9CC40BEEBBF1AF06301F684259D855AB2C2D774998ACB55

Function 0045DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0045DB8A
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0045DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0045DC41
closesocket.WS2_32(00000000), ref: 0045DC4D

Strings

50500, xrefs: 0045DBE8

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: df11b29aa6ae668c67dcefddcdb3f1200a6016ba884745d697bf8fbf293663d2
Instruction ID: ccddba8f70c2aca3ed09d49654a281d3456285733c40ff25ee7d2220abdf1fa6
Opcode Fuzzy Hash: df11b29aa6ae668c67dcefddcdb3f1200a6016ba884745d697bf8fbf293663d2
Instruction Fuzzy Hash: 4C31E4729043015BD7218B288C85A2FB7E4FF89328F111F1EFDA4932E1E3759848C696

Function 04F20598 Relevance: 1.9, APIs: 1, Instructions: 426
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 96d2c82cc76d44fee1232e3071ea1c668a6047fc6db1d38330f69e3c13b4b5b5
Instruction ID: 2ef5a7bf8d8e46708b0daf732000463c384241a6c8507a853dcb95f96543be43
Opcode Fuzzy Hash: 96d2c82cc76d44fee1232e3071ea1c668a6047fc6db1d38330f69e3c13b4b5b5
Instruction Fuzzy Hash: A39103E724C231BEF15291816B54AF76A6EE7D37307308426FA07D5602FA882B4B3572

Function 04F205D2 Relevance: 1.9, APIs: 1, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e59c71007640563ab6a31c0c843e19ba433df2f7ccbfbf6dc1b21016afa48c1
Instruction ID: e7eea2674a1b80268fff970c31431574245b98b54395ac084194a6dc4d111224
Opcode Fuzzy Hash: 2e59c71007640563ab6a31c0c843e19ba433df2f7ccbfbf6dc1b21016afa48c1
Instruction Fuzzy Hash: 1981D2EB24C231BDF15291816B64AF76A6EE7D77307308426FA07D5602FA842B4B3572

Function 04F205FF Relevance: 1.9, APIs: 1, Instructions: 412
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ff4ec8fb78ee8a49087665dbe85ea633b1230846ec5476df9513b337106363e7
Instruction ID: 8a0b34ce7837b095888559fbddb520231907bac3bceb0dd35dd8c5690ab54bc3
Opcode Fuzzy Hash: ff4ec8fb78ee8a49087665dbe85ea633b1230846ec5476df9513b337106363e7
Instruction Fuzzy Hash: 9381C3EB24C135BDF15281816B54AF76B6EE7D77307308426F607D5602FA882F8B2572

Function 04F205EA Relevance: 1.9, APIs: 1, Instructions: 406
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: edc748a83f445e9aa5392707b213349d8b4f73390a910caf0005b1534cb46eed
Instruction ID: 984dbd8d6a2e935af0ce171bbe0fdd2f67ac8098a60a477dacf9fd1494f0d2a8
Opcode Fuzzy Hash: edc748a83f445e9aa5392707b213349d8b4f73390a910caf0005b1534cb46eed
Instruction Fuzzy Hash: 5D81E2EB24C134BDB15291816B54AF76A6EE7D77307308426FA07D5602FAC42F8B3572

Function 04F2061B Relevance: 1.9, APIs: 1, Instructions: 404
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 88d5183eeb4e2c45f10c80827fc7257237fa597ad1e3e885d5026ee251464479
Instruction ID: 4e41639c685ed400200e406f0016cbc6827bf9de084a3a519d56aecc0920b66e
Opcode Fuzzy Hash: 88d5183eeb4e2c45f10c80827fc7257237fa597ad1e3e885d5026ee251464479
Instruction Fuzzy Hash: 6F81C4EB24C134BDF15281816B54AF76B6EE7D67307308426FA07D5602FA942F4B3572

Function 04F2066F Relevance: 1.9, APIs: 1, Instructions: 384
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a2dfa586b4d9864868428c22d701ac21f1b6953bec3afae025d76595228b795
Instruction ID: ab3f9bff8fa3e9d051c068131907aac844fbe5cd64f356cfef47580c02d6bad1
Opcode Fuzzy Hash: 4a2dfa586b4d9864868428c22d701ac21f1b6953bec3afae025d76595228b795
Instruction Fuzzy Hash: 7F71C1EB34C134BDB15281816B64AF76B6EE7D67307308426FA07D5602FA842F8B3572

Function 04F206C4 Relevance: 1.9, APIs: 1, Instructions: 377
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b149934c6823dad5ead38dab381434864d65801e256c4f534debb71064c90342
Instruction ID: 1eb2b6476912b0be56f80598ebaf7af63b700884aad3d4d2ece4a2bb52bbd46e
Opcode Fuzzy Hash: b149934c6823dad5ead38dab381434864d65801e256c4f534debb71064c90342
Instruction Fuzzy Hash: 5571C2EB34C134BDB15281816B64AF76B6EE7D67307308466FA07D5602FA842F8B3572

Function 04F20692 Relevance: 1.9, APIs: 1, Instructions: 368
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 74f9255e25944ac1b42a50a481ffd65c0b568b861212673a14f1b2e8626a4bf9
Instruction ID: 47a1fe5263f3f95db4991bf08fbebadde43bcd0557a93490478e6e24a90f2ab7
Opcode Fuzzy Hash: 74f9255e25944ac1b42a50a481ffd65c0b568b861212673a14f1b2e8626a4bf9
Instruction Fuzzy Hash: 0371C2EB34C135BDB15281816B64AF76B6EE7D67307308426FA07D5602FA842F8B3572

Function 04F206A8 Relevance: 1.9, APIs: 1, Instructions: 360
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fff418b6bd47d4a53d1f3034dd3469bd6e8df3a623450e4c80d517486d3c9097
Instruction ID: 3ad590a7e56c3ea6f5f03d1eae94739c78a53fb4dcfa566ab6969318848ec276
Opcode Fuzzy Hash: fff418b6bd47d4a53d1f3034dd3469bd6e8df3a623450e4c80d517486d3c9097
Instruction Fuzzy Hash: 8571D3EB34C135BDB15281816B64AF76B6EE7D67307308426FA07D5602FA842F4B3572

Function 04F2071B Relevance: 1.8, APIs: 1, Instructions: 324
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 78bff2bc8bcd503fcf91942b92efece262b663d9896249d8f752f5ebbdaddec4
Instruction ID: 864bfe822b7ad8ef9e034aa2ae62b4311dad27b1b874b80670b96461769ad581
Opcode Fuzzy Hash: 78bff2bc8bcd503fcf91942b92efece262b663d9896249d8f752f5ebbdaddec4
Instruction Fuzzy Hash: 7751ADEB34C135BDB15281826B64EF7666EE7D67307308426FA07D5602FA842F8B3572

Function 04F2074A Relevance: 1.8, APIs: 1, Instructions: 322
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1e8b8b6da9853691b43d046a582d9a1169d84198a50d77241e2981d30c65f531
Instruction ID: 91645881722f6a1dae318b476d5d3aa858655404e8ecef9dd7f16d0dfb098413
Opcode Fuzzy Hash: 1e8b8b6da9853691b43d046a582d9a1169d84198a50d77241e2981d30c65f531
Instruction Fuzzy Hash: 9351B1EB24C134BDB15281822B24EF7676EE7D67307308466FA07D5642FA842E8B3572

Function 04F2072A Relevance: 1.8, APIs: 1, Instructions: 320
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d427579908de7d9aef2707efaa87411f2997a04c2386cc5bbfefec3d2129c4da
Instruction ID: d1af68fe2eb52c5b669bd87e06becf05fb9403c3a23d77b22309d38c4f70a2eb
Opcode Fuzzy Hash: d427579908de7d9aef2707efaa87411f2997a04c2386cc5bbfefec3d2129c4da
Instruction Fuzzy Hash: 3651A0EB34C135BDB15281826B64EF7666EE7D67307308426FA07D5602FA842F8B3572

Function 04F20740 Relevance: 1.8, APIs: 1, Instructions: 317COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 714519b39650dae0462d75ee086556fda541e9d2082f32ae1f5990ac5c431aa1
Instruction ID: f4a5008b81bccb9a1608cc1ebb7467009e3a879fbe751eafaf9be2bbf067289e
Opcode Fuzzy Hash: 714519b39650dae0462d75ee086556fda541e9d2082f32ae1f5990ac5c431aa1
Instruction Fuzzy Hash: 0551AFEB34C135BDB15281822B64EF7666EE7D67307308426FA07D5602FA842F8B3572

Function 04F2077A Relevance: 1.8, APIs: 1, Instructions: 311COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9f763e63ea2b91463dd96b5a61ea79a0f12dc650aa1aed573dbc1da200dcea2c
Instruction ID: 57993bde8f19fbedc0bcc6629de9814a27944b25b3e8963cd175c2227900a939
Opcode Fuzzy Hash: 9f763e63ea2b91463dd96b5a61ea79a0f12dc650aa1aed573dbc1da200dcea2c
Instruction Fuzzy Hash: B651BFEB34C134BDB15281826B24EF7676EE7C67307308466FA07D5602FA842F8B2572

Function 04F2076A Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 11362f2ec53fed3665223254255c4b6ddff48823f3f2283942acd67c7bd3cb37
Instruction ID: 76b9a41223da0f9bd909c11e5f01454aab37f19ebd7b7477f90f6e993e691a13
Opcode Fuzzy Hash: 11362f2ec53fed3665223254255c4b6ddff48823f3f2283942acd67c7bd3cb37
Instruction Fuzzy Hash: 05519EEB34C135BDB15281822B24EF7666EE7D67307308426FA07D5602FA842E8B2572

Function 04F2078E Relevance: 1.8, APIs: 1, Instructions: 310COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c2f51ec53fed7fe6a49ed9e8180eb0b2d2b243b05ecd5acfb5114c657843639e
Instruction ID: bff5d09da94219d9c5a6a3178b07482a49f439a682c5a0860547eac4740d9120
Opcode Fuzzy Hash: c2f51ec53fed7fe6a49ed9e8180eb0b2d2b243b05ecd5acfb5114c657843639e
Instruction Fuzzy Hash: D5518CEB24C135BDB15281822B24EF7676EE7D67307308466FA07D5602FA842E8B2572

Function 04F207A2 Relevance: 1.8, APIs: 1, Instructions: 303COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f38096758ca61cff166e4f3654fa6caad0bdcc6f9fdc9c139f021d5fd97661df
Instruction ID: 2a64b3c2d236d1802c680f967b66d20186b5d950b0a19de268d81b27fcc69dc3
Opcode Fuzzy Hash: f38096758ca61cff166e4f3654fa6caad0bdcc6f9fdc9c139f021d5fd97661df
Instruction Fuzzy Hash: F0517DEB34C135BDB15281826B24EF7676EE7D67307308466FA07D5602FA842F8B2572

Function 04F207CE Relevance: 1.8, APIs: 1, Instructions: 287COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 416f597d1c8129bed1f2bd2e178cc521b496bbdbde123b8895a6e8e61f45fe67
Instruction ID: 4f6b3faba9b9e37eda3645a31ecd324d05953f74450dfb1e5be5bae72084e47f
Opcode Fuzzy Hash: 416f597d1c8129bed1f2bd2e178cc521b496bbdbde123b8895a6e8e61f45fe67
Instruction Fuzzy Hash: A551B1EB34D135BDB15281822B24EF76A6EE7D67307308426FA07D5601FA846E8B3572

Function 04F207E8 Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: aa1383735b4767cfa3ef84c7961e454cf358453a9eef28254c6b955b310c2128
Instruction ID: 9bfb2721e2ad98b587685440d21bfa35cae1493a2ae604ed81c0a0b2118bfb1c
Opcode Fuzzy Hash: aa1383735b4767cfa3ef84c7961e454cf358453a9eef28254c6b955b310c2128
Instruction Fuzzy Hash: 5E51BFEB34C134BDB15281826B24EF7666EE7D67307308426FA07D5602FA842E8B2572

Function 04F2083D Relevance: 1.8, APIs: 1, Instructions: 262COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f0085a04489d2c56b64174e217f55439689d828fdabe32b7b8d5035049fa1dc2
Instruction ID: 7936c4cbac6ee35f604cfb630f24b0800e56e050f99c7b3ea5bda5661d04f793
Opcode Fuzzy Hash: f0085a04489d2c56b64174e217f55439689d828fdabe32b7b8d5035049fa1dc2
Instruction Fuzzy Hash: B951CFEB34C134BDB25281822B24AF7676EE7D67307308426FA07D5601FA842E8B6572

Function 04F2081F Relevance: 1.8, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04F20854

Memory Dump Source

Source File: 00000006.00000002.4491306058.0000000004F20000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F20000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f20000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: db62e7da7170c9c3747b7364dd7d5cd179f1786762f0e941ca7f8c9d31ade74e
Instruction ID: a6bcd02241e2c5613899a52d4d709e86026c10265fb3ed51a6068b505e2a2812
Opcode Fuzzy Hash: db62e7da7170c9c3747b7364dd7d5cd179f1786762f0e941ca7f8c9d31ade74e
Instruction Fuzzy Hash: 9651A0EB34C134BDB15281822B24EF76B6DE7D67307308467FA07D5601FA846E8B6572

Function 00532F0C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00526AF7,?,00000000,00000000,00000000,?,00000000,?,0051C023,00526AF7,00000000,0051C023,?,?), ref: 00533091

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a02dec9d02b863b18fa4371df5f5db66c4ea953b84439089080c75427818eb5c
Instruction ID: 89601debc8da8e5361d2657b6661ac46eb4bb5426dabb0e58dd1c715dc9b8f35
Opcode Fuzzy Hash: a02dec9d02b863b18fa4371df5f5db66c4ea953b84439089080c75427818eb5c
Instruction Fuzzy Hash: 7161FF71C0411AAFDF15DFA8C889EEEBFB9BF49304F140559E904AB242D372DA41DBA0

Function 004ABA20 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004ABB71

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 5bc5d19c601ffac92f364034007bc4566d3cb9284dcaa4e27eecc02c897b43d6
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: DE4127729001099BDB15DF68DD816AEBBA5FF96340F14026AFC04EB306D734EE5187E5

Function 00532582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00532469,00000000,CF830579,00571148,0000000C,00532525,0052662D,?), ref: 005325D8

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 31b36112d8d3467a8ff3422222cbfffd1626cbc95d85adf250caaba457ef09ca
Instruction ID: bc9873dbf6a6893779a1b811cfce8051342bb545deb1fc158519bddb594dd0d1
Opcode Fuzzy Hash: 31b36112d8d3467a8ff3422222cbfffd1626cbc95d85adf250caaba457ef09ca
Instruction Fuzzy Hash: D8114933604A2416DA3923746C5AB7E6F8A7FC3734F350219F9189F2C2EE71ED819251

Function 0052BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00570E00,0051C023,00000002,0051C023,00000000,?,?,?,0052BBD6,00000000,?,0051C023,00000002,00570E00), ref: 0052BB08

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0eb465050ea75c96f5ae74b35d6312b18970d91f09cd300cce5d55f2c70354a7
Instruction ID: 0f397070026dd6525e38acb49aaedaf2fb079d874b410e273776befa2d981463
Opcode Fuzzy Hash: 0eb465050ea75c96f5ae74b35d6312b18970d91f09cd300cce5d55f2c70354a7
Instruction Fuzzy Hash: 6701C432610265AFDF198F59EC45CAE3F69FF86324F240208F8119B2D1EB71ED519B90

Function 0051CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00441FDE

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 557d8e023e030bebac643801d6b6b953c5d046d101e21c4be8d0de1b84703fd1
Instruction ID: 28db6862278891d92f7f4a3bbe00283d552b999f922a93228321a0845c711948
Opcode Fuzzy Hash: 557d8e023e030bebac643801d6b6b953c5d046d101e21c4be8d0de1b84703fd1
Instruction Fuzzy Hash: E801263540020EA7DB14ABA8FC058CA7FECBE01364B508636F918AB190FB70E9D0C795

Function 00533E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0051B16C,?,?,005337E9,00000001,00000364,?,00000006,000000FF,?,0051E0EB,?,?,?,?), ref: 00533EA5

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c2efac4e1cc37871c7f0168ff8e68f4c2699d43950a4b01ad67c70ef0efe9631
Instruction ID: a7bdc691adbb87f0edaaa6fa314856a58346a90dd8c2e08cb7121ffd9a531989
Opcode Fuzzy Hash: c2efac4e1cc37871c7f0168ff8e68f4c2699d43950a4b01ad67c70ef0efe9631
Instruction Fuzzy Hash: C0F0E932509535669B326B715C05B6B3F4DBF82761F154511BC089A080DB74EE0873E0

Function 0053489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0051E0EB,?,?,?,?,?,00442D8D,0051B16C,?,?,0051B16C), ref: 005348D0

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b515764505151223242b3d0145b65b86860ee85b1bbecad418aa046d3baeeac
Instruction ID: fc8080a42db03bc1b731d5339c9fe025f025f8949d906c9f2f31192c3a957da0
Opcode Fuzzy Hash: 6b515764505151223242b3d0145b65b86860ee85b1bbecad418aa046d3baeeac
Instruction Fuzzy Hash: 2CE06D351126A25AE6212A796D05B6BFF4DFF833A0F160A31AC04A60D1DB70EC509AE1

Function 04F301F6 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4491361330.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f30000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 371fca12bdd04bc259d8924417494845d1f72bd55054a9c79d10db3325ffa84c
Instruction ID: 81e39f2d5a7c54e02ef5a110eef56f877a8ec5be0ad754721cf28f0e399a7882
Opcode Fuzzy Hash: 371fca12bdd04bc259d8924417494845d1f72bd55054a9c79d10db3325ffa84c
Instruction Fuzzy Hash: 90D022A334010CDFC020B8528C8473336A8E3202037A006A2F0839B0CDDAF2A08BEB90

Function 04F301EF Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4491361330.0000000004F30000.00000040.00001000.00020000.00000000.sdmp, Offset: 04F30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4f30000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d6c978aea92f6111e60f94cf3562a4bd6c5cf095efa80c47c0cc89692e08136
Instruction ID: c4d0c59ade625d62515f236380ab5a11d019a0bfd9c029b2cd37f559f2df85d8
Opcode Fuzzy Hash: 8d6c978aea92f6111e60f94cf3562a4bd6c5cf095efa80c47c0cc89692e08136
Instruction Fuzzy Hash: 2BB0927378C954CE0499E596A48963A6A90F7512233B005A3E4538A08EBEA6F05BF725

Non-executed Functions

Function 004AAE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004AAEB3
std::_Lockit::_Lockit.LIBCPMT ref: 004AAED5
std::_Lockit::~_Lockit.LIBCPMT ref: 004AAEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 004AAF1F
std::_Lockit::_Lockit.LIBCPMT ref: 004AAF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004AAFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004AAFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 004AB088
std::_Facet_Register.LIBCPMT ref: 004AB095

Strings

bad locale name, xrefs: 004AB0AF

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 0b683d8567a58570295f82b389718261da6ffaa80d1aec8ca33d174822eae808
Instruction ID: 95c165697748bb07a2090bf1e8a58c426f41e1f6c29759e125c03afb57618426
Opcode Fuzzy Hash: 0b683d8567a58570295f82b389718261da6ffaa80d1aec8ca33d174822eae808
Instruction Fuzzy Hash: F8619DB5D002459FEB20DFA4D889BDEBFB4BF65310F144059E808A7381E738E945CB96

Function 00443770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004437E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00443835
__Getctype.LIBCPMT ref: 0044384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0044386A
std::_Lockit::~_Lockit.LIBCPMT ref: 004438FF

Strings

bad locale name, xrefs: 0044391C
0:D, xrefs: 00443848

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:D$bad locale name
API String ID: 1840309910-3892007210
Opcode ID: 515cc488061c2545b068f53c42cb9114d8bb3f8b1ddbec7160b93d3b279eef7d
Instruction ID: fda69150531bda16cd9ca26006792c97c8e3d5b2b99f903a4955864525bf4417
Opcode Fuzzy Hash: 515cc488061c2545b068f53c42cb9114d8bb3f8b1ddbec7160b93d3b279eef7d
Instruction Fuzzy Hash: 7C517DF1D003499BEB10DFA4D88579EFBB8BF54704F144169E804AB381E779AA48CB92

Function 00520880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005208B7
___except_validate_context_record.LIBVCRUNTIME ref: 005208BF
_ValidateLocalCookies.LIBCMT ref: 00520948
__IsNonwritableInCurrentImage.LIBCMT ref: 00520973
_ValidateLocalCookies.LIBCMT ref: 005209C8

Strings

CQ, xrefs: 00520965, 0052096E, 0052097F
csm, xrefs: 0052095D

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: CQ$csm
API String ID: 1170836740-1629540169
Opcode ID: 37ee439ae3788193be2401b96ac71f6945aee16afde9a47c0e2bf3f242090fd0
Instruction ID: 892b8eca4c8ffbd67f8e13c428d3fcd27e890cbaaec1ed528d2dcec0e15f14aa
Opcode Fuzzy Hash: 37ee439ae3788193be2401b96ac71f6945aee16afde9a47c0e2bf3f242090fd0
Instruction Fuzzy Hash: 7441F834A012299BDF10DF68E885A9FBFB4BF46324F148055E8199B3D3D731EA45CB91

Function 004A9520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004A9543
std::_Lockit::_Lockit.LIBCPMT ref: 004A9566
std::_Lockit::~_Lockit.LIBCPMT ref: 004A9586
std::_Facet_Register.LIBCPMT ref: 004A95FB
std::_Lockit::~_Lockit.LIBCPMT ref: 004A9613
Concurrency::cancel_current_task.LIBCPMT ref: 004A962B

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a84ee0d12e363d936b25c413a612dab48eeb404fa12a6ac13a5abd8207b79779
Instruction ID: de8f14c0acf57d4a99a8082372a1e4b478b1c8d3972992462c2a792130925d69
Opcode Fuzzy Hash: a84ee0d12e363d936b25c413a612dab48eeb404fa12a6ac13a5abd8207b79779
Instruction Fuzzy Hash: 53412572C00215EFDB11DF54E845AAEBB74FF22724F14421AE8496B381E734AD45CBD5

Function 00445DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004460F2
___std_exception_destroy.LIBVCRUNTIME ref: 0044617F
___std_exception_copy.LIBVCRUNTIME ref: 00446248

Strings

recursive_directory_iterator::operator++, xrefs: 004461CC

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 3e18b17712177bf5265fc12b5abc2325fe6ab039e67610525fbe2c0cec0580fe
Instruction ID: 1d06802589ea73fce13163c7aba8697dab90b2f14e2b0a528c8456ff28b6ab32
Opcode Fuzzy Hash: 3e18b17712177bf5265fc12b5abc2325fe6ab039e67610525fbe2c0cec0580fe
Instruction Fuzzy Hash: F4E135B09006049FEB18DF68D945B9EFBF9FF45300F10461EE41697782D778AA48CBA6

Function 004484C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004486DE
___std_exception_destroy.LIBVCRUNTIME ref: 004486ED

Strings

, column , xrefs: 00448555, 0044856B
at line , xrefs: 00448518

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: f438a158de764309a5d7de61943b336f6b6a83696f5506c7cd7c4e7cc046346d
Instruction ID: d89484a9352427d1be0980e0a75dc34159763f03e212a92199492ec47daa3dd3
Opcode Fuzzy Hash: f438a158de764309a5d7de61943b336f6b6a83696f5506c7cd7c4e7cc046346d
Instruction Fuzzy Hash: 2D614971D002049FEB08DF68DD8579EBBB1FF85304F14421DE415A7792EB78AA84C795

Function 004B34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004B3946
___std_exception_destroy.LIBVCRUNTIME ref: 004B395F
___std_exception_destroy.LIBVCRUNTIME ref: 004B3A97
___std_exception_destroy.LIBVCRUNTIME ref: 004B3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 004B3C16
___std_exception_destroy.LIBVCRUNTIME ref: 004B3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 004B4479
___std_exception_destroy.LIBVCRUNTIME ref: 004B4492

Strings

value, xrefs: 004B439F

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: a686215d7c86d2877dfdf79b089aa33effc83b7203da67065bf1d3b6f3987aa4
Instruction ID: a7f5eb52dc91f40d6653cb30fa51c6de5449ad8de2bf0a83f850b077d2021710
Opcode Fuzzy Hash: a686215d7c86d2877dfdf79b089aa33effc83b7203da67065bf1d3b6f3987aa4
Instruction Fuzzy Hash: D951D170C00258DBEF14DFA8CD89BDEBFB4BF45304F144259E445A7282D7786A89CB65

Function 00443B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00443C0F

Strings

ios_base::eofbit set, xrefs: 00443BB6
ios_base::failbit set, xrefs: 00443AC8, 00443BB1
ios_base::badbit set, xrefs: 00443BA7, 00443BD2, 00443BF3

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c0fab6b057d7c44d7bc8bf273ddb6360478c3ff7ba6c7dd2d19e387b90159327
Instruction ID: 27a81e23bd6ef86c6132d47fac69e8c69bb94f2d27179c9f57a20ad9d35a8ad5
Opcode Fuzzy Hash: c0fab6b057d7c44d7bc8bf273ddb6360478c3ff7ba6c7dd2d19e387b90159327
Instruction Fuzzy Hash: EB1120B29007046BD700DF59C806B8ABBE8FF44310F04852BF9199B282F774EA40CB95

Function 004B2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 004B2F43

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 1be0ba8213fa319106f833cef62005a030918ab8cdf47c6686063a542cfd3880
Instruction ID: 1863fc12b4c8c22a32571629ad9a9098f86bfc2db798c264c467b2a639d7b4de
Opcode Fuzzy Hash: 1be0ba8213fa319106f833cef62005a030918ab8cdf47c6686063a542cfd3880
Instruction Fuzzy Hash: ABE1F271A001059FCB18DF28C990AADBBB5FF49310B14836AE819DB395E774ED51CBA4

Function 00448080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0044844D

Strings

parse error, xrefs: 00448149, 00448162
ror, xrefs: 004480D4

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 219ea096085af0855fa69d0c53ba53a85f8244524164dc71f6e1747b5cdedd92
Instruction ID: d87648fa63b1941d07e3f428191d0e7ebe501f95502ec30832eae1e074badcd8
Opcode Fuzzy Hash: 219ea096085af0855fa69d0c53ba53a85f8244524164dc71f6e1747b5cdedd92
Instruction Fuzzy Hash: BBC10571D006498FEB08CF68CD857ADBB71FF56304F14824DE4046B692EBB8AAC5CB95

Function 00447DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00448051
___std_exception_destroy.LIBVCRUNTIME ref: 00448060

Strings

[json.exception., xrefs: 00447E1C

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: bf6f9194f127504aebf295da9203bc9fa6d9b32cbd46d1bf6ef35faabf351988
Instruction ID: 6ec5fd873d7e8587c50a26fd6f3fa4c328a08a76d88962279f6ba1442ab2f585
Opcode Fuzzy Hash: bf6f9194f127504aebf295da9203bc9fa6d9b32cbd46d1bf6ef35faabf351988
Instruction Fuzzy Hash: 469107319102089FEB18CFA8CD85BDEBFB1FF55304F24425EE400AB692DBB5A985C795

Function 00443A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00443C0F

Strings

ios_base::failbit set, xrefs: 00443AC8
ios_base::badbit set, xrefs: 00443BA7, 00443BD2, 00443BF3

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ea6837f8c4ff6cad5dceb9142e0b39827ce9cb4da3849a50ab051b542a3c1c82
Instruction ID: 67b37fd40274e57d09512e34074f78903c5f66ed6417e7cd21571a913fb2aba9
Opcode Fuzzy Hash: ea6837f8c4ff6cad5dceb9142e0b39827ce9cb4da3849a50ab051b542a3c1c82
Instruction Fuzzy Hash: FE412671910204ABDB04DF58CC86BAEFBF8FF45710F14821AF91597782E774AA40CBA5

Function 004B45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004B4E29
___std_exception_destroy.LIBVCRUNTIME ref: 004B4E42
___std_exception_destroy.LIBVCRUNTIME ref: 004B594D
___std_exception_destroy.LIBVCRUNTIME ref: 004B5966

Strings

value, xrefs: 004B5873

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 8adb299e31bad10c3b415fde5024909d8bed926bb0010a19cab3ad34aca1eaf4
Instruction ID: 15243c0fe897c98c5a484ffeb1f9a09d76cfb7d8142b6d40522d4a3fc24e71c2
Opcode Fuzzy Hash: 8adb299e31bad10c3b415fde5024909d8bed926bb0010a19cab3ad34aca1eaf4
Instruction Fuzzy Hash: C551DFB0C00258DBEB14DFA8CC89BDEFFB4BF45304F14425AE405A7282D7786A89CB65

Function 004B99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004B99F1

Strings

type must be boolean, but is , xrefs: 004B9AE2
type must be string, but is , xrefs: 004B9A58

Memory Dump Source

Source File: 00000006.00000002.4483035016.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000006.00000002.4482949788.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483035016.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483266685.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4483321641.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4484923411.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4485278681.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 68b96d55fb9c92cb24553b03d0b2b0d497091bf1287fd7c910d5af23a8cb459a
Instruction ID: a2404520db50e7f3914f65a4c99942635b9c663db7f367f32c7c69bd1501c079
Opcode Fuzzy Hash: 68b96d55fb9c92cb24553b03d0b2b0d497091bf1287fd7c910d5af23a8cb459a
Instruction Fuzzy Hash: 763180B1900144AFD714EB94D842BDFBBA8FB15304F14426EF405D7791EB39AE44C799

Analysis Process: MPGPH131.exePID: 6484, Parent PID: 1068COMMON

Execution Graph

Execution Coverage:	2.1%
Dynamic/Decrypted Code Coverage:	1.7%
Signature Coverage:	0%
Total number of Nodes:	292
Total number of Limit Nodes:	30

Executed Functions

Function 0045EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000330,0000FFFF,00001006,?,00000008), ref: 0045ECC7
recv.WS2_32(?,00000004,00000002), ref: 0045ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0045ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0045ED6F
recv.WS2_32(00000000,?,00000008), ref: 0045EE0C

Part of subcall function 0045DB60: WSAStartup.WS2_32 ref: 0045DB8B
Part of subcall function 0045DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0045DC2E
Part of subcall function 0045DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0045DC42
Part of subcall function 0045DB60: closesocket.WS2_32(00000000), ref: 0045DC4D

recv.WS2_32(?,00000004,00000008), ref: 0045F033
Sleep.KERNELBASE(00000001), ref: 0045F09E
Sleep.KERNELBASE(00000064), ref: 0045F0AC
__Mtx_unlock.LIBCPMT ref: 0045F211

Strings

t;W, xrefs: 0045EC7A
50500, xrefs: 0045EC75

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$t;W
API String ID: 2930922264-3984008218
Opcode ID: 427da8cd55a5f1240dd8bb43ff905e75735173ab1db38bbf30c36bd63f0ad06f
Instruction ID: 3d5da47a67ea7fd6f4feecf2a3496ffa48af0a0cfff1e98a645f1a378fe65856
Opcode Fuzzy Hash: 427da8cd55a5f1240dd8bb43ff905e75735173ab1db38bbf30c36bd63f0ad06f
Instruction Fuzzy Hash: 18B1F331D00248DFEB24DFA8DC45BADBBB1FF55310F24821AE848A72D2D7746A89DB41

Function 0045E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005447E8,00000000,00000000,-005765B0), ref: 0045E3A6

Strings

131, xrefs: 0045F2C8
Ws2_32.dll, xrefs: 0045E37D
\;W, xrefs: 0045EB85
taW, xrefs: 0045F1CA
;W, xrefs: 0045E525
50500, xrefs: 0045EC75
t;W, xrefs: 0045EC7A

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;W$t;W$taW$;W
API String ID: 121738739-2827972449
Opcode ID: 7dca83bfbfcdca64b3f43f4cc8bb21066ab8cdfbf4449cb22754fcf25717ce22
Instruction ID: f41ea0fc75fba29c30876f1cfa7f082419e29d15f78d9e39430ef04ec94e9f7f
Opcode Fuzzy Hash: 7dca83bfbfcdca64b3f43f4cc8bb21066ab8cdfbf4449cb22754fcf25717ce22
Instruction Fuzzy Hash: 56D12231D04648DFDB18CFA9CC44BEEBBF1AF02301F684259D855AB2C2D774998ACB55

Function 0045DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0045DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0045DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0045DC42
closesocket.WS2_32(00000000), ref: 0045DC4D

Strings

50500, xrefs: 0045DBE8

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: d70a2d82d60dbef535e78f831859fae6c799879c68116cad20b5a9ff4f829ff2
Instruction ID: a1627e983cb4812fa3b111e5c6d5071ef93178c20839b72b19b4c30df4e0e10c
Opcode Fuzzy Hash: d70a2d82d60dbef535e78f831859fae6c799879c68116cad20b5a9ff4f829ff2
Instruction Fuzzy Hash: 3531E4729043015BD7218B288C85A2FB7E5FF89328F011F1EFDA4932E1E3749848C696

Function 05450969 Relevance: 1.8, APIs: 1, Instructions: 293
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0545092F

Memory Dump Source

Source File: 00000007.00000002.4490653117.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5450000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3ae837fd2bd95e9000dbe1d3e7f60304bf25383184602c93abbcb2d2bf511180
Instruction ID: f3337290d7777eb232d63f4d110f4d93f40e5fb7155f906acac19c2a911f7790
Opcode Fuzzy Hash: 3ae837fd2bd95e9000dbe1d3e7f60304bf25383184602c93abbcb2d2bf511180
Instruction Fuzzy Hash: F15199EF248120BDB256C1922B6CAFAAB6FE6D7730730852BFC0BD5507E6940E4E1031

Function 054508DB Relevance: 1.8, APIs: 1, Instructions: 282
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0545092F

Memory Dump Source

Source File: 00000007.00000002.4490653117.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5450000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: efa094d1ef4198521da4f586f0a99f4012e4203f0367064cc806104a57facaf3
Instruction ID: 9756603794b235ee7a6aa07e54b139b57a9084c4b55c7c7fbbbd200ec82db267
Opcode Fuzzy Hash: efa094d1ef4198521da4f586f0a99f4012e4203f0367064cc806104a57facaf3
Instruction Fuzzy Hash: 4E5126EF249121BDB156C5922B68AFA6B6FE6D7B307308427FC0BD5607E6940E4E5031

Function 05450905 Relevance: 1.8, APIs: 1, Instructions: 280
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0545092F

Memory Dump Source

Source File: 00000007.00000002.4490653117.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5450000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: df6365cab9bbcde5584199053119436e7177d62596b085b2c737c3e3ced14e76
Instruction ID: ae2d0cea13e9591d0f69fa024c37ec1e2102f9fb80121ef6b346c42e56f30b1f
Opcode Fuzzy Hash: df6365cab9bbcde5584199053119436e7177d62596b085b2c737c3e3ced14e76
Instruction Fuzzy Hash: 7A515AEF249120BDB256C1922B68AFAAB6FE6D77307308527FC0BD5547E6D40E4E5031

Function 054508F0 Relevance: 1.8, APIs: 1, Instructions: 274
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0545092F

Memory Dump Source

Source File: 00000007.00000002.4490653117.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5450000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ebc9171e321a225395ea056cdd5ee952327a92ac476d0b3915443249a4803c98
Instruction ID: 69a48fd4519daef5a3f9ff658c2df868dcc5d662482c67fa49fbe5c68421a449
Opcode Fuzzy Hash: ebc9171e321a225395ea056cdd5ee952327a92ac476d0b3915443249a4803c98
Instruction Fuzzy Hash: 375157EF248120BDB156C5922B6CAFAAB6FE6D6B307308527FC0BD5507E6940F4E1031

Function 05450985 Relevance: 1.8, APIs: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0545092F

Memory Dump Source

Source File: 00000007.00000002.4490653117.0000000005450000.00000040.00001000.00020000.00000000.sdmp, Offset: 05450000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5450000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 52b121d73a4bbd5e90f8fdba3719f986a4cfb3e63912822aa03a9b33aa5a304f
Instruction ID: 05181fe24ab00efadfbbac47dc6820c9e7eddb435d225845f6774a036c97f603
Opcode Fuzzy Hash: 52b121d73a4bbd5e90f8fdba3719f986a4cfb3e63912822aa03a9b33aa5a304f
Instruction Fuzzy Hash: 925138EF249120BDB156C1922B68AFAAB6FE6D6B307308527FC0BD5507E6D40E8E5031

Function 00532F0C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00526AF7,?,00000000,00000000,00000000,?,00000000,?,0051C023,00526AF7,00000000,0051C023,?,?), ref: 00533091

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a17dbfebab1aa79b15e0a181da90016fbe88d0d119c908d61b74fd0df51c02d2
Instruction ID: 4d94682702d7f6424607c5d46547817ed9dd9d4ce1935fa7840bb0380c6b2fa7
Opcode Fuzzy Hash: a17dbfebab1aa79b15e0a181da90016fbe88d0d119c908d61b74fd0df51c02d2
Instruction Fuzzy Hash: 1261F071D0411AAFDF15DFA8C889EEEBFB9BF49304F140159E904AB242D372CA01DBA0

Function 004ABA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004ABB71

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 5bc5d19c601ffac92f364034007bc4566d3cb9284dcaa4e27eecc02c897b43d6
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: DE4127729001099BDB15DF68DD816AEBBA5FF96340F14026AFC04EB306D734EE5187E5

Function 00532582 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00532469,00000000,CF830579,00571148,0000000C,00532525,0052662D,?), ref: 005325D8

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 4c64a32bacd993700b503bc5980d5870caed8b70aabeedeba3845a3f3c5a7468
Instruction ID: 1bfb0fd55f68e81be262918f88ec186ee23119f9928a2a7a71567fc3c6252f7b
Opcode Fuzzy Hash: 4c64a32bacd993700b503bc5980d5870caed8b70aabeedeba3845a3f3c5a7468
Instruction Fuzzy Hash: 6F112633604A2016CA3922746C5EB7E6F59BFC3734F250259F9189F2C2EEB1DD819151

Function 0052BACC Relevance: 1.6, APIs: 1, Instructions: 54
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00570E00,0051C023,00000002,0051C023,00000000,?,?,?,0052BBD6,00000000,?,0051C023,00000002,00570E00), ref: 0052BB08

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d7f7c9b44027ffcc00f6a46de1d064b9ca6320506a793986b2a8efa1b1ab6876
Instruction ID: 4d0e54ccc56df29ab1c8f5357c5fdcf3e75f5335ce596facc0224a7fde4c50f0
Opcode Fuzzy Hash: d7f7c9b44027ffcc00f6a46de1d064b9ca6320506a793986b2a8efa1b1ab6876
Instruction Fuzzy Hash: 12010432600265AFDF098F59DC49CAE3F29FF82320B240208F8119B2D1EB71DD419790

Function 0051CD02 Relevance: 1.6, APIs: 1, Instructions: 50
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00441FDE

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 557d8e023e030bebac643801d6b6b953c5d046d101e21c4be8d0de1b84703fd1
Instruction ID: 28db6862278891d92f7f4a3bbe00283d552b999f922a93228321a0845c711948
Opcode Fuzzy Hash: 557d8e023e030bebac643801d6b6b953c5d046d101e21c4be8d0de1b84703fd1
Instruction Fuzzy Hash: E801263540020EA7DB14ABA8FC058CA7FECBE01364B508636F918AB190FB70E9D0C795

Function 00533E63 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,0051B16C,?,?,005337E9,00000001,00000364,?,00000006,000000FF,?,0051E0EB,?,?,?,?), ref: 00533EA4

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2efc9586d8a1a65172764931545a71947003adcbab50ea08d2d103c3660b552a
Instruction ID: f54b4df57372b0e412d1db6fb285495d2c403ca8d1438a71dca8373f68097e49
Opcode Fuzzy Hash: 2efc9586d8a1a65172764931545a71947003adcbab50ea08d2d103c3660b552a
Instruction Fuzzy Hash: 66F0E932509535669B326B719C05B5B3F4DBF81761F154521BC04AA080DB74EE0873E0

Function 0053489D Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0051E0EB,?,?,?,?,?,00442D8D,0051B16C,?,?,0051B16C), ref: 005348D0

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6b515764505151223242b3d0145b65b86860ee85b1bbecad418aa046d3baeeac
Instruction ID: fc8080a42db03bc1b731d5339c9fe025f025f8949d906c9f2f31192c3a957da0
Opcode Fuzzy Hash: 6b515764505151223242b3d0145b65b86860ee85b1bbecad418aa046d3baeeac
Instruction Fuzzy Hash: 2CE06D351126A25AE6212A796D05B6BFF4DFF833A0F160A31AC04A60D1DB70EC509AE1

Function 0546006B Relevance: 1.4, Strings: 1, Instructions: 116COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: d7e3bacbab36b4a76d51b20ed660664d2b8d1d9d29e1c309ffb1cbb14f01e8e6
Instruction ID: 731bf2110a6fe4d6d3c03a18ccb76f6fd22db114d29b339ca225d4a3f0c1610d
Opcode Fuzzy Hash: d7e3bacbab36b4a76d51b20ed660664d2b8d1d9d29e1c309ffb1cbb14f01e8e6
Instruction Fuzzy Hash: 872101EB14C150BD6603D5A16B9CBF66F2BE5D32303318427F44BC4502F29A4E9B92B3

Function 05460000 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 79e7d845377201b3c250f7d5ba9954e6eef4b9522674c9c1af088638ea35d1c5
Instruction ID: 5780ff702c4f1434d80d6855033244f550db50b55164e3283bad82bf11ac44be
Opcode Fuzzy Hash: 79e7d845377201b3c250f7d5ba9954e6eef4b9522674c9c1af088638ea35d1c5
Instruction Fuzzy Hash: DC1149EB14C124BD7152D5923B6CBFA6A6FE1D67303318427F80BD5606E29A0E9B6073

Function 0546001D Relevance: 1.4, Strings: 1, Instructions: 103COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 14a2c84f0ee7ad9eb45695087ddc5c6831f655e0a5b2349b20336a49d881e261
Instruction ID: 39227e306807420c8f33bc443495e36960c33d2aed1812865d550f2c473c0b25
Opcode Fuzzy Hash: 14a2c84f0ee7ad9eb45695087ddc5c6831f655e0a5b2349b20336a49d881e261
Instruction Fuzzy Hash: 49119DEB14C124BD6152D5522B6CBFA6B6BE1D62303308427F80FD6602E2DA0F9B9173

Function 05460034 Relevance: 1.4, Strings: 1, Instructions: 100COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: e7f2106a536cdadfc0b875edbedfb660917dd783fa6f0f40b78160fe0b0d4fdd
Instruction ID: dc2933b657b8d70b54d7cd1b0f266c8cba558f1c97844b86706bae288df8ac34
Opcode Fuzzy Hash: e7f2106a536cdadfc0b875edbedfb660917dd783fa6f0f40b78160fe0b0d4fdd
Instruction Fuzzy Hash: D211BCEB18C114BD6142D1916B5CBF66A2FE1D22303318427B84B95602F2D64E9BA1B3

Function 0546004E Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 61665e4b144e6e51f24f7321c4aeb76598e4ab431359ac8caf00aea66dba8910
Instruction ID: 51ff2179769ee2a055ac2caa834fa8b9d90930c93ef1e411062523042b3dbe47
Opcode Fuzzy Hash: 61665e4b144e6e51f24f7321c4aeb76598e4ab431359ac8caf00aea66dba8910
Instruction Fuzzy Hash: D011ADEB18C124BD6142E1912B5CBF66B6FE1D23303308427F84BD5602E2D60F9BA173

Function 0546005D Relevance: 1.3, Strings: 1, Instructions: 85COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 81661d802e7d0862a5a0f4bfbf8d5befb51a60b7dcc87055361eb389838fea3d
Instruction ID: 8924896262e515742409e3ffd9249bf183b0e7018dc29355af1dcb46897b3572
Opcode Fuzzy Hash: 81661d802e7d0862a5a0f4bfbf8d5befb51a60b7dcc87055361eb389838fea3d
Instruction Fuzzy Hash: AB018CEB18C124BD6142D5912B5CBF67A6FE1D23303318437F84BD5602E2EA0E9BA133

Function 054600C3 Relevance: 1.3, Strings: 1, Instructions: 62COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 666d88cea79ab91a3cea39e10bc419dd1ffcffc7fd849a76ba30cfb1b39a11b9
Instruction ID: 8e2c51a6ffaca3382cdab60b37e7e6f6e913b0f5c1704309e263f774680118ec
Opcode Fuzzy Hash: 666d88cea79ab91a3cea39e10bc419dd1ffcffc7fd849a76ba30cfb1b39a11b9
Instruction Fuzzy Hash: CB01F2A704C260ADA243D5612B9C3F67F6BA6972307314563F88FC5602E3A60A979223

Function 054600AE Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: c7aa18b6dc4383e4260863fb672b6b728970474d34d19512a9a12aab6fa71091
Instruction ID: 4d90b3b6a5346afd798e9166b377afc1014c0a9d0169b9d0f5d4c47a020a8d47
Opcode Fuzzy Hash: c7aa18b6dc4383e4260863fb672b6b728970474d34d19512a9a12aab6fa71091
Instruction Fuzzy Hash: A2F0F4B718C120EE6243E5652B9D3F66A67A5932303714037F44B86602E6A60E96A123

Function 05460178 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: 53e5372769e6481ae35a8ccb7728566b7c52d2573b54e61324eaedcff741b3c2
Instruction ID: 27ba5ff34857001c7475168d8cafce6c6414a4b75765ff4b6db49f2540bc6b1e
Opcode Fuzzy Hash: 53e5372769e6481ae35a8ccb7728566b7c52d2573b54e61324eaedcff741b3c2
Instruction Fuzzy Hash: 490176A690C3547DD613E525558D7F27F27AB43232B290097D0CF89653F18746578193

Function 054600EA Relevance: 1.3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

Strings

wMQ>, xrefs: 0546014F

Memory Dump Source

Source File: 00000007.00000002.4490704244.0000000005460000.00000040.00001000.00020000.00000000.sdmp, Offset: 05460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_5460000_MPGPH131.jbxd

Similarity

API ID:
String ID: wMQ>
API String ID: 0-3442419732
Opcode ID: fa17500b1d1b616353e80842c3d253b0116e8a0943b212d9f8af9cfc925e0715
Instruction ID: ab8607ddc7f952dee45c666a143438c4f7a4ca0a5f64e756eb7cd61d370b91bf
Opcode Fuzzy Hash: fa17500b1d1b616353e80842c3d253b0116e8a0943b212d9f8af9cfc925e0715
Instruction Fuzzy Hash: D2E092EB19C124EE6553E1A6279C3F56A5BA1A31303710123F08FD6B02969B0F6B6023

Non-executed Functions

Function 004AAE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004AAEB3
std::_Lockit::_Lockit.LIBCPMT ref: 004AAED5
std::_Lockit::~_Lockit.LIBCPMT ref: 004AAEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 004AAF1F
std::_Lockit::_Lockit.LIBCPMT ref: 004AAF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004AAFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004AAFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 004AB088
std::_Facet_Register.LIBCPMT ref: 004AB095

Strings

bad locale name, xrefs: 004AB0AF

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 0b683d8567a58570295f82b389718261da6ffaa80d1aec8ca33d174822eae808
Instruction ID: 95c165697748bb07a2090bf1e8a58c426f41e1f6c29759e125c03afb57618426
Opcode Fuzzy Hash: 0b683d8567a58570295f82b389718261da6ffaa80d1aec8ca33d174822eae808
Instruction Fuzzy Hash: F8619DB5D002459FEB20DFA4D889BDEBFB4BF65310F144059E808A7381E738E945CB96

Function 00443770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004437E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00443835
__Getctype.LIBCPMT ref: 0044384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0044386A
std::_Lockit::~_Lockit.LIBCPMT ref: 004438FF

Strings

bad locale name, xrefs: 0044391C
0:D, xrefs: 00443848

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:D$bad locale name
API String ID: 1840309910-3892007210
Opcode ID: 515cc488061c2545b068f53c42cb9114d8bb3f8b1ddbec7160b93d3b279eef7d
Instruction ID: fda69150531bda16cd9ca26006792c97c8e3d5b2b99f903a4955864525bf4417
Opcode Fuzzy Hash: 515cc488061c2545b068f53c42cb9114d8bb3f8b1ddbec7160b93d3b279eef7d
Instruction Fuzzy Hash: 7C517DF1D003499BEB10DFA4D88579EFBB8BF54704F144169E804AB381E779AA48CB92

Function 00520880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005208B7
___except_validate_context_record.LIBVCRUNTIME ref: 005208BF
_ValidateLocalCookies.LIBCMT ref: 00520948
__IsNonwritableInCurrentImage.LIBCMT ref: 00520973
_ValidateLocalCookies.LIBCMT ref: 005209C8

Strings

CQ, xrefs: 00520965, 0052096E, 0052097F
csm, xrefs: 0052095D

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: CQ$csm
API String ID: 1170836740-1629540169
Opcode ID: 37ee439ae3788193be2401b96ac71f6945aee16afde9a47c0e2bf3f242090fd0
Instruction ID: 892b8eca4c8ffbd67f8e13c428d3fcd27e890cbaaec1ed528d2dcec0e15f14aa
Opcode Fuzzy Hash: 37ee439ae3788193be2401b96ac71f6945aee16afde9a47c0e2bf3f242090fd0
Instruction Fuzzy Hash: 7441F834A012299BDF10DF68E885A9FBFB4BF46324F148055E8199B3D3D731EA45CB91

Function 004A9520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004A9543
std::_Lockit::_Lockit.LIBCPMT ref: 004A9566
std::_Lockit::~_Lockit.LIBCPMT ref: 004A9586
std::_Facet_Register.LIBCPMT ref: 004A95FB
std::_Lockit::~_Lockit.LIBCPMT ref: 004A9613
Concurrency::cancel_current_task.LIBCPMT ref: 004A962B

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: a84ee0d12e363d936b25c413a612dab48eeb404fa12a6ac13a5abd8207b79779
Instruction ID: de8f14c0acf57d4a99a8082372a1e4b478b1c8d3972992462c2a792130925d69
Opcode Fuzzy Hash: a84ee0d12e363d936b25c413a612dab48eeb404fa12a6ac13a5abd8207b79779
Instruction Fuzzy Hash: 53412572C00215EFDB11DF54E845AAEBB74FF22724F14421AE8496B381E734AD45CBD5

Function 00445DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004460F2
___std_exception_destroy.LIBVCRUNTIME ref: 0044617F
___std_exception_copy.LIBVCRUNTIME ref: 00446248

Strings

recursive_directory_iterator::operator++, xrefs: 004461CC

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: 3e18b17712177bf5265fc12b5abc2325fe6ab039e67610525fbe2c0cec0580fe
Instruction ID: 1d06802589ea73fce13163c7aba8697dab90b2f14e2b0a528c8456ff28b6ab32
Opcode Fuzzy Hash: 3e18b17712177bf5265fc12b5abc2325fe6ab039e67610525fbe2c0cec0580fe
Instruction Fuzzy Hash: F4E135B09006049FEB18DF68D945B9EFBF9FF45300F10461EE41697782D778AA48CBA6

Function 004484C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004486DE
___std_exception_destroy.LIBVCRUNTIME ref: 004486ED

Strings

, column , xrefs: 00448555, 0044856B
at line , xrefs: 00448518

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: f438a158de764309a5d7de61943b336f6b6a83696f5506c7cd7c4e7cc046346d
Instruction ID: d89484a9352427d1be0980e0a75dc34159763f03e212a92199492ec47daa3dd3
Opcode Fuzzy Hash: f438a158de764309a5d7de61943b336f6b6a83696f5506c7cd7c4e7cc046346d
Instruction Fuzzy Hash: 2D614971D002049FEB08DF68DD8579EBBB1FF85304F14421DE415A7792EB78AA84C795

Function 004B34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004B3946
___std_exception_destroy.LIBVCRUNTIME ref: 004B395F
___std_exception_destroy.LIBVCRUNTIME ref: 004B3A97
___std_exception_destroy.LIBVCRUNTIME ref: 004B3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 004B3C16
___std_exception_destroy.LIBVCRUNTIME ref: 004B3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 004B4479
___std_exception_destroy.LIBVCRUNTIME ref: 004B4492

Strings

value, xrefs: 004B439F

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: a686215d7c86d2877dfdf79b089aa33effc83b7203da67065bf1d3b6f3987aa4
Instruction ID: a7f5eb52dc91f40d6653cb30fa51c6de5449ad8de2bf0a83f850b077d2021710
Opcode Fuzzy Hash: a686215d7c86d2877dfdf79b089aa33effc83b7203da67065bf1d3b6f3987aa4
Instruction Fuzzy Hash: D951D170C00258DBEF14DFA8CD89BDEBFB4BF45304F144259E445A7282D7786A89CB65

Function 00443B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00443C0F

Strings

ios_base::badbit set, xrefs: 00443BA7, 00443BD2, 00443BF3
ios_base::failbit set, xrefs: 00443AC8, 00443BB1
ios_base::eofbit set, xrefs: 00443BB6

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: c0fab6b057d7c44d7bc8bf273ddb6360478c3ff7ba6c7dd2d19e387b90159327
Instruction ID: 27a81e23bd6ef86c6132d47fac69e8c69bb94f2d27179c9f57a20ad9d35a8ad5
Opcode Fuzzy Hash: c0fab6b057d7c44d7bc8bf273ddb6360478c3ff7ba6c7dd2d19e387b90159327
Instruction Fuzzy Hash: EB1120B29007046BD700DF59C806B8ABBE8FF44310F04852BF9199B282F774EA40CB95

Function 004B2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 004B2F43

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 1be0ba8213fa319106f833cef62005a030918ab8cdf47c6686063a542cfd3880
Instruction ID: 1863fc12b4c8c22a32571629ad9a9098f86bfc2db798c264c467b2a639d7b4de
Opcode Fuzzy Hash: 1be0ba8213fa319106f833cef62005a030918ab8cdf47c6686063a542cfd3880
Instruction Fuzzy Hash: ABE1F271A001059FCB18DF28C990AADBBB5FF49310B14836AE819DB395E774ED51CBA4

Function 00448080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0044844D

Strings

ror, xrefs: 004480D4
parse error, xrefs: 00448149, 00448162

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 219ea096085af0855fa69d0c53ba53a85f8244524164dc71f6e1747b5cdedd92
Instruction ID: d87648fa63b1941d07e3f428191d0e7ebe501f95502ec30832eae1e074badcd8
Opcode Fuzzy Hash: 219ea096085af0855fa69d0c53ba53a85f8244524164dc71f6e1747b5cdedd92
Instruction Fuzzy Hash: BBC10571D006498FEB08CF68CD857ADBB71FF56304F14824DE4046B692EBB8AAC5CB95

Function 00447DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00448051
___std_exception_destroy.LIBVCRUNTIME ref: 00448060

Strings

[json.exception., xrefs: 00447E1C

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: bf6f9194f127504aebf295da9203bc9fa6d9b32cbd46d1bf6ef35faabf351988
Instruction ID: 6ec5fd873d7e8587c50a26fd6f3fa4c328a08a76d88962279f6ba1442ab2f585
Opcode Fuzzy Hash: bf6f9194f127504aebf295da9203bc9fa6d9b32cbd46d1bf6ef35faabf351988
Instruction Fuzzy Hash: 469107319102089FEB18CFA8CD85BDEBFB1FF55304F24425EE400AB692DBB5A985C795

Function 00443A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00443C0F

Strings

ios_base::badbit set, xrefs: 00443BA7, 00443BD2, 00443BF3
ios_base::failbit set, xrefs: 00443AC8

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: ea6837f8c4ff6cad5dceb9142e0b39827ce9cb4da3849a50ab051b542a3c1c82
Instruction ID: 67b37fd40274e57d09512e34074f78903c5f66ed6417e7cd21571a913fb2aba9
Opcode Fuzzy Hash: ea6837f8c4ff6cad5dceb9142e0b39827ce9cb4da3849a50ab051b542a3c1c82
Instruction Fuzzy Hash: FE412671910204ABDB04DF58CC86BAEFBF8FF45710F14821AF91597782E774AA40CBA5

Function 004B45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004B4E29
___std_exception_destroy.LIBVCRUNTIME ref: 004B4E42
___std_exception_destroy.LIBVCRUNTIME ref: 004B594D
___std_exception_destroy.LIBVCRUNTIME ref: 004B5966

Strings

value, xrefs: 004B5873

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 8adb299e31bad10c3b415fde5024909d8bed926bb0010a19cab3ad34aca1eaf4
Instruction ID: 15243c0fe897c98c5a484ffeb1f9a09d76cfb7d8142b6d40522d4a3fc24e71c2
Opcode Fuzzy Hash: 8adb299e31bad10c3b415fde5024909d8bed926bb0010a19cab3ad34aca1eaf4
Instruction Fuzzy Hash: C551DFB0C00258DBEB14DFA8CC89BDEFFB4BF45304F14425AE405A7282D7786A89CB65

Function 004B99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004B99F1

Strings

type must be string, but is , xrefs: 004B9A58
type must be boolean, but is , xrefs: 004B9AE2

Memory Dump Source

Source File: 00000007.00000002.4483096105.0000000000441000.00000040.00000001.01000000.00000005.sdmp, Offset: 00440000, based on PE: true

Associated: 00000007.00000002.4482993398.0000000000440000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4483096105.0000000000573000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484218525.0000000000577000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000058A000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.00000000007FA000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.0000000000835000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000083E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4484284014.000000000084C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485091844.000000000084D000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000007.00000002.4485398486.0000000000A02000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_440000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 68b96d55fb9c92cb24553b03d0b2b0d497091bf1287fd7c910d5af23a8cb459a
Instruction ID: a2404520db50e7f3914f65a4c99942635b9c663db7f367f32c7c69bd1501c079
Opcode Fuzzy Hash: 68b96d55fb9c92cb24553b03d0b2b0d497091bf1287fd7c910d5af23a8cb459a
Instruction Fuzzy Hash: 763180B1900144AFD714EB94D842BDFBBA8FB15304F14426EF405D7791EB39AE44C799

Analysis Process: RageMP131.exePID: 5080, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	3.9%
Signature Coverage:	0%
Total number of Nodes:	258
Total number of Limit Nodes:	25

Executed Functions

Function 0044EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000348,0000FFFF,00001006,?,00000008), ref: 0044ECC7
recv.WS2_32(?,00000004,00000002), ref: 0044ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0044ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0044ED6F
recv.WS2_32(00000000,?,00000008), ref: 0044EE0C

Part of subcall function 0044DB60: WSAStartup.WS2_32 ref: 0044DB8B
Part of subcall function 0044DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0044DC2E
Part of subcall function 0044DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0044DC41
Part of subcall function 0044DB60: closesocket.WS2_32(00000000), ref: 0044DC4D

recv.WS2_32(?,00000004,00000008), ref: 0044F033
Sleep.KERNELBASE(00000001), ref: 0044F09E
Sleep.KERNELBASE(00000064), ref: 0044F0AC
__Mtx_unlock.LIBCPMT ref: 0044F211

Strings

50500, xrefs: 0044EC75
t;V, xrefs: 0044EC7A

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$t;V
API String ID: 2930922264-2591036556
Opcode ID: d393921af02ab6cee96da01b195a456d164395c7410e4db754ecc35979b7a9e6
Instruction ID: 297b87c2e486343adb1abb9dd4429bbbd080a6d4c5acb10f03cea99bcf16b96c
Opcode Fuzzy Hash: d393921af02ab6cee96da01b195a456d164395c7410e4db754ecc35979b7a9e6
Instruction Fuzzy Hash: A6B1D231D00249DFEB10DFA8CC45BADBBB5FF55300F24826AE445A72D2DBB46989CB41

Function 0044E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005347E8,00000000,00000000,-005665B0), ref: 0044E3A6

Strings

\;V, xrefs: 0044EB85
50500, xrefs: 0044EC75
Ws2_32.dll, xrefs: 0044E37D
taV, xrefs: 0044F1CA
131, xrefs: 0044F2C8
t;V, xrefs: 0044EC7A
;V, xrefs: 0044E525

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;V$t;V$taV$;V
API String ID: 121738739-25841771
Opcode ID: 3c65a8e673d1c4f0b9fc3a3ef7749b269ef8c55b978382efba52775058244613
Instruction ID: 32657578ee02ea9d3f2551ca0590bde6334cf648b0b3c771aa5defef7c166fc1
Opcode Fuzzy Hash: 3c65a8e673d1c4f0b9fc3a3ef7749b269ef8c55b978382efba52775058244613
Instruction Fuzzy Hash: 31D10230D04248DFEB14CFA9CC54BADBBF1BF46300F684259D851AB2D2D7749886CB95

Function 0044DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0044DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0044DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0044DC41
closesocket.WS2_32(00000000), ref: 0044DC4D

Strings

50500, xrefs: 0044DBE8

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: 950b60f069457f15a8b5708e4618f7f3df929606f3238b13426cecd98f9bcb87
Instruction ID: 5cdb830fbec59ba73a89d39f1dcff458493d06c7a412a48cf8ff9b9b15b4fa51
Opcode Fuzzy Hash: 950b60f069457f15a8b5708e4618f7f3df929606f3238b13426cecd98f9bcb87
Instruction Fuzzy Hash: 3B31C4719043055BD7219B289C85A2FB7E4FF89734F111F1EF9A4A32E0E3759904C696

Function 050D07DA Relevance: 1.8, APIs: 1, Instructions: 330
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b065c47a9e44c7fdf4c79b694eae47e95a3ddc35bbfb3144e1c0c08a28ee666c
Instruction ID: ff611a9e4d524257a5a8d7a838039a4be701c7915bd9bee0adaf31405743ac5e
Opcode Fuzzy Hash: b065c47a9e44c7fdf4c79b694eae47e95a3ddc35bbfb3144e1c0c08a28ee666c
Instruction Fuzzy Hash: 4361A0EB24D3117DB242C1953B78AFEEB6EE6D6730B30846AF40BD6542F2984E4A5131

Function 050D07E6 Relevance: 1.8, APIs: 1, Instructions: 325
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 009e0e18a8e72eb2c9220638d16b20e0ef0fb728090bb7dae74a460fd5c6396c
Instruction ID: 276ccd8b73402d6fea9a3410f0dadea3cb96b6d4271a11bf76094daee472a6b1
Opcode Fuzzy Hash: 009e0e18a8e72eb2c9220638d16b20e0ef0fb728090bb7dae74a460fd5c6396c
Instruction Fuzzy Hash: 7A51C1EB24D3117DB142C1957B78AFEEB6EE6D7730B30846AF44BD6502F2984E4A5031

Function 050D0811 Relevance: 1.8, APIs: 1, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948d4b01545bdb271fb23e88fccc468db19d33f21ce969e2ae565fa741149d49
Instruction ID: 815cccb72bad1288b6cd981fb54d782c8fbe1afdf0fdd0f816cc477c89192c15
Opcode Fuzzy Hash: 948d4b01545bdb271fb23e88fccc468db19d33f21ce969e2ae565fa741149d49
Instruction Fuzzy Hash: 1451E2EB20D3117DB242C1953B7CAFEEB6EE6D6730B30846AF40BC6542F2994E4A5171

Function 050D0834 Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 9fc15c96d8dea845e962c343bf0622c44fc7baa32e4e74a7ea2926a5f164e5fd
Instruction ID: d0dd427f2fa4a714da88f1e37d5c9ae27f7292aae44a5fb4fbe4d2ace73ea7e8
Opcode Fuzzy Hash: 9fc15c96d8dea845e962c343bf0622c44fc7baa32e4e74a7ea2926a5f164e5fd
Instruction Fuzzy Hash: 38519EEB24D311BDB142C1857B78AFEEB6EE6D6730B30846AF40BD6542F2984E895071

Function 050D088E Relevance: 1.8, APIs: 1, Instructions: 285
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a9e17cad45048818508cea1536feaebd8df47d25cfa9afc79f7947eade54b26
Instruction ID: 3731241b36feca466428f8d336c7d87338df533196ead8e0d5691d141874f884
Opcode Fuzzy Hash: 7a9e17cad45048818508cea1536feaebd8df47d25cfa9afc79f7947eade54b26
Instruction Fuzzy Hash: D051B2EB24D3117DB102C1857B78AFFEB6EE6D6730B30846AF40BD5502F2984E8A5071

Function 050D0868 Relevance: 1.8, APIs: 1, Instructions: 270
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5dd51a3f2eb3f872ff0ecf41e0bdf06e49c3ab5bb501e7c5d5e17366599ded98
Instruction ID: fb2bea144eb4df2d33e7fd4605e3565b89fc3705da9e9d6c8c0d609dce60be1f
Opcode Fuzzy Hash: 5dd51a3f2eb3f872ff0ecf41e0bdf06e49c3ab5bb501e7c5d5e17366599ded98
Instruction Fuzzy Hash: 1F51B0EB24D311BDB102C1857B78AFEEB6EE6D6730B30846AF40BD6542F2984E895171

Function 050D08AF Relevance: 1.7, APIs: 1, Instructions: 237
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3dc3c3a10d0ae66e2bb287de775d8d7f9816f1998045eb6ccd81486c522a3029
Instruction ID: a5784368dfcf9806ae30204f3bbb9c69638af03ec38d6399655d618e34264ea9
Opcode Fuzzy Hash: 3dc3c3a10d0ae66e2bb287de775d8d7f9816f1998045eb6ccd81486c522a3029
Instruction Fuzzy Hash: 0141C0EB24D311BDB202C1953B78AFEEA6FE6D6730F30846AF40BD6502F6984A495071

Function 050D08CD Relevance: 1.7, APIs: 1, Instructions: 234
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 13009bacccc5111a20f9a66d44193b180019fafe093e5d70fb8c9db67e999517
Instruction ID: 719d9d3c67425d371b950182236468bea6e5dfa500a562f45eaab5b99469a465
Opcode Fuzzy Hash: 13009bacccc5111a20f9a66d44193b180019fafe093e5d70fb8c9db67e999517
Instruction Fuzzy Hash: A541F6EB24D3117EF202C1953B78AFEEA6FE6D7730B30806AF40BD6542F6994A495131

Function 050D0974 Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 72627452fced1c1a42ee6b6bc7299be4099342904b8455f34ba5375a61f5ce1e
Instruction ID: 5071f700c4fe54427d7f7ebf9c5788d1b4743c84426fc9eb58120d0f35bed1fd
Opcode Fuzzy Hash: 72627452fced1c1a42ee6b6bc7299be4099342904b8455f34ba5375a61f5ce1e
Instruction Fuzzy Hash: 1241F3EB24C3017DF202C1957A78AFEEB6EE6D6730F308466F40BD6542F2984A4A1031

Function 050D0921 Relevance: 1.7, APIs: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c9047fb74f886fd40628a52803312b1891407caad072503a2880334793c75474
Instruction ID: 2add28cb5bf5f4c8e9d8102575fd9a3604f0eb6445763d85e411873b0667d913
Opcode Fuzzy Hash: c9047fb74f886fd40628a52803312b1891407caad072503a2880334793c75474
Instruction Fuzzy Hash: 9A41F2EB24D3117DB202C1957A78AFEEB6EE6D6730F308466F40BD6542F2984A495131

Function 050D0903 Relevance: 1.7, APIs: 1, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25cd0a6755d12b55fc9c08d3a1324e038b0e55b880105ce73ef027ba83a15e90
Instruction ID: 1bd3c8d9db70d1a718a6da1ab036d5a6611418ae2fd7fba5a46fa117b0455d4d
Opcode Fuzzy Hash: 25cd0a6755d12b55fc9c08d3a1324e038b0e55b880105ce73ef027ba83a15e90
Instruction Fuzzy Hash: 6D41E1EB24D3117DB202C1853B7CAFEEA6EE6D7730F30846AB40BD6502F6D84A895031

Function 050D0908 Relevance: 1.7, APIs: 1, Instructions: 213COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 3674360d25b8ebc982adcb3881aa0a5ef1ecca36f2b9a908573e6b109874e6be
Instruction ID: 14e9a40f959ed72017a837eed388c0255a46c5810d01d2d619eb1f96413a0bba
Opcode Fuzzy Hash: 3674360d25b8ebc982adcb3881aa0a5ef1ecca36f2b9a908573e6b109874e6be
Instruction Fuzzy Hash: C841EFEB24D3117DB202C1957B7CAFEEA6EE6D7730F30846AB40BD6502F6D84A895031

Function 050D08F9 Relevance: 1.7, APIs: 1, Instructions: 213
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 50f0425ef2573198d8ce34e5dc33e0333faf9e27656ea186f7105b21907905b1
Instruction ID: 4f59411be0b744ae663e17cf34a52b8ce72abd00158dde25cfefbf7bb05337c9
Opcode Fuzzy Hash: 50f0425ef2573198d8ce34e5dc33e0333faf9e27656ea186f7105b21907905b1
Instruction Fuzzy Hash: 9341DFEB24D3117DB102C1853B7CAFEEA6EE6D7730F30846AB40BD6502F6D84A895031

Function 00522F0C Relevance: 1.7, APIs: 1, Instructions: 198fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00516AF7,?,00000000,00000000,00000000,?,00000000,?,0050C023,00516AF7,00000000,0050C023,?,?), ref: 00523091

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 1e9188cc5c60968d23d47b5d09cb5a85b74e22c68fa8f1cae901f94ae7a6d7eb
Instruction ID: 95a2e221f5ef6ecbaf0cf5769133f1c508d5378db8a1ee5e03a003a0da87318e
Opcode Fuzzy Hash: 1e9188cc5c60968d23d47b5d09cb5a85b74e22c68fa8f1cae901f94ae7a6d7eb
Instruction Fuzzy Hash: 6A61F475D0412ABFDF11CFA8E889AEEBFB9BF0A304F140145E900A7281D375CA11DBA0

Function 050D095C Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 50225482400fc6d857f6239e52c31018fa34f0fdb851541bb2c2a4af325dbf4c
Instruction ID: 0e49f063ad2c14df369aebb8c7459cb1bd48790bc22300773fff08231246c2a3
Opcode Fuzzy Hash: 50225482400fc6d857f6239e52c31018fa34f0fdb851541bb2c2a4af325dbf4c
Instruction Fuzzy Hash: 1B318BEB24D3157DB142D1853B78AFEEA6FE6D6730F308466B40BD6542F6D84A8A1031

Function 050D0965 Relevance: 1.7, APIs: 1, Instructions: 191COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 82d65a095fa7413bbb2efe03d6ab9428e61eb2a31036d7a288b535f9bbfc2d1e
Instruction ID: baecbf61a15803ceaa49ec95d137e7822ae65af11e72a6b2297edac0a03a24a2
Opcode Fuzzy Hash: 82d65a095fa7413bbb2efe03d6ab9428e61eb2a31036d7a288b535f9bbfc2d1e
Instruction Fuzzy Hash: 35318AEB24D3116DB242D1853B78AFEEA6EE6D7730F308466B40BD6542F6994A8A1031

Function 050D09CE Relevance: 1.7, APIs: 1, Instructions: 185COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 448b1648097bafcbffa2212c766e2c5842729291d120f7972c13190fbedea682
Instruction ID: 607b7cc7c19612e2d69f8538dc0ad41f043aaabbde92a86d8dd05b0231062816
Opcode Fuzzy Hash: 448b1648097bafcbffa2212c766e2c5842729291d120f7972c13190fbedea682
Instruction Fuzzy Hash: 5331A9AB24D3116DB102C1953B78AFEEA6EE6D6730F30846AF40BD6542F6994A8A5031

Function 050D09B0 Relevance: 1.7, APIs: 1, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 7b8bd9c6233181938c23f79d15e5a70d4da4845e53e078f885d75a5129e5661c
Instruction ID: 4ec65e6ed71b8c89cc821110602845016f592a7fb16b34d2212e8eae61d4ed6a
Opcode Fuzzy Hash: 7b8bd9c6233181938c23f79d15e5a70d4da4845e53e078f885d75a5129e5661c
Instruction Fuzzy Hash: 7A3103EB24D3117DA101D0953B7CAFEAB6FE6E2730F308466F40BD6442F6D84A890030

Function 050D09EB Relevance: 1.7, APIs: 1, Instructions: 166COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 77b56d3ba5b72a1259d71c865195e842badcd6ac21676f1c671c64ce9ccd2150
Instruction ID: 5308c67dba2e20de9a68b4175c82bba89a1d9a35cb223043e607036edaf3998e
Opcode Fuzzy Hash: 77b56d3ba5b72a1259d71c865195e842badcd6ac21676f1c671c64ce9ccd2150
Instruction Fuzzy Hash: 773128EB20D3116DE202D1A53A7C9FEBB6EE9D3730B3484B6F40BC6542F6844A4A5131

Function 050D0A3B Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d26ccff6a55f2bbe8b1e41526ed821b8cc46810b43632bca2467667585f5eff9
Instruction ID: 8784307d69440fafe836f6f99a5ca32287bd5aeb193142547d1a28931252a9c0
Opcode Fuzzy Hash: d26ccff6a55f2bbe8b1e41526ed821b8cc46810b43632bca2467667585f5eff9
Instruction Fuzzy Hash: 9121B1EB24D3117DB142D1953B7CAFEAA6FE5E3730B308466F40BD6542F6C94A4A1071

Function 050D0A61 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f0558ece69286dec871bb14cefcd7506339f76bec89081eed112190cefce8b52
Instruction ID: 6a325236729764d8ada90aafb2e64e3f2cdb935d91459389884bff91b56f4647
Opcode Fuzzy Hash: f0558ece69286dec871bb14cefcd7506339f76bec89081eed112190cefce8b52
Instruction Fuzzy Hash: 8A21B4EB24C3117DB142D1953B78AFEAB6FE6D3B30B308466F40BD6542F6D54A491071

Function 0049BA20 Relevance: 1.6, APIs: 1, Instructions: 135COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0049BB71

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 38e6669dc504038121b06ab4bb6f7e6ac73a319efce4e92aa354c026f24c6135
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 9341EF729001099BCF15DF68EA816AEBFA5EF85350F24067AF804EB345D734EE118BE5

Function 050D0A87 Relevance: 1.6, APIs: 1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 766fce06e08b454b0b462ee2350c006fca1fd2875248255f4042990b7c50c085
Instruction ID: 77a28ecb99bf2ac93b0464678b28f6a85e723fa23b5228dc66eb092871017e09
Opcode Fuzzy Hash: 766fce06e08b454b0b462ee2350c006fca1fd2875248255f4042990b7c50c085
Instruction Fuzzy Hash: 5D2105EF24D3113DA102D1943A7C9FEAB6FEAD3B30B308466F407C6542F6D44A8A4171

Function 050D0A78 Relevance: 1.6, APIs: 1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 68e406ea25fb65979513da9e68a47cdd9c251ebe559016c8ba6f12a7ce902dd9
Instruction ID: 01b603efa064418d46f4ad0b489f2c820817de149139f42358d3e4f5851b15ce
Opcode Fuzzy Hash: 68e406ea25fb65979513da9e68a47cdd9c251ebe559016c8ba6f12a7ce902dd9
Instruction Fuzzy Hash: 8121DEEB24C3113DA112C1953B78AFEAB6FE9D3730B30846AF40BC6542F6C84A8A1131

Function 050D0A35 Relevance: 1.6, APIs: 1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 12c110a9b1be7161cb2b62784ccb11ee0f00711cac6b4fe4a2e644b2e51d35c2
Instruction ID: 011101d9e2a2c5807f3ff9cd3a6ee8c3c1ac9f45b31704356c053b28582ac0bc
Opcode Fuzzy Hash: 12c110a9b1be7161cb2b62784ccb11ee0f00711cac6b4fe4a2e644b2e51d35c2
Instruction Fuzzy Hash: BC21CFEB24D3117DA112D1953B7CAFEAA6FEAD3730B308466F40BC6542F6D84E8A1071

Function 050D0AF7 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8a7912dac3ad7bef5e238aa74616fd21fac611fd17b34c92b5a0e7368ecca2cd
Instruction ID: 5352671bbf5a12fec1b8a42f35a046705cc73be7d6f6f78d85caa6799dd8b41e
Opcode Fuzzy Hash: 8a7912dac3ad7bef5e238aa74616fd21fac611fd17b34c92b5a0e7368ecca2cd
Instruction Fuzzy Hash: 4321F3EB64C3123DA512D1943B789FEAB6FEAD3B70B3084A6F407C6502F6C48A460170

Function 050D0AB4 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fbaaa6fc1c4a1601f5773833524989a6bf4bd3edb1fa348520f804c28437a7b2
Instruction ID: 264db568f55d92a889bd8b023c1e3537e898ebb180b2de23065b4ef0ca6660f8
Opcode Fuzzy Hash: fbaaa6fc1c4a1601f5773833524989a6bf4bd3edb1fa348520f804c28437a7b2
Instruction Fuzzy Hash: 7C11F0EF24C3117DB512D1957A38AFEAA6FEAC3B30B308476F407C2502F6D48A461130

Function 050D0A9F Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6a4beab17206f935bd8a602bced2b25722a3fcd94fdfd5a2e4a7e53b08e9c369
Instruction ID: 8a769ee2046cfe8a81920f80d488a62f24db446a54474c5931388323b41646a4
Opcode Fuzzy Hash: 6a4beab17206f935bd8a602bced2b25722a3fcd94fdfd5a2e4a7e53b08e9c369
Instruction Fuzzy Hash: 0A21CFFF24C3116DA112D5957B68AFEAA6FEAD2730B30846AF447C6A42F6D48A491031

Function 050D0AA8 Relevance: 1.6, APIs: 1, Instructions: 106COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 050D0AC5

Memory Dump Source

Source File: 00000008.00000002.4490363577.00000000050D0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50d0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5503a612ac03a826bc3db4a15c26ccac0f037448f58bebd4b6cfe1952bcd7b2a
Instruction ID: a12c463b8f817acd513ca1bb1d06a87d69d12cf59e04dfdebb5c6b6cbecc16b4
Opcode Fuzzy Hash: 5503a612ac03a826bc3db4a15c26ccac0f037448f58bebd4b6cfe1952bcd7b2a
Instruction Fuzzy Hash: 7611B1EF24C3117CB112D1953B78AFEAA6FE6D3B30B308466F407C6502F6D44A4A1171

Function 00522582 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00522469,00000000,CF830579,00561148,0000000C,00522525,0051662D,?), ref: 005225D8

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 7065f637503a8d4ca45942863ecb588bc683bef4fbde48e403e01f42ffbc4b93
Instruction ID: fda775816cf9dd6fa493c8f0480b35bdffc27146abc29f4099cbddf23ab613b7
Opcode Fuzzy Hash: 7065f637503a8d4ca45942863ecb588bc683bef4fbde48e403e01f42ffbc4b93
Instruction Fuzzy Hash: 5F11043770623426D62522B47C9ABBE6F897FD3734F254209F9089F2C2EE659C819291

Function 0051BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00560E00,0050C023,00000002,0050C023,00000000,?,?,?,0051BBD6,00000000,?,0050C023,00000002,00560E00), ref: 0051BB08

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 8614b097bf1192742ed399538048555045c87b92c1f59b7513f75a615109ab37
Instruction ID: 0a1c98d1bef34d502cee1fa2f0e95b958cb2c31a2818f8694da7a6d0ba4ae88f
Opcode Fuzzy Hash: 8614b097bf1192742ed399538048555045c87b92c1f59b7513f75a615109ab37
Instruction Fuzzy Hash: B6010032604155AFEF1A9F59DC49CEE3F29FF91320F240208F8119B2D0EAB1ED819B90

Function 0050CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00431FDE

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5cd4db2ff6868d8fa905581d9cad760b6f661d469c2f88477529f3b2c12f6310
Instruction ID: 65685f2945995c6cb1b21799916f1236761673d58994d2f8d6b174951a5d4f96
Opcode Fuzzy Hash: 5cd4db2ff6868d8fa905581d9cad760b6f661d469c2f88477529f3b2c12f6310
Instruction Fuzzy Hash: DF012B3640030E67CB14AB98EC0548D7FACFF01360B608636F514A7191FB70E9908791

Function 00523E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0050B16C,?,?,005237E9,00000001,00000364,?,00000006,000000FF,?,0050E0EB,?,?,?,?), ref: 00523EA4

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e537fc6146272ccd34c46ab6b15da49e318e175c397306250111ffa69ba5cff7
Instruction ID: ebacab196d84f5fd9d44a18a9126b7caf5fd171c3d1475977f6011dda8370292
Opcode Fuzzy Hash: e537fc6146272ccd34c46ab6b15da49e318e175c397306250111ffa69ba5cff7
Instruction Fuzzy Hash: A2F0E93254553566AF326B71AC06B5B3F4EBF83760B174112FC04960D0DB74EE0C82E0

Function 0052489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0050E0EB,?,?,?,?,?,00432D8D,0050B16C,?,?,0050B16C), ref: 005248CF

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 8106bfc15f6d3ae70d12e9973eabba0018c5ae2347538128d22daed4ce2a7184
Instruction ID: dd70dbde15ab33a7b7721d5b817aac0426981fb7db433fc9e9cada34ce6d1c89
Opcode Fuzzy Hash: 8106bfc15f6d3ae70d12e9973eabba0018c5ae2347538128d22daed4ce2a7184
Instruction Fuzzy Hash: ACE0E5321625B256E6212235AC0579B3E4CBF837A0F160231AC00A60D0DB60CC008AE1

Function 050E0202 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490422980.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23832bbf7720281a8987c950354b9d6d8082834284beb2751d192b4f27cb997f
Instruction ID: df0466c96143039c9ad060c397f1afc3dd448849ff80ad1cf0fc839edb3a5be4
Opcode Fuzzy Hash: 23832bbf7720281a8987c950354b9d6d8082834284beb2751d192b4f27cb997f
Instruction Fuzzy Hash: BC2126FB20D1517EA212C1A07A7C9FE3BEAE5D673033488ABF482C6106D1955A4F5231

Function 050E02B3 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490422980.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8755c49814ddf8ff4f37015553dda5a8c6177a06c0029ade7e89f1945ce7ae21
Instruction ID: 01b9b5f827b1746b616f62c948e058a0fb0ff15b3bddf09049e24f7b6e6c51c0
Opcode Fuzzy Hash: 8755c49814ddf8ff4f37015553dda5a8c6177a06c0029ade7e89f1945ce7ae21
Instruction Fuzzy Hash: 56F03CBB24D2216EB252C5A23B289FF63ADE5D1730731C83FF802C1406D2981A4E5131

Function 050E0289 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490422980.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c70e4f88e10ae827c97d658f799e9fb867eef8e163542460865ceb9f37bdfa0
Instruction ID: 64ebfe622f9c380663dd481075b5ca4ffd05b1071511903c8d8448c9ca45761f
Opcode Fuzzy Hash: 5c70e4f88e10ae827c97d658f799e9fb867eef8e163542460865ceb9f37bdfa0
Instruction Fuzzy Hash: 51F0D4FB24D122BD7102D0923F38AFF53AEE0D6B31371C82BF846C1406E6995A4E6035

Function 050E0298 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.4490422980.00000000050E0000.00000040.00001000.00020000.00000000.sdmp, Offset: 050E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_50e0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d489591888708741edb868b4aaea8733dbb5cb3c33e05d2e10348847eef2597
Instruction ID: 38da5205d0186968a9861f801508ba7d28bd4ab8ab1fae2e867bc3da2fa5974c
Opcode Fuzzy Hash: 3d489591888708741edb868b4aaea8733dbb5cb3c33e05d2e10348847eef2597
Instruction Fuzzy Hash: 30F0DAFB64D1627DB242D5923F38AFE67ADE5D6B31331C82BF842C5406E2844A4E6531

Non-executed Functions

Function 0049AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0049AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0049AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0049AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0049AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0049AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0049AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0049AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0049B088
std::_Facet_Register.LIBCPMT ref: 0049B095

Strings

bad locale name, xrefs: 0049B0AF

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 68216ce3bc69d52a7a802c54116f71c3b90133f8ea19c604a611106445964900
Instruction ID: 28ca33799d53fc0c0cfaa529572509b1fd599d11d558bee70b65712794e4df74
Opcode Fuzzy Hash: 68216ce3bc69d52a7a802c54116f71c3b90133f8ea19c604a611106445964900
Instruction Fuzzy Hash: A0617FB5D002459BEF20DFA8D889B9EBFB4BF54310F144069E815A7381EB74ED09CB96

Function 00433770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004337E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00433835
__Getctype.LIBCPMT ref: 0043384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0043386A
std::_Lockit::~_Lockit.LIBCPMT ref: 004338FF

Strings

bad locale name, xrefs: 0043391C
0:C, xrefs: 00433848

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:C$bad locale name
API String ID: 1840309910-3345558881
Opcode ID: 6c8b277a969f683e398eedf38784c3077d70f9096ad59c91777d6b1bab1261a6
Instruction ID: bf5337a2d8456d9a7b3cc25296a201f84bee19edd370540545fe3331f5bb3e90
Opcode Fuzzy Hash: 6c8b277a969f683e398eedf38784c3077d70f9096ad59c91777d6b1bab1261a6
Instruction Fuzzy Hash: 52518FF1D00249DBEF10DFA4D88579EFBB8BF54300F144169E814AB381E775AA48CB92

Function 00510880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005108B7
___except_validate_context_record.LIBVCRUNTIME ref: 005108BF
_ValidateLocalCookies.LIBCMT ref: 00510948
__IsNonwritableInCurrentImage.LIBCMT ref: 00510973
_ValidateLocalCookies.LIBCMT ref: 005109C8

Strings

csm, xrefs: 0051095D
CP, xrefs: 00510965, 0051096E, 0051097F

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: CP$csm
API String ID: 1170836740-2911555543
Opcode ID: 2705f186eab5b10d366c780f1dc8077e49ef89d8806133cf58490e09d346e53e
Instruction ID: 5c209c8ff88538713b39aacd4b9f32d119ff755c893dfca957c088ff6b007773
Opcode Fuzzy Hash: 2705f186eab5b10d366c780f1dc8077e49ef89d8806133cf58490e09d346e53e
Instruction Fuzzy Hash: 4141A134A00209ABEF10DF68C894ADEBFB5BF44324F148155E9189B392DB71AEC5CB91

Function 00499520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00499543
std::_Lockit::_Lockit.LIBCPMT ref: 00499566
std::_Lockit::~_Lockit.LIBCPMT ref: 00499586
std::_Facet_Register.LIBCPMT ref: 004995FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00499613
Concurrency::cancel_current_task.LIBCPMT ref: 0049962B

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 935f1abd8dedf7632ba54043f91c00489b421e94b32fbae5dd907fbefc749e05
Instruction ID: 3614a086826523f349a425d331120b5fff2c5775198d55a6beab163c66469ade
Opcode Fuzzy Hash: 935f1abd8dedf7632ba54043f91c00489b421e94b32fbae5dd907fbefc749e05
Instruction Fuzzy Hash: F941DE72900219AFCF11DF58D884AAEBB74FF55320F14422EE845AB391EB74AE04CBD5

Function 00435DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004360F2
___std_exception_destroy.LIBVCRUNTIME ref: 0043617F
___std_exception_copy.LIBVCRUNTIME ref: 00436248

Strings

recursive_directory_iterator::operator++, xrefs: 004361CC

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: e0fb7ccc28a3226894f5b38585f2f4ffc35b0bfff182273120be10f43cf45e8f
Instruction ID: 6619192cb6cb13d441e5431a3ac211069c79c714c18eecd698d3b9a810dc0cd4
Opcode Fuzzy Hash: e0fb7ccc28a3226894f5b38585f2f4ffc35b0bfff182273120be10f43cf45e8f
Instruction Fuzzy Hash: 35E158B09006059FCB18DF68C945B9EFBF9FF49300F10862EE41697781D778AA44CBA5

Function 004384C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004386DE
___std_exception_destroy.LIBVCRUNTIME ref: 004386ED

Strings

at line , xrefs: 00438518
, column , xrefs: 00438555, 0043856B

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: e471e0a998357f3fa48addbdf422c73e34727f502e91d6f64e561929a658028f
Instruction ID: 5f3e4a12ec437e830faa44f1ae52748ae1eae63bb8a8ea15f8bc078d1696ab0e
Opcode Fuzzy Hash: e471e0a998357f3fa48addbdf422c73e34727f502e91d6f64e561929a658028f
Instruction Fuzzy Hash: 016125719002059BDB08CB68DD86B9EFBB1FF89304F14461EF415A77C2EB78AA848795

Function 004A34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004A3946
___std_exception_destroy.LIBVCRUNTIME ref: 004A395F
___std_exception_destroy.LIBVCRUNTIME ref: 004A3A97
___std_exception_destroy.LIBVCRUNTIME ref: 004A3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 004A3C16
___std_exception_destroy.LIBVCRUNTIME ref: 004A3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 004A4479
___std_exception_destroy.LIBVCRUNTIME ref: 004A4492

Strings

value, xrefs: 004A439F

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 1b08dc98951d7f5790a1b094ad2d89e696f0962f9333d1608fd539f844dc7a00
Instruction ID: 4a1a45faa4979aa4ad64683741266724e854df4c82cb3c25f6892f2cc6feaecc
Opcode Fuzzy Hash: 1b08dc98951d7f5790a1b094ad2d89e696f0962f9333d1608fd539f844dc7a00
Instruction Fuzzy Hash: 6151D170C00248DBDF14DFA8CD89BDEBFB4BF56304F144259E455A7282D7786A88CB66

Function 00433B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00433C0F

Strings

ios_base::badbit set, xrefs: 00433BA7, 00433BD2, 00433BF3
ios_base::failbit set, xrefs: 00433AC8, 00433BB1
ios_base::eofbit set, xrefs: 00433BB6

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: b2d16b061b1de4e27a50339c30edc60289d9cd77f9fd77f360aa8cd00ae6e4bf
Instruction ID: d5909f071a6136875d10a3bbdf0e90f7cb5058d39c392dd0cc78b15cce36ca70
Opcode Fuzzy Hash: b2d16b061b1de4e27a50339c30edc60289d9cd77f9fd77f360aa8cd00ae6e4bf
Instruction Fuzzy Hash: 031105B29007086BC710DF59C806B9ABBD8BF49311F14892BFD58D7282F774E904CB95

Function 004A2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 004A2F43

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: e47e15e7c7996866a8cef593b9a7aeb48dc17a61a2b3e6669089d2f9ba366923
Instruction ID: f8355d4db2d7a077ebac295686ef1b0a19316a718a0eae606bf4ee3106e8a93a
Opcode Fuzzy Hash: e47e15e7c7996866a8cef593b9a7aeb48dc17a61a2b3e6669089d2f9ba366923
Instruction Fuzzy Hash: DDE1E371A002059FCB18DF6CC984A6EBBA1FF5A310F14836AE819DB391D774ED51CB94

Function 00438080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0043844D

Strings

parse error, xrefs: 00438149, 00438162
ror, xrefs: 004380D4

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 0c2e619ea4ddbccf96e7439623da134e8ff527a64572386fe0adaca83156cd92
Instruction ID: 71245dc7c5200ccb9d5feb04f8a034911a6c2dbb69dca603ce88a810a63d919f
Opcode Fuzzy Hash: 0c2e619ea4ddbccf96e7439623da134e8ff527a64572386fe0adaca83156cd92
Instruction Fuzzy Hash: 92C1F4709007498FDB08CF68CD85BADFB71BF59304F24835DE4046B692EB78AA84CB95

Function 00437DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00438051
___std_exception_destroy.LIBVCRUNTIME ref: 00438060

Strings

[json.exception., xrefs: 00437E1C

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: ee293bf76807d2b4d2f121b8cf06325922f7af48a69cc143c8171278a94b6e82
Instruction ID: d1ce62d5abae90e2634bcb20a61b6de41888fd83abe4ff02112b5e1b14686f9a
Opcode Fuzzy Hash: ee293bf76807d2b4d2f121b8cf06325922f7af48a69cc143c8171278a94b6e82
Instruction Fuzzy Hash: F691D4719002089FDB18CF68CD85B9EFBB1FF49314F14425EE450AB692D7B4AA848795

Function 00433A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00433C0F

Strings

ios_base::badbit set, xrefs: 00433BA7, 00433BD2, 00433BF3
ios_base::failbit set, xrefs: 00433AC8

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 2a2068ffb0e0252bae891f637030c685ac8a0f0ef2becaf0656a31c46beada43
Instruction ID: 110e67317c22a718e353e223aea29a9baf5df9e7412186fe8e6698b0f87d9281
Opcode Fuzzy Hash: 2a2068ffb0e0252bae891f637030c685ac8a0f0ef2becaf0656a31c46beada43
Instruction Fuzzy Hash: 28411671900608ABC704DF59CC46BAEFBF8FF49310F14861AF954A7782E774AA40CBA5

Function 004A45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004A4E29
___std_exception_destroy.LIBVCRUNTIME ref: 004A4E42
___std_exception_destroy.LIBVCRUNTIME ref: 004A594D
___std_exception_destroy.LIBVCRUNTIME ref: 004A5966

Strings

value, xrefs: 004A5873

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 7ce98c8171c851daeb649d2f84924367efab9f5f6d6f42e2a85f2ec329bb6b81
Instruction ID: 2f4644a41b30b767ef63ebfe309279af3947d703a2f95cb1e6974d810ca8874d
Opcode Fuzzy Hash: 7ce98c8171c851daeb649d2f84924367efab9f5f6d6f42e2a85f2ec329bb6b81
Instruction Fuzzy Hash: 8E51B1B0C00248DBDF14DFA4CD89BDEBFB4BF56304F144259E455AB282D7786A88CB56

Function 004A99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004A99F1

Strings

type must be boolean, but is , xrefs: 004A9AE2
type must be string, but is , xrefs: 004A9A58

Memory Dump Source

Source File: 00000008.00000002.4483059852.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 00000008.00000002.4482945368.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483059852.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4483306323.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484155637.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4484916889.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000008.00000002.4485187926.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 6c13dc530ba47eb6493e7812f2132e442f57bfe705df5b27be99a19aa3ac5094
Instruction ID: 8e076b49b9d2b40663101391539bb86dd6918c970e6fd0157adda575f1753b03
Opcode Fuzzy Hash: 6c13dc530ba47eb6493e7812f2132e442f57bfe705df5b27be99a19aa3ac5094
Instruction Fuzzy Hash: 463129B5904248AFCB04EB94D842B9FBBA8EB15304F14466EF415D7791EB38AE04C75A

Analysis Process: RageMP131.exePID: 6620, Parent PID: 1028COMMON

Execution Graph

Execution Coverage:	1.8%
Dynamic/Decrypted Code Coverage:	1.6%
Signature Coverage:	0%
Total number of Nodes:	252
Total number of Limit Nodes:	24

Executed Functions

Function 0044EC20 Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000330,0000FFFF,00001006,?,00000008), ref: 0044ECC7
recv.WS2_32(?,00000004,00000002), ref: 0044ECE1
recv.WS2_32(00000000,0000000C,00000002,0000000C), ref: 0044ED4E
recv.WS2_32(00000000,0000000C,00000008), ref: 0044ED6F
recv.WS2_32(00000000,?,00000008), ref: 0044EE0C

Part of subcall function 0044DB60: WSAStartup.WS2_32 ref: 0044DB8B
Part of subcall function 0044DB60: socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0044DC2E
Part of subcall function 0044DB60: connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0044DC42
Part of subcall function 0044DB60: closesocket.WS2_32(00000000), ref: 0044DC4D

recv.WS2_32(?,00000004,00000008), ref: 0044F033
Sleep.KERNELBASE(00000001), ref: 0044F09E
Sleep.KERNELBASE(00000064), ref: 0044F0AC
__Mtx_unlock.LIBCPMT ref: 0044F211

Strings

t;V, xrefs: 0044EC7A
50500, xrefs: 0044EC75

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$Sleep$Mtx_unlockStartupclosesocketconnectsetsockoptsocket
String ID: 50500$t;V
API String ID: 2930922264-2591036556
Opcode ID: 667a1e5883ec06f96178a587891ee3bddde4708c93009973490402d2396603d4
Instruction ID: b5200ff60a7e53f4cbb5093def1f6bddf053c639913f6b16a5fba28359bde650
Opcode Fuzzy Hash: 667a1e5883ec06f96178a587891ee3bddde4708c93009973490402d2396603d4
Instruction Fuzzy Hash: 19B1E331D00249DFEB10DFA8CC45BADBBB5FF55300F24826AE445A72D2DBB4A989CB40

Function 0044E060 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 333
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASend.WS2_32(?,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,005347E8,00000000,00000000,-005665B0), ref: 0044E3A6

Strings

\;V, xrefs: 0044EB85
t;V, xrefs: 0044EC7A
taV, xrefs: 0044F1CA
50500, xrefs: 0044EC75
;V, xrefs: 0044E525
Ws2_32.dll, xrefs: 0044E37D
131, xrefs: 0044F2C8

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Send
String ID: 131$50500$Ws2_32.dll$\;V$t;V$taV$;V
API String ID: 121738739-25841771
Opcode ID: 1cd50972f020ac79639d39de6e00c09112299ff3bfd7ffa1b9df19f98d1f9ce8
Instruction ID: 21c355422bbe8dd93713406b710f591f5cc3d7d209d604bd7e1288f9021784dc
Opcode Fuzzy Hash: 1cd50972f020ac79639d39de6e00c09112299ff3bfd7ffa1b9df19f98d1f9ce8
Instruction Fuzzy Hash: 64D1F270D04248DFEB14CFA9CC54BADBBF1BF46300F684259D851AB2D2D7749886CB95

Function 0044DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0044DB8B
socket.WS2_32(?,?,?,?,?,?,50500,?,?), ref: 0044DC2E
connect.WS2_32(00000000,?,?,?,?,?,50500,?,?), ref: 0044DC42
closesocket.WS2_32(00000000), ref: 0044DC4D

Strings

50500, xrefs: 0044DBE8

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID: 50500
API String ID: 3098855095-2230786414
Opcode ID: dbeec301e71e32957d78d8adde9d37e5eabb7e4aea38ebc83d16e4dd2b77ab23
Instruction ID: 6b3e054db11a27b071f29559600a3eb63b8bf08c904c318e876bc1a8d44248c6
Opcode Fuzzy Hash: dbeec301e71e32957d78d8adde9d37e5eabb7e4aea38ebc83d16e4dd2b77ab23
Instruction Fuzzy Hash: 0131E4729043055BD7208B288CC5A2FB7E4FF89724F011F1EF9A4932E0E3749904C696

Function 00522582 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00522469,00000000,CF830579,00561148,0000000C,00522525,0051662D,?), ref: 005225D8

Strings

8m, xrefs: 0052259C

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID: 8m
API String ID: 2591292051-3926704479
Opcode ID: 597e0dffa7053bbd928069064f4a64ad021e59c1b30ad38d5b23f85556e10e0c
Instruction ID: 2b474e812d35d8ca256cc214475358f3ffec11d3c7dd95edd7cae4ecfb8b3d19
Opcode Fuzzy Hash: 597e0dffa7053bbd928069064f4a64ad021e59c1b30ad38d5b23f85556e10e0c
Instruction Fuzzy Hash: B811083770513026D62522B47C5977E6F497FD3734F254209F9049F2C2EE65AC819191

Function 04FB0561 Relevance: 1.7, APIs: 1, Instructions: 232
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8d2dabe5a949a6eafa86da2242ea19ee4a687b2b0e9fab2bc242b73c762232d
Instruction ID: d8d7d250ec1bbe3c9a95a87ec4580b49bf63a5face6c8019e23d487ff08c938d
Opcode Fuzzy Hash: c8d2dabe5a949a6eafa86da2242ea19ee4a687b2b0e9fab2bc242b73c762232d
Instruction Fuzzy Hash: 6241DFE730C111BDB10194976B90AFB676EE7E77307308426F887E6901FA846A8B64B1

Function 00522F0C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00516AF7,?,00000000,00000000,00000000,?,00000000,?,0050C023,00516AF7,00000000,0050C023,?,?), ref: 00523091

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 541b06348f4885d074a9b0c7f4ca6a6328694b1165fdea4ac9001afa05c1270d
Instruction ID: 68e38a6281b0c3e9f8f7b6a26902fdf6248225eda2e7faf14a7ec00183940523
Opcode Fuzzy Hash: 541b06348f4885d074a9b0c7f4ca6a6328694b1165fdea4ac9001afa05c1270d
Instruction Fuzzy Hash: 41610575C0012ABFDF11CFA8E885AEEBFB9BF4A304F140145E900A7282D376DA11DB60

Function 04FB05A6 Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb0908fbe26648a03cea5e2dbd874e7914d42b60b4deed0f21f2e21c2a5da025
Instruction ID: be31a224f0a7910ab6c46f984c011dc90078c436ca6bb7b7fd60dc7bda279eef
Opcode Fuzzy Hash: cb0908fbe26648a03cea5e2dbd874e7914d42b60b4deed0f21f2e21c2a5da025
Instruction Fuzzy Hash: 0D3111E730C211BDB21180836B50AFB676EE3E77307308426F887E6501FB946A8B64F4

Function 04FB058D Relevance: 1.7, APIs: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8e5e01f76b9c031765466ef49860b7f50fb5fd73bf9341b056200109bdcc4b26
Instruction ID: b97560b750edb3ad8a9e79ee41c88e5d28f1c956e04e0bfa88b3a31ca8d1a1dd
Opcode Fuzzy Hash: 8e5e01f76b9c031765466ef49860b7f50fb5fd73bf9341b056200109bdcc4b26
Instruction Fuzzy Hash: FA3113E730C215BDB11180876B50AFB566EE3E77307308426F887E6501FB846A8B74F5

Function 04FB05D6 Relevance: 1.7, APIs: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0e98832d5fa3d83f1824c3adfb3948e1d8faa06ddc7cc08ad1813dc8a74780e1
Instruction ID: 2a01964518501b7eb609cf5e2a51e10aeeb5e018a2b2e931f02b12d26ab96d01
Opcode Fuzzy Hash: 0e98832d5fa3d83f1824c3adfb3948e1d8faa06ddc7cc08ad1813dc8a74780e1
Instruction Fuzzy Hash: 1131C0E730C115BCB21185876B50AFB576EE3E77307308426F887E6501FB946A8B64F4

Function 04FB05F3 Relevance: 1.7, APIs: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bd55f27c5040146da196bee9bbb81390de417ccc4bc7105c1f06b555dbd74bb0
Instruction ID: d07407b9e73a8322c4d318537143789c405301fdf9b6e3a5c160c3f6ae111334
Opcode Fuzzy Hash: bd55f27c5040146da196bee9bbb81390de417ccc4bc7105c1f06b555dbd74bb0
Instruction Fuzzy Hash: 7E3104E730C115BDB11180876B50AFB976EE3E7730B308426FC8BE6501FA946A8B64F4

Function 04FB0667 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 55e6d3897f5c541e5019648d4f6ff8a9972bea872eeda92eee793d6867e019ea
Instruction ID: adead8c02b3696fa22db2b6e815a2d092cb3cb6b93e15b83d079e6673dab8c95
Opcode Fuzzy Hash: 55e6d3897f5c541e5019648d4f6ff8a9972bea872eeda92eee793d6867e019ea
Instruction Fuzzy Hash: 9231B1E730C115BD711180876B50AFB966EE3EB7307318426F8CBE6501FA956A8B64F4

Function 04FB062B Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 37deb2f21f513c44deb185afd1101dee1adc703884a95b8376bbae421ace1d2e
Instruction ID: 706ea740ab16c13c942070b4320c8ca787d338bc0ea95d2763514b806628f84b
Opcode Fuzzy Hash: 37deb2f21f513c44deb185afd1101dee1adc703884a95b8376bbae421ace1d2e
Instruction Fuzzy Hash: 3F21B4E730C115BDA21185472B50AFB576EE3EB3307308416F8C7E5501FE446A8B64F5

Function 0049BA20 Relevance: 1.6, APIs: 1, Instructions: 135
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0049BB71

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction ID: 38e6669dc504038121b06ab4bb6f7e6ac73a319efce4e92aa354c026f24c6135
Opcode Fuzzy Hash: b19d2212db506fa46971754378483badd225f06599945ea51feb898bce11e8e1
Instruction Fuzzy Hash: 9341EF729001099BCF15DF68EA816AEBFA5EF85350F24067AF804EB345D734EE118BE5

Function 04FB064F Relevance: 1.6, APIs: 1, Instructions: 131
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2f9bce04386136395e5f4977f949205c147e8178b5f0053fbb1a7806a2897dc6
Instruction ID: 20b05736be8582550415f8716ffef17ba9543d61d87aebee234a63ff770cc810
Opcode Fuzzy Hash: 2f9bce04386136395e5f4977f949205c147e8178b5f0053fbb1a7806a2897dc6
Instruction Fuzzy Hash: 7921BFE730C115BD711094832B90AFB566EE3EB7307318426FC87E6500FA44AA8764F4

Function 04FB0675 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a5f341085a0a24fa959c738ad1b9a47ab40132e05e7f62ad5963b16c752f86be
Instruction ID: 0574be77b70b6f3aed72d9b0d98fc6bcc6f782c7aa510d4d475c4ca151ad1a3f
Opcode Fuzzy Hash: a5f341085a0a24fa959c738ad1b9a47ab40132e05e7f62ad5963b16c752f86be
Instruction Fuzzy Hash: A321B0E730C119BDB11194832B90AFB526EE3EB7307308426FCC7E6500FA556A8768F4

Function 04FB0698 Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 56c4fa2053168bb404120ff5b85312124c7a1d9153bff6e467730d952dcd4479
Instruction ID: bb8281ebbec97b0fc23883fd445984535920f4dbfbbc7d0849e7f4359125aeee
Opcode Fuzzy Hash: 56c4fa2053168bb404120ff5b85312124c7a1d9153bff6e467730d952dcd4479
Instruction Fuzzy Hash: 122148B330C255AEA60281522BA09FBA72DE7D733073084A6FCC7DB501FB046A47A5F1

Function 04FB06CD Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 548a9817d7488db02c3f4202aa0f48bb3395a367fd7057f9a8ed1386281da24d
Instruction ID: 51381ca94dcde3c8d6e8b3d1b606486494c0ab48bf218bc777ed82a7b0510948
Opcode Fuzzy Hash: 548a9817d7488db02c3f4202aa0f48bb3395a367fd7057f9a8ed1386281da24d
Instruction Fuzzy Hash: F611C3B370C115AD621591576A90AFB936EE7E73307309426FC87D6500FB15AA8768F0

Function 04FB0700 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6aff13f5e8240f4969441c4ae00c844aeeda15a321d0f9e89c7bf9bf0168ed6b
Instruction ID: 4b888fa12d1105423e38249c7a137123c9165ba4b2d2cdc71bb9eaf5353d92d5
Opcode Fuzzy Hash: 6aff13f5e8240f4969441c4ae00c844aeeda15a321d0f9e89c7bf9bf0168ed6b
Instruction Fuzzy Hash: 8911C1B370C115ADB21491832B60AFB936DD7DB330B708426FC8BD6500FB05AA87A8F0

Function 04FB07BC Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c3f68996cbcd481af01f419289b801e1bd79c7fb00d77f6116ca0786607dc86
Instruction ID: 50368b59e5de790b1b7be6dc39cd17f9483d9ad8ff81d4f57b85d7cfa6fda5e5
Opcode Fuzzy Hash: 4c3f68996cbcd481af01f419289b801e1bd79c7fb00d77f6116ca0786607dc86
Instruction Fuzzy Hash: B711CBF330C204ADE605C563A650AFB6739C787330B304456ECC2DB105FA11AA8748E1

Function 04FB0727 Relevance: 1.6, APIs: 1, Instructions: 87COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b24df9d00037c3f879661df1ab2a2b2f9bcc5afc90150acf71734ebdaaa78882
Instruction ID: 7d1ec20f58b47b5ee8161c5db3c6441d8d96ee631c094aa983acd1c0e36bb94c
Opcode Fuzzy Hash: b24df9d00037c3f879661df1ab2a2b2f9bcc5afc90150acf71734ebdaaa78882
Instruction Fuzzy Hash: 4311E0A730C115AEB61091536B60AFB932DD7DB720B308422FCCBD6500EA14AA8768F1

Function 04FB071C Relevance: 1.6, APIs: 1, Instructions: 85COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b2b0d4bb96fa58c8f3f97ab7a0accf4f9f56c9ea11ca173aacf7cc001cd5c049
Instruction ID: 74b843d61c018fd56d46c081cec2ad752c85625391a5ad4b537bfc3f1b29767f
Opcode Fuzzy Hash: b2b0d4bb96fa58c8f3f97ab7a0accf4f9f56c9ea11ca173aacf7cc001cd5c049
Instruction Fuzzy Hash: 9A11A0A730C115AD721091436B50AFB932DD7DB7207308426FC87D6100FB04AA87A8F0

Function 04FB0740 Relevance: 1.6, APIs: 1, Instructions: 79COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 99afb6bca97290851078ce95f7eec4449993feaa8e923708fd4ca9a8c01af8e4
Instruction ID: 3df2beff89978a7818b0e62606be3679addb46f40bcb2ae34b9bbae50873c6b6
Opcode Fuzzy Hash: 99afb6bca97290851078ce95f7eec4449993feaa8e923708fd4ca9a8c01af8e4
Instruction Fuzzy Hash: 401125B370C225BEA60191932B50AFBA32DD7DB7307318026FC87D6100FA059E4658F1

Function 04FB0765 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04FB0787

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: aaf626811d4715d0b3c4389e3f59246ac46c786347f757b91be07afb10285236
Instruction ID: 4549054dfac73e5b293e6d5dde54d3b78fb1a389eebe8f8de2e82d033db4f06c
Opcode Fuzzy Hash: aaf626811d4715d0b3c4389e3f59246ac46c786347f757b91be07afb10285236
Instruction Fuzzy Hash: FD0104A370C255AEA21191522B60AFB676DD7EB3307304062ECC6DA100EF15AA8758F1

Function 0051BACC Relevance: 1.6, APIs: 1, Instructions: 54COMMON

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00560E00,0050C023,00000002,0050C023,00000000,?,?,?,0051BBD6,00000000,?,0050C023,00000002,00560E00), ref: 0051BB08

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 39ac700be729baeecf1a79c3f256d71b3af36a69ddef3de5abc77fd42efcedad
Instruction ID: 33ee6917933ea04bd358370f3700448294c908acac7cac6746b13e76671aa9da
Opcode Fuzzy Hash: 39ac700be729baeecf1a79c3f256d71b3af36a69ddef3de5abc77fd42efcedad
Instruction Fuzzy Hash: DA01C432614155AFEF069F59CC45CEE3F69FF85324F240248F8119B2D1EAB1ED919B90

Function 0050CD02 Relevance: 1.6, APIs: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00431FDE

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 5cd4db2ff6868d8fa905581d9cad760b6f661d469c2f88477529f3b2c12f6310
Instruction ID: 65685f2945995c6cb1b21799916f1236761673d58994d2f8d6b174951a5d4f96
Opcode Fuzzy Hash: 5cd4db2ff6868d8fa905581d9cad760b6f661d469c2f88477529f3b2c12f6310
Instruction Fuzzy Hash: DF012B3640030E67CB14AB98EC0548D7FACFF01360B608636F514A7191FB70E9908791

Function 00523E63 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,0050B16C,?,?,005237E9,00000001,00000364,?,00000006,000000FF,?,0050E0EB,?,?,?,?), ref: 00523EA5

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 7b430b993e9f5f435a4573eebac40da0ac61516eabb1913db70fe8b59f5ecd03
Instruction ID: 98ba0b58169991bd07cd2243132139cfff23fc69073f394c6ef2cd4e950673ee
Opcode Fuzzy Hash: 7b430b993e9f5f435a4573eebac40da0ac61516eabb1913db70fe8b59f5ecd03
Instruction Fuzzy Hash: 69F0E93150153666AF326B716C05B6B3F4EBF83360B174511FC04960C0DB74EE0C82E0

Function 0052489D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,?,?,?,0050E0EB,?,?,?,?,?,00432D8D,0050B16C,?,?,0050B16C), ref: 005248D0

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 009b2803bd800bf9c541f94ae47a065ce1f2d41aad139b04fd229c496c6d9441
Instruction ID: 1b429317c2f4d9898f846ec5960151d1f51618fbd23c2592c81ae1cabd533767
Opcode Fuzzy Hash: 009b2803bd800bf9c541f94ae47a065ce1f2d41aad139b04fd229c496c6d9441
Instruction Fuzzy Hash: 2DE065351626B256E6212675AD057AB3E4DFF837A0F150621AC14A60D0DB60DC509AE1

Non-executed Functions

Function 04FB0D96 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000A.00000002.4490702914.0000000004FB0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04FB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_4fb0000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a91919518daa0df833e8a3398b8c59ddec543640694645f66ad4407575b80c45
Instruction ID: a0d6f881263ad5f41efa832fa819842f51b00a255e38ab194e796666aa4b7931
Opcode Fuzzy Hash: a91919518daa0df833e8a3398b8c59ddec543640694645f66ad4407575b80c45
Instruction Fuzzy Hash: 3D110CA75492902EF70387A15A509F73F79EAC733033088A7F481C6457DA996A4BA271

Function 0049AE90 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0049AEB3
std::_Lockit::_Lockit.LIBCPMT ref: 0049AED5
std::_Lockit::~_Lockit.LIBCPMT ref: 0049AEF5
std::_Lockit::~_Lockit.LIBCPMT ref: 0049AF1F
std::_Lockit::_Lockit.LIBCPMT ref: 0049AF8D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0049AFD9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0049AFF3
std::_Lockit::~_Lockit.LIBCPMT ref: 0049B088
std::_Facet_Register.LIBCPMT ref: 0049B095

Strings

bad locale name, xrefs: 0049B0AF

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name
API String ID: 3375549084-1405518554
Opcode ID: 68216ce3bc69d52a7a802c54116f71c3b90133f8ea19c604a611106445964900
Instruction ID: 28ca33799d53fc0c0cfaa529572509b1fd599d11d558bee70b65712794e4df74
Opcode Fuzzy Hash: 68216ce3bc69d52a7a802c54116f71c3b90133f8ea19c604a611106445964900
Instruction Fuzzy Hash: A0617FB5D002459BEF20DFA8D889B9EBFB4BF54310F144069E815A7381EB74ED09CB96

Function 00433770 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 152COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004337E9
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00433835
__Getctype.LIBCPMT ref: 0043384E
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0043386A
std::_Lockit::~_Lockit.LIBCPMT ref: 004338FF

Strings

bad locale name, xrefs: 0043391C
0:C, xrefs: 00433848

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: 0:C$bad locale name
API String ID: 1840309910-3345558881
Opcode ID: 6c8b277a969f683e398eedf38784c3077d70f9096ad59c91777d6b1bab1261a6
Instruction ID: bf5337a2d8456d9a7b3cc25296a201f84bee19edd370540545fe3331f5bb3e90
Opcode Fuzzy Hash: 6c8b277a969f683e398eedf38784c3077d70f9096ad59c91777d6b1bab1261a6
Instruction Fuzzy Hash: 52518FF1D00249DBEF10DFA4D88579EFBB8BF54300F144169E814AB381E775AA48CB92

Function 00510880 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 005108B7
___except_validate_context_record.LIBVCRUNTIME ref: 005108BF
_ValidateLocalCookies.LIBCMT ref: 00510948
__IsNonwritableInCurrentImage.LIBCMT ref: 00510973
_ValidateLocalCookies.LIBCMT ref: 005109C8

Strings

csm, xrefs: 0051095D
CP, xrefs: 00510965, 0051096E, 0051097F

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: CP$csm
API String ID: 1170836740-2911555543
Opcode ID: 2705f186eab5b10d366c780f1dc8077e49ef89d8806133cf58490e09d346e53e
Instruction ID: 5c209c8ff88538713b39aacd4b9f32d119ff755c893dfca957c088ff6b007773
Opcode Fuzzy Hash: 2705f186eab5b10d366c780f1dc8077e49ef89d8806133cf58490e09d346e53e
Instruction Fuzzy Hash: 4141A134A00209ABEF10DF68C894ADEBFB5BF44324F148155E9189B392DB71AEC5CB91

Function 00499520 Relevance: 9.1, APIs: 6, Instructions: 121COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00499543
std::_Lockit::_Lockit.LIBCPMT ref: 00499566
std::_Lockit::~_Lockit.LIBCPMT ref: 00499586
std::_Facet_Register.LIBCPMT ref: 004995FB
std::_Lockit::~_Lockit.LIBCPMT ref: 00499613
Concurrency::cancel_current_task.LIBCPMT ref: 0049962B

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 935f1abd8dedf7632ba54043f91c00489b421e94b32fbae5dd907fbefc749e05
Instruction ID: 3614a086826523f349a425d331120b5fff2c5775198d55a6beab163c66469ade
Opcode Fuzzy Hash: 935f1abd8dedf7632ba54043f91c00489b421e94b32fbae5dd907fbefc749e05
Instruction Fuzzy Hash: F941DE72900219AFCF11DF58D884AAEBB74FF55320F14422EE845AB391EB74AE04CBD5

Function 00435DD0 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 424COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004360F2
___std_exception_destroy.LIBVCRUNTIME ref: 0043617F
___std_exception_copy.LIBVCRUNTIME ref: 00436248

Strings

recursive_directory_iterator::operator++, xrefs: 004361CC

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: e0fb7ccc28a3226894f5b38585f2f4ffc35b0bfff182273120be10f43cf45e8f
Instruction ID: 6619192cb6cb13d441e5431a3ac211069c79c714c18eecd698d3b9a810dc0cd4
Opcode Fuzzy Hash: e0fb7ccc28a3226894f5b38585f2f4ffc35b0bfff182273120be10f43cf45e8f
Instruction Fuzzy Hash: 35E158B09006059FCB18DF68C945B9EFBF9FF49300F10862EE41697781D778AA44CBA5

Function 004384C0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004386DE
___std_exception_destroy.LIBVCRUNTIME ref: 004386ED

Strings

at line , xrefs: 00438518
, column , xrefs: 00438555, 0043856B

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: e471e0a998357f3fa48addbdf422c73e34727f502e91d6f64e561929a658028f
Instruction ID: 5f3e4a12ec437e830faa44f1ae52748ae1eae63bb8a8ea15f8bc078d1696ab0e
Opcode Fuzzy Hash: e471e0a998357f3fa48addbdf422c73e34727f502e91d6f64e561929a658028f
Instruction Fuzzy Hash: 016125719002059BDB08CB68DD86B9EFBB1FF89304F14461EF415A77C2EB78AA848795

Function 004A34C0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004A3946
___std_exception_destroy.LIBVCRUNTIME ref: 004A395F
___std_exception_destroy.LIBVCRUNTIME ref: 004A3A97
___std_exception_destroy.LIBVCRUNTIME ref: 004A3AB0
___std_exception_destroy.LIBVCRUNTIME ref: 004A3C16
___std_exception_destroy.LIBVCRUNTIME ref: 004A3C2F
___std_exception_destroy.LIBVCRUNTIME ref: 004A4479
___std_exception_destroy.LIBVCRUNTIME ref: 004A4492

Strings

value, xrefs: 004A439F

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 1b08dc98951d7f5790a1b094ad2d89e696f0962f9333d1608fd539f844dc7a00
Instruction ID: 4a1a45faa4979aa4ad64683741266724e854df4c82cb3c25f6892f2cc6feaecc
Opcode Fuzzy Hash: 1b08dc98951d7f5790a1b094ad2d89e696f0962f9333d1608fd539f844dc7a00
Instruction Fuzzy Hash: 6151D170C00248DBDF14DFA8CD89BDEBFB4BF56304F144259E455A7282D7786A88CB66

Function 00433B70 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 77COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00433C0F

Strings

ios_base::failbit set, xrefs: 00433AC8, 00433BB1
ios_base::badbit set, xrefs: 00433BA7, 00433BD2, 00433BF3
ios_base::eofbit set, xrefs: 00433BB6

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: b2d16b061b1de4e27a50339c30edc60289d9cd77f9fd77f360aa8cd00ae6e4bf
Instruction ID: d5909f071a6136875d10a3bbdf0e90f7cb5058d39c392dd0cc78b15cce36ca70
Opcode Fuzzy Hash: b2d16b061b1de4e27a50339c30edc60289d9cd77f9fd77f360aa8cd00ae6e4bf
Instruction Fuzzy Hash: 031105B29007086BC710DF59C806B9ABBD8BF49311F14892BFD58D7282F774E904CB95

Function 004A2A60 Relevance: 5.7, APIs: 2, Strings: 1, Instructions: 444COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 004A2F43

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: e47e15e7c7996866a8cef593b9a7aeb48dc17a61a2b3e6669089d2f9ba366923
Instruction ID: f8355d4db2d7a077ebac295686ef1b0a19316a718a0eae606bf4ee3106e8a93a
Opcode Fuzzy Hash: e47e15e7c7996866a8cef593b9a7aeb48dc17a61a2b3e6669089d2f9ba366923
Instruction Fuzzy Hash: DDE1E371A002059FCB18DF6CC984A6EBBA1FF5A310F14836AE819DB391D774ED51CB94

Function 00438080 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0043844D

Strings

parse error, xrefs: 00438149, 00438162
ror, xrefs: 004380D4

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$ror
API String ID: 2659868963-4201802366
Opcode ID: 0c2e619ea4ddbccf96e7439623da134e8ff527a64572386fe0adaca83156cd92
Instruction ID: 71245dc7c5200ccb9d5feb04f8a034911a6c2dbb69dca603ce88a810a63d919f
Opcode Fuzzy Hash: 0c2e619ea4ddbccf96e7439623da134e8ff527a64572386fe0adaca83156cd92
Instruction Fuzzy Hash: 92C1F4709007498FDB08CF68CD85BADFB71BF59304F24835DE4046B692EB78AA84CB95

Function 00437DB0 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00438051
___std_exception_destroy.LIBVCRUNTIME ref: 00438060

Strings

[json.exception., xrefs: 00437E1C

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: ee293bf76807d2b4d2f121b8cf06325922f7af48a69cc143c8171278a94b6e82
Instruction ID: d1ce62d5abae90e2634bcb20a61b6de41888fd83abe4ff02112b5e1b14686f9a
Opcode Fuzzy Hash: ee293bf76807d2b4d2f121b8cf06325922f7af48a69cc143c8171278a94b6e82
Instruction Fuzzy Hash: F691D4719002089FDB18CF68CD85B9EFBB1FF49314F14425EE450AB692D7B4AA848795

Function 00433A90 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 150COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00433C0F

Strings

ios_base::failbit set, xrefs: 00433AC8
ios_base::badbit set, xrefs: 00433BA7, 00433BD2, 00433BF3

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::failbit set
API String ID: 2659868963-1240500531
Opcode ID: 2a2068ffb0e0252bae891f637030c685ac8a0f0ef2becaf0656a31c46beada43
Instruction ID: 110e67317c22a718e353e223aea29a9baf5df9e7412186fe8e6698b0f87d9281
Opcode Fuzzy Hash: 2a2068ffb0e0252bae891f637030c685ac8a0f0ef2becaf0656a31c46beada43
Instruction Fuzzy Hash: 28411671900608ABC704DF59CC46BAEFBF8FF49310F14861AF954A7782E774AA40CBA5

Function 004A45C0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 004A4E29
___std_exception_destroy.LIBVCRUNTIME ref: 004A4E42
___std_exception_destroy.LIBVCRUNTIME ref: 004A594D
___std_exception_destroy.LIBVCRUNTIME ref: 004A5966

Strings

value, xrefs: 004A5873

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: value
API String ID: 4194217158-494360628
Opcode ID: 7ce98c8171c851daeb649d2f84924367efab9f5f6d6f42e2a85f2ec329bb6b81
Instruction ID: 2f4644a41b30b767ef63ebfe309279af3947d703a2f95cb1e6974d810ca8874d
Opcode Fuzzy Hash: 7ce98c8171c851daeb649d2f84924367efab9f5f6d6f42e2a85f2ec329bb6b81
Instruction Fuzzy Hash: 8E51B1B0C00248DBDF14DFA4CD89BDEBFB4BF56304F144259E455AB282D7786A88CB56

Function 004A99A0 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004A99F1

Strings

type must be boolean, but is , xrefs: 004A9AE2
type must be string, but is , xrefs: 004A9A58

Memory Dump Source

Source File: 0000000A.00000002.4483064804.0000000000431000.00000040.00000001.01000000.00000006.sdmp, Offset: 00430000, based on PE: true

Associated: 0000000A.00000002.4483011351.0000000000430000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4483064804.0000000000563000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484192182.0000000000567000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000057A000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000070E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.00000000007EA000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.0000000000825000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000082E000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4484253694.000000000083C000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485039364.000000000083D000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 0000000A.00000002.4485393293.00000000009F2000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_10_2_430000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 6c13dc530ba47eb6493e7812f2132e442f57bfe705df5b27be99a19aa3ac5094
Instruction ID: 8e076b49b9d2b40663101391539bb86dd6918c970e6fd0157adda575f1753b03
Opcode Fuzzy Hash: 6c13dc530ba47eb6493e7812f2132e442f57bfe705df5b27be99a19aa3ac5094
Instruction Fuzzy Hash: 463129B5904248AFCB04EB94D842B9FBBA8EB15304F14466EF415D7791EB38AE04C75A

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Lisect_AVT_24003_G1B_108.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Suricata IDS Alerts

Network Port Distribution

Windows Analysis Report
Lisect_AVT_24003_G1B_108.exe

Function 0082DB60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 99
networkCOMMON

Function 0082EC20 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 265
networksleepCOMMON

Function 0082E060 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 333
networkCOMMON

Function 05370683 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
COMMON

Function 0537069F Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Function 0537068C Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 197
COMMON

Function 053706E0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 190
COMMON

Function 05370721 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 187
COMMON

Function 053706C5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 186
COMMON

Function 05370749 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 185
COMMON

Function 05370705 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 181
COMMON

Function 053706F5 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 177
COMMON

Function 05370731 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 176
COMMON