Edit tour

Windows Analysis Report
LisectAVT_2403002B_242.exe

Overview

General Information

Sample name:	LisectAVT_2403002B_242.exe
Analysis ID:	1481918
MD5:	814c7d754de0a807785f32a643082d2b
SHA1:	a3f7abb4d5dc8bd5371f2e176b51e8c157b8f4bf
SHA256:	5e4f50a70deeb3a29049c06b1b3a73abb6def3ddd4bea47dbce78e4eaa941333
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found API chain indicative of sandbox detection

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Found stalling execution ending in API Sleep call

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Contains capabilities to detect virtual machines

Contains functionality to detect sandboxes (mouse cursor move detection)

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found decision node followed by non-executed suspicious APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002B_242.exe (PID: 4156 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002B_242.exe" MD5: 814C7D754DE0A807785F32A643082D2B)

schtasks.exe (PID: 3852 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 4344 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3548 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 2020 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 814C7D754DE0A807785F32A643082D2B)

MPGPH131.exe (PID: 500 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 814C7D754DE0A807785F32A643082D2B)

RageMP131.exe (PID: 1756 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 814C7D754DE0A807785F32A643082D2B)

RageMP131.exe (PID: 3220 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 814C7D754DE0A807785F32A643082D2B)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: LisectAVT_2403002B_242.exe PID: 4156	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 2020	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 500	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 1756	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 3220	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe, ProcessId: 4156, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:29.865110+0200
SID:	2046269
Source Port:	49721
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:10.131591+0200
SID:	2046269
Source Port:	49712
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:21.827803+0200
SID:	2046269
Source Port:	49715
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:10.225066+0200
SID:	2046269
Source Port:	49713
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T16:08:58.773939+0200
SID:	2022930
Source Port:	443
Destination Port:	49723
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:07.943795+0200
SID:	2046269
Source Port:	49710
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.6

Timestamp:	2024-07-25T16:08:21.030816+0200
SID:	2022930
Source Port:	443
Destination Port:	49716
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.6 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T16:08:04.974720+0200
SID:	2049060
Source Port:	49710
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002B_242.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: TR/Agent.kmrzu
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: TR/Agent.kmrzu

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002B_242.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002B_242.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.6:49710 -> 193.233.132.74:58709

Source: Joe Sandbox View

IP Address: 193.233.132.74 193.233.132.74

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Code function: 0_2_00C3D4A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket,

0_2_00C3D4A0

Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: RageMP131.exe	String found in binary or memory: https://ipinfo.io/
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT2F
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT5
Source: MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTO
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

System Summary

PE file contains section with special chars

Source: LisectAVT_2403002B_242.exe	Static PE information: section name:
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002B_242.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C28890	0_2_00C28890
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00D018B0	0_2_00D018B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00CA90B0	0_2_00CA90B0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00D07070	0_2_00D07070
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00D05038	0_2_00D05038
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00D181A4	0_2_00D181A4
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C94290	0_2_00C94290
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00D0AA7F	0_2_00D0AA7F
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00CA1220	0_2_00CA1220
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C39360	0_2_00C39360
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C28CC0	0_2_00C28CC0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00CA5CE0	0_2_00CA5CE0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C224F0	0_2_00C224F0
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C96470	0_2_00C96470
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00CA4D20	0_2_00CA4D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00828890	6_2_00828890
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_009018B0	6_2_009018B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008A90B0	6_2_008A90B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00905038	6_2_00905038
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00907070	6_2_00907070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_009181A4	6_2_009181A4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00894290	6_2_00894290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008A1220	6_2_008A1220
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0090AA7F	6_2_0090AA7F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00839360	6_2_00839360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00828CC0	6_2_00828CC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008A5CE0	6_2_008A5CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008224F0	6_2_008224F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00896470	6_2_00896470
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008A4D20	6_2_008A4D20
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00828890	7_2_00828890
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_009018B0	7_2_009018B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008A90B0	7_2_008A90B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00905038	7_2_00905038
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00907070	7_2_00907070
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_009181A4	7_2_009181A4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00894290	7_2_00894290
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008A1220	7_2_008A1220
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_0090AA7F	7_2_0090AA7F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00839360	7_2_00839360
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00828CC0	7_2_00828CC0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008A5CE0	7_2_008A5CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008224F0	7_2_008224F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00896470	7_2_00896470
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008A4D20	7_2_008A4D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00547070	8_2_00547070
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00545038	8_2_00545038
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00468890	8_2_00468890
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_005418B0	8_2_005418B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004E90B0	8_2_004E90B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_005581A4	8_2_005581A4
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0054AA7F	8_2_0054AA7F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004E1220	8_2_004E1220
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004D4290	8_2_004D4290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00479360	8_2_00479360
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004D6470	8_2_004D6470
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00468CC0	8_2_00468CC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004E5CE0	8_2_004E5CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004624F0	8_2_004624F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004E4D20	8_2_004E4D20
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00547070	12_2_00547070
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00545038	12_2_00545038
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00468890	12_2_00468890
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005418B0	12_2_005418B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004E90B0	12_2_004E90B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_005581A4	12_2_005581A4
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0054AA7F	12_2_0054AA7F
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004E1220	12_2_004E1220
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004D4290	12_2_004D4290
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00479360	12_2_00479360
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004D6470	12_2_004D6470
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00468CC0	12_2_00468CC0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004E5CE0	12_2_004E5CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004624F0	12_2_004624F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004E4D20	12_2_004E4D20

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 008FEAB0 appears 50 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0053EAB0 appears 50 times

Source: LisectAVT_2403002B_242.exe, 00000000.00000000.2122353802.0000000000D53000.00000008.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002B_242.exe
Source: LisectAVT_2403002B_242.exe	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002B_242.exe

Source: LisectAVT_2403002B_242.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002B_242.exe	Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: LisectAVT_2403002B_242.exe	Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: RageMP131.exe.0.dr	Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9939268933496441
Source: MPGPH131.exe.0.dr	Static PE information: Section: xdijjraj ZLIB complexity 0.9947976670506913

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3548:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: LisectAVT_2403002B_242.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: LisectAVT_2403002B_242.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: https://www.maxmind.com/en/locate-my-ip-address

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe "C:\Users\user\Desktop\LisectAVT_2403002B_242.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002B_242.exe

Static file information: File size 2045964 > 1048576

Source: LisectAVT_2403002B_242.exe

Static PE information: Raw size of xdijjraj is bigger than: 0x100000 < 0x160a00

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Unpacked PE file: 0.2.LisectAVT_2403002B_242.exe.c20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 7.2.MPGPH131.exe.820000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 8.2.RageMP131.exe.460000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 12.2.RageMP131.exe.460000.0.unpack :EW;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;xdijjraj:EW;xgxezfhn:EW;.taggant:EW;

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Code function: 0_2_00C39360 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,

0_2_00C39360

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: LisectAVT_2403002B_242.exe	Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6
Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x1fc5cb should be: 0x1fdff6

Source: LisectAVT_2403002B_242.exe	Static PE information: section name:
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002B_242.exe	Static PE information: section name:
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: xdijjraj
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: xgxezfhn
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: xdijjraj
Source: RageMP131.exe.0.dr	Static PE information: section name: xgxezfhn
Source: RageMP131.exe.0.dr	Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: xdijjraj
Source: MPGPH131.exe.0.dr	Static PE information: section name: xgxezfhn
Source: MPGPH131.exe.0.dr	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00CFE689 push ecx; ret	0_2_00CFE69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_008FE689 push ecx; ret	6_2_008FE69C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_008FE689 push ecx; ret	7_2_008FE69C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_0053E689 push ecx; ret	8_2_0053E69C
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_0053E689 push ecx; ret	12_2_0053E69C

Source: LisectAVT_2403002B_242.exe	Static PE information: section name: entropy: 7.935474542943052
Source: LisectAVT_2403002B_242.exe	Static PE information: section name: xdijjraj entropy: 7.953698825467194
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.935474542943052
Source: RageMP131.exe.0.dr	Static PE information: section name: xdijjraj entropy: 7.953698825467194
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.935474542943052
Source: MPGPH131.exe.0.dr	Static PE information: section name: xdijjraj entropy: 7.953698825467194

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Code function: 0_2_00CA4D20 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00CA4D20

Malware Analysis System Evasion

Found API chain indicative of sandbox detection

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep	graph_8-17697
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep	graph_0-17127
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Sandbox detection routine: GetCursorPos, DecisionNode, Sleep	graph_6-16846

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_0-17129
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_6-16847
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_8-17699

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Stalling execution: Execution stalls by calling Sleep

graph_8-17280

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: D5B108 second address: D5B10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: D5B10C second address: D5B112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4A85 second address: ED4A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4A89 second address: ED4AA7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCBB4F3EEABh 0x00000010 jns 00007FCBB4F3EEA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4D4B second address: ED4D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8170h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4D60 second address: ED4D7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4F3EEAEh 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FCBB4F3EEA6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4D7C second address: ED4D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4D80 second address: ED4D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4D86 second address: ED4DB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCBB4EE8179h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FCBB4EE8166h 0x00000012 jng 00007FCBB4EE8166h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4EE4 second address: ED4EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4EEE second address: ED4EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4EFA second address: ED4EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4EFE second address: ED4F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED4F0D second address: ED4F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ED52FE second address: ED5317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8175h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EBF468 second address: EBF470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF45CE second address: EF45D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF45D4 second address: EF45DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF45DA second address: EF45DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF4715 second address: EF4719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF4719 second address: EF471F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF471F second address: EF4725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF48ED second address: EF4903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FCBB4EE816Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF4903 second address: EF490F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF4BDB second address: EF4BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4EE8166h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF4EEB second address: EF4EFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007FCBB4F3EEA6h 0x00000009 pop ecx 0x0000000a jbe 00007FCBB4F3EEBBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF507C second address: EF509B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007FCBB4EE8166h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FCBB4EE8170h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF55E2 second address: EF55ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF5750 second address: EF5757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF5757 second address: EF5770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEB5h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF5770 second address: EF5774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EEC419 second address: EEC42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FCBB4F3EEA6h 0x0000000d jo 00007FCBB4F3EEA6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EEC42C second address: EEC430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF58C3 second address: EF58C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF58C7 second address: EF58D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF58D5 second address: EF58D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF9386 second address: EF938B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF97F7 second address: EF98F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4F3EEB3h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jmp 00007FCBB4F3EEB0h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jnl 00007FCBB4F3EEAAh 0x00000028 pushad 0x00000029 push esi 0x0000002a ja 00007FCBB4F3EEA6h 0x00000030 pop ecx 0x00000031 mov bh, 99h 0x00000033 popad 0x00000034 lea eax, dword ptr [ebp+12472BD6h] 0x0000003a pushad 0x0000003b and dh, 0000003Bh 0x0000003e mov ah, 04h 0x00000040 popad 0x00000041 mov dword ptr [eax+01h], esp 0x00000044 pushad 0x00000045 jmp 00007FCBB4F3EEB7h 0x0000004a xor si, 6884h 0x0000004f popad 0x00000050 lea eax, dword ptr [ebp+12472C02h] 0x00000056 ja 00007FCBB4F3EEB4h 0x0000005c mov dword ptr [eax+01h], ebp 0x0000005f jnp 00007FCBB4F3EEA7h 0x00000065 mov byte ptr [ebp+122D36D9h], 0000004Fh 0x0000006c push 00000000h 0x0000006e push esi 0x0000006f call 00007FCBB4F3EEA8h 0x00000074 pop esi 0x00000075 mov dword ptr [esp+04h], esi 0x00000079 add dword ptr [esp+04h], 0000001Ch 0x00000081 inc esi 0x00000082 push esi 0x00000083 ret 0x00000084 pop esi 0x00000085 ret 0x00000086 jmp 00007FCBB4F3EEB3h 0x0000008b push B0892644h 0x00000090 push eax 0x00000091 push edx 0x00000092 jmp 00007FCBB4F3EEB8h 0x00000097 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF8144 second address: EF814B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF814B second address: EF8158 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF998A second address: EF998E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF998E second address: EF99BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a je 00007FCBB4F3EEA6h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007FCBB4F3EEABh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EF99BC second address: EF99E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FCBB4EE816Ch 0x00000016 jnp 00007FCBB4EE8166h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFB994 second address: EFB99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFB99A second address: EFB99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFB99E second address: EFB9C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FCBB4F3EEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FCBB4F3EEB6h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC09 second address: EFFC0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC0D second address: EFFC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC13 second address: EFFC40 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jg 00007FCBB4EE816Ah 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FCBB4EE8173h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC40 second address: EFFC82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a movzx esi, cx 0x0000000d call 00007FCBB4F3EEA9h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FCBB4F3EEB9h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC82 second address: EFFC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC88 second address: EFFC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFC8C second address: EFFCCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FCBB4EE816Dh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jbe 00007FCBB4EE816Eh 0x00000018 push esi 0x00000019 jl 00007FCBB4EE8166h 0x0000001f pop esi 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FCBB4EE816Fh 0x0000002a jg 00007FCBB4EE8166h 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EFFE11 second address: EFFE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F000A7 second address: F000AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F001AB second address: F001AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F001AF second address: F001B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00891 second address: F00897 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00897 second address: F0089C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00982 second address: F00988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00988 second address: F0098D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00E40 second address: F00E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F00E46 second address: F00E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F022AC second address: F022B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F0310C second address: F03110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F03110 second address: F03116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F03D46 second address: F03D67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBB4EE8173h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F03D67 second address: F03D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F03D6B second address: F03D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F04789 second address: F047BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FCBB4F3EEB8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBB4F3EEB1h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F04575 second address: F0457F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F05294 second address: F0529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4F3EEA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F06713 second address: F06717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F0C995 second address: F0C999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F0C999 second address: F0C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F07084 second address: F07088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F0EFD4 second address: F0F04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007FCBB4EE8173h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCBB4EE8168h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 movsx ebx, ax 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+122D2BC5h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FCBB4EE8168h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov bx, 6F32h 0x00000052 push eax 0x00000053 push eax 0x00000054 jl 00007FCBB4EE816Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F111A9 second address: F111AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F111AE second address: F111B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F144D4 second address: F144D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F144D8 second address: F144EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBB4EE816Ah 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F144EC second address: F144F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F144F2 second address: F144F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F144F6 second address: F144FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1658B second address: F1658F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1026E second address: F1028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007FCBB4F3EEAFh 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1658F second address: F16608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCBB4EE8170h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FCBB4EE8168h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b pushad 0x0000002c sbb dh, 0000006Dh 0x0000002f sub dword ptr [ebp+122D369Fh], edi 0x00000035 popad 0x00000036 push 00000000h 0x00000038 mov di, B8DEh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FCBB4EE8168h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov ebx, dword ptr [ebp+122D2BE5h] 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1028D second address: F10320 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov bh, 3Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FCBB4F3EEB3h 0x0000001a mov edi, edx 0x0000001c pop ebx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov bl, 2Eh 0x00000026 mov eax, dword ptr [ebp+122D090Dh] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FCBB4F3EEA8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push FFFFFFFFh 0x00000048 jc 00007FCBB4F3EEACh 0x0000004e mov ebx, dword ptr [ebp+122D3837h] 0x00000054 nop 0x00000055 jns 00007FCBB4F3EEBBh 0x0000005b push eax 0x0000005c pushad 0x0000005d jnp 00007FCBB4F3EEA8h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F16608 second address: F1662D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FCBB4EE8175h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F14716 second address: F14729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEAFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1662D second address: F16636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F14729 second address: F14730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F16636 second address: F1663A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F158DD second address: F158E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F158E7 second address: F158EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F175AC second address: F175DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FCBB4F3EEB4h 0x0000000f jmp 00007FCBB4F3EEAEh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F16763 second address: F1676D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F175DF second address: F175E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F186B6 second address: F18703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a popad 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FCBB4EE8168h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f cld 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 mov edi, dword ptr [ebp+12476AABh] 0x00000039 pop edi 0x0000003a mov dword ptr [ebp+122D373Ah], ebx 0x00000040 xchg eax, esi 0x00000041 push edi 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1777A second address: F1778C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEAEh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F19549 second address: F1954F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F18817 second address: F1881C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1881C second address: F18821 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F18821 second address: F1882D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1A51A second address: F1A55D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d ja 00007FCBB4EE8166h 0x00000013 pop ebx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 mov di, 8A0Eh 0x0000001b call 00007FCBB4EE8172h 0x00000020 mov edi, dword ptr [ebp+122D29ADh] 0x00000026 pop ebx 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D29A1h] 0x0000002f stc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F197FC second address: F19806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1A55D second address: F1A562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1A562 second address: F1A56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCBB4F3EEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1B75A second address: F1B760 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1B760 second address: F1B765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1B803 second address: F1B809 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F1C61C second address: F1C6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCBB4F3EEACh 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCBB4F3EEB3h 0x00000011 nop 0x00000012 movzx ebx, di 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBB4F3EEA8h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor edi, dword ptr [ebp+122D29C1h] 0x00000043 pushad 0x00000044 mov edi, dword ptr [ebp+122D372Eh] 0x0000004a add ax, 94B7h 0x0000004f popad 0x00000050 mov eax, dword ptr [ebp+122D07B5h] 0x00000056 or di, 84C1h 0x0000005b push FFFFFFFFh 0x0000005d and ebx, dword ptr [ebp+122D2945h] 0x00000063 call 00007FCBB4F3EEB4h 0x00000068 mov dword ptr [ebp+122D3077h], ebx 0x0000006e pop ebx 0x0000006f nop 0x00000070 jmp 00007FCBB4F3EEB5h 0x00000075 push eax 0x00000076 jc 00007FCBB4F3EEB4h 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F2A33C second address: F2A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FCBB4EE816Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29790 second address: F29794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29794 second address: F29798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29798 second address: F297CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnc 00007FCBB4F3EEAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 jmp 00007FCBB4F3EEB4h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F297CC second address: F297D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29C18 second address: F29C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29D85 second address: F29D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F29EEB second address: F29F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBB4F3EEA6h 0x0000000c jmp 00007FCBB4F3EEB5h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F37141 second address: F37173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8172h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBB4EE8171h 0x00000010 pushad 0x00000011 ja 00007FCBB4EE8166h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F37173 second address: F37179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F37179 second address: F37184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F37184 second address: F3718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3718A second address: F37194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35051 second address: F35069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35069 second address: F3506E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3506E second address: F35074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35233 second address: F35252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35694 second address: F35698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35994 second address: F3599C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3599C second address: F359A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35B40 second address: F35B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8175h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCBB4EE8172h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 js 00007FCBB4EE8166h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35E14 second address: F35E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F35F76 second address: F35F7B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3685A second address: F36860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F36860 second address: F3686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FCBB4EE816Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3686F second address: F368A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEBFh 0x00000008 jmp 00007FCBB4F3EEB3h 0x0000000d je 00007FCBB4F3EEA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBB4F3EEB0h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F368A2 second address: F368A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F34D89 second address: F34D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F34D91 second address: F34D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ECC6C9 second address: ECC6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DD50 second address: F3DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DD56 second address: F3DD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DD5A second address: F3DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBB4EE8173h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DD73 second address: F3DD78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DD78 second address: F3DD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F3DEBF second address: F3DECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FCBB4F3EEA6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EBBF2E second address: EBBF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EBBF33 second address: EBBF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FCBB4F3EEA6h 0x0000000b jns 00007FCBB4F3EEA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EBBF49 second address: EBBF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EBBF4F second address: EBBF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F4F51B second address: F4F527 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F4F527 second address: F4F52E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F587C0 second address: F587DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EC0EFC second address: EC0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EC0F00 second address: EC0F29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007FCBB4EE8166h 0x0000000f jmp 00007FCBB4EE8171h 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EC0F29 second address: EC0F44 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F5860D second address: F5863D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8174h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCBB4EE8174h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F5863D second address: F58641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F611C0 second address: F611C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F611C7 second address: F611DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCBB4F3EEAAh 0x0000000a pop edi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F60D4A second address: F60D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FCBB4EE8179h 0x0000000c js 00007FCBB4EE817Dh 0x00000012 jmp 00007FCBB4EE8171h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: ECFC09 second address: ECFC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FCBB4F3EEA6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: EC4488 second address: EC44A4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBB4EE8172h 0x00000008 jmp 00007FCBB4EE816Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F74C3B second address: F74C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F74C45 second address: F74C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4EE8166h 0x0000000a jmp 00007FCBB4EE8178h 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FCBB4EE8173h 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 jl 00007FCBB4EE8166h 0x00000026 push edx 0x00000027 pop edx 0x00000028 jnp 00007FCBB4EE8166h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F77085 second address: F77090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCBB4F3EEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A3D4 second address: F7A3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCBB4EE816Ah 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jns 00007FCBB4EE8166h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A3EF second address: F7A410 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEB4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A410 second address: F7A42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBB4EE8176h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A27C second address: F7A284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A284 second address: F7A28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A28A second address: F7A298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEAAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A298 second address: F7A29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7A29C second address: F7A2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F8040E second address: F80425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FCBB4EE8166h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F80425 second address: F80434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFD9 second address: F7FFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFDD second address: F7FFE9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFE9 second address: F7FFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFED second address: F7FFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFF3 second address: F7FFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FCBB4EE8166h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F7FFFF second address: F80011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FCBB4F3EEA6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F80011 second address: F80027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FCBB4EE817Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FCBB4EE8166h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F80027 second address: F80032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F80175 second address: F80199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F80199 second address: F801A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: F801A2 second address: F801A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA42E5 second address: FA42EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA42EB second address: FA42FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FCBB4EE8166h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA42FF second address: FA4309 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA4309 second address: FA432A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBB4EE816Eh 0x00000008 jng 00007FCBB4EE8166h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA376A second address: FA3772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA3772 second address: FA3776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA4011 second address: FA401A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA401A second address: FA4029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA4029 second address: FA403F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA403F second address: FA405B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBB4EE816Dh 0x0000000e jns 00007FCBB4EE8166h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA6EE0 second address: FA6EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCBB4F3EEA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA83E1 second address: FA8413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCBB4EE8166h 0x0000000a jns 00007FCBB4EE8166h 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push edi 0x00000018 jmp 00007FCBB4EE816Eh 0x0000001d pop edi 0x0000001e popad 0x0000001f jo 00007FCBB4EE81ABh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FA8413 second address: FA841D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAAF35 second address: FAAF61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FCBB4EE8176h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCBB4EE8166h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAAF61 second address: FAAF65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAD7C5 second address: FAD7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAD7CC second address: FAD7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAD7D2 second address: FAD7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAD7D6 second address: FAD7F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FAD8C9 second address: FAD8E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE816Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FADE8B second address: FADE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	RDTSC instruction interceptor: First address: FB106C second address: FB108F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCBB4EE8173h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FCBB4EE8166h 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: 95B108 second address: 95B10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: 95B10C second address: 95B112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4A85 second address: AD4A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4A89 second address: AD4AA7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCBB4EE816Bh 0x00000010 jns 00007FCBB4EE8166h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D4B second address: AD4D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D60 second address: AD4D7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4EE816Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FCBB4EE8166h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D7C second address: AD4D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D80 second address: AD4D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D86 second address: AD4DB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCBB4F3EEB9h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FCBB4F3EEA6h 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EE4 second address: AD4EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBB4EE8166h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EEE second address: AD4EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EFA second address: AD4EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EFE second address: AD4F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4F3EEA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4F0D second address: AD4F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD52FE second address: AD5317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB5h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4A89 second address: AD4AA7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCBB4F3EEABh 0x00000010 jns 00007FCBB4F3EEA6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D4B second address: AD4D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8170h 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D60 second address: AD4D7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4F3EEAEh 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FCBB4F3EEA6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4D86 second address: AD4DB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCBB4EE8179h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FCBB4EE8166h 0x00000012 jng 00007FCBB4EE8166h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EE4 second address: AD4EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD4EFE second address: AD4F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AD52FE second address: AD5317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8175h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABF468 second address: ABF470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF45CE second address: AF45D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF45D4 second address: AF45DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF45DA second address: AF45DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF4715 second address: AF4719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF4719 second address: AF471F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF471F second address: AF4725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF48ED second address: AF4903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FCBB4EE816Eh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF4903 second address: AF490F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF4BDB second address: AF4BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4EE8166h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF4EEB second address: AF4EFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007FCBB4F3EEA6h 0x00000009 pop ecx 0x0000000a jbe 00007FCBB4F3EEBBh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF507C second address: AF509B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007FCBB4EE8166h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FCBB4EE8170h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF55E2 second address: AF55ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF5750 second address: AF5757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF5757 second address: AF5770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEB5h 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF5770 second address: AF5774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AEC419 second address: AEC42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FCBB4F3EEA6h 0x0000000d jo 00007FCBB4F3EEA6h 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AEC42C second address: AEC430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF58C3 second address: AF58C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF58C7 second address: AF58D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF58D5 second address: AF58D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF9386 second address: AF938B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF97F7 second address: AF98F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4F3EEB3h 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e stc 0x0000000f push dword ptr fs:[00000000h] 0x00000016 jmp 00007FCBB4F3EEB0h 0x0000001b mov dword ptr fs:[00000000h], esp 0x00000022 jnl 00007FCBB4F3EEAAh 0x00000028 pushad 0x00000029 push esi 0x0000002a ja 00007FCBB4F3EEA6h 0x00000030 pop ecx 0x00000031 mov bh, 99h 0x00000033 popad 0x00000034 lea eax, dword ptr [ebp+12472BD6h] 0x0000003a pushad 0x0000003b and dh, 0000003Bh 0x0000003e mov ah, 04h 0x00000040 popad 0x00000041 mov dword ptr [eax+01h], esp 0x00000044 pushad 0x00000045 jmp 00007FCBB4F3EEB7h 0x0000004a xor si, 6884h 0x0000004f popad 0x00000050 lea eax, dword ptr [ebp+12472C02h] 0x00000056 ja 00007FCBB4F3EEB4h 0x0000005c mov dword ptr [eax+01h], ebp 0x0000005f jnp 00007FCBB4F3EEA7h 0x00000065 mov byte ptr [ebp+122D36D9h], 0000004Fh 0x0000006c push 00000000h 0x0000006e push esi 0x0000006f call 00007FCBB4F3EEA8h 0x00000074 pop esi 0x00000075 mov dword ptr [esp+04h], esi 0x00000079 add dword ptr [esp+04h], 0000001Ch 0x00000081 inc esi 0x00000082 push esi 0x00000083 ret 0x00000084 pop esi 0x00000085 ret 0x00000086 jmp 00007FCBB4F3EEB3h 0x0000008b push B0892644h 0x00000090 push eax 0x00000091 push edx 0x00000092 jmp 00007FCBB4F3EEB8h 0x00000097 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF8144 second address: AF814B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF814B second address: AF8158 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF998A second address: AF998E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF998E second address: AF99BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 push ecx 0x0000000a je 00007FCBB4F3EEA6h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 popad 0x00000018 mov eax, dword ptr [esp+04h] 0x0000001c jmp 00007FCBB4F3EEABh 0x00000021 mov eax, dword ptr [eax] 0x00000023 push edi 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 popad 0x00000028 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AF99BC second address: AF99E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8171h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007FCBB4EE816Ch 0x00000016 jnp 00007FCBB4EE8166h 0x0000001c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFB994 second address: AFB99A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFB99A second address: AFB99E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFB99E second address: AFB9C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007FCBB4F3EEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007FCBB4F3EEB6h 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC09 second address: AFFC0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC0D second address: AFFC13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC13 second address: AFFC40 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jg 00007FCBB4EE816Ah 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FCBB4EE8173h 0x0000001b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC40 second address: AFFC82 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a movzx esi, cx 0x0000000d call 00007FCBB4F3EEA9h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FCBB4F3EEB9h 0x0000001c popad 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC82 second address: AFFC88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC88 second address: AFFC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFC8C second address: AFFCCF instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FCBB4EE816Dh 0x0000000e mov eax, dword ptr [esp+04h] 0x00000012 jbe 00007FCBB4EE816Eh 0x00000018 push esi 0x00000019 jl 00007FCBB4EE8166h 0x0000001f pop esi 0x00000020 mov eax, dword ptr [eax] 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FCBB4EE816Fh 0x0000002a jg 00007FCBB4EE8166h 0x00000030 popad 0x00000031 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AFFE11 second address: AFFE19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B000A7 second address: B000AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B001AB second address: B001AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B001AF second address: B001B5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00891 second address: B00897 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00897 second address: B0089C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00982 second address: B00988 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00988 second address: B0098D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00E40 second address: B00E46 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B00E46 second address: B00E4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B022AC second address: B022B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B0310C second address: B03110 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B03110 second address: B03116 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B03D46 second address: B03D67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBB4EE8173h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B03D67 second address: B03D6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B03D6B second address: B03D6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B04789 second address: B047BC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007FCBB4F3EEB8h 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FCBB4F3EEB1h 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B04575 second address: B0457F instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B05294 second address: B0529F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4F3EEA6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B06713 second address: B06717 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B07084 second address: B07088 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B0C995 second address: B0C999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B0C999 second address: B0C99F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B0EFD4 second address: B0F04E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 jmp 00007FCBB4EE8173h 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007FCBB4EE8168h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000017h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 movsx ebx, ax 0x0000002a push 00000000h 0x0000002c mov edi, dword ptr [ebp+122D2BC5h] 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007FCBB4EE8168h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 0000001Dh 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e mov bx, 6F32h 0x00000052 push eax 0x00000053 push eax 0x00000054 jl 00007FCBB4EE816Ch 0x0000005a push eax 0x0000005b push edx 0x0000005c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B111A9 second address: B111AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B111AE second address: B111B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1026E second address: B1028D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop esi 0x00000008 push eax 0x00000009 pushad 0x0000000a push edi 0x0000000b jmp 00007FCBB4F3EEAFh 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1028D second address: B10320 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c mov bh, 3Dh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 call 00007FCBB4EE8173h 0x0000001a mov edi, edx 0x0000001c pop ebx 0x0000001d mov dword ptr fs:[00000000h], esp 0x00000024 mov bl, 2Eh 0x00000026 mov eax, dword ptr [ebp+122D090Dh] 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007FCBB4EE8168h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 0000001Ah 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push FFFFFFFFh 0x00000048 jc 00007FCBB4EE816Ch 0x0000004e mov ebx, dword ptr [ebp+122D3837h] 0x00000054 nop 0x00000055 jns 00007FCBB4EE817Bh 0x0000005b push eax 0x0000005c pushad 0x0000005d jnp 00007FCBB4EE8168h 0x00000063 pushad 0x00000064 push eax 0x00000065 push edx 0x00000066 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B144D4 second address: B144D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B144D8 second address: B144EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FCBB4EE816Ah 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B144EC second address: B144F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B144F2 second address: B144F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B144F6 second address: B144FA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B14716 second address: B14729 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE816Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B14729 second address: B14730 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1658B second address: B1658F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1658F second address: B16608 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007FCBB4F3EEB0h 0x0000000c pop ebx 0x0000000d popad 0x0000000e mov dword ptr [esp], eax 0x00000011 push 00000000h 0x00000013 push ebx 0x00000014 call 00007FCBB4F3EEA8h 0x00000019 pop ebx 0x0000001a mov dword ptr [esp+04h], ebx 0x0000001e add dword ptr [esp+04h], 00000017h 0x00000026 inc ebx 0x00000027 push ebx 0x00000028 ret 0x00000029 pop ebx 0x0000002a ret 0x0000002b pushad 0x0000002c sbb dh, 0000006Dh 0x0000002f sub dword ptr [ebp+122D369Fh], edi 0x00000035 popad 0x00000036 push 00000000h 0x00000038 mov di, B8DEh 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push edx 0x00000041 call 00007FCBB4F3EEA8h 0x00000046 pop edx 0x00000047 mov dword ptr [esp+04h], edx 0x0000004b add dword ptr [esp+04h], 00000017h 0x00000053 inc edx 0x00000054 push edx 0x00000055 ret 0x00000056 pop edx 0x00000057 ret 0x00000058 mov ebx, dword ptr [ebp+122D2BE5h] 0x0000005e xchg eax, esi 0x0000005f push eax 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B16608 second address: B1662D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e jmp 00007FCBB4EE8175h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1662D second address: B16636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B16636 second address: B1663A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B158DD second address: B158E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B158E7 second address: B158EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B175AC second address: B175DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jbe 00007FCBB4F3EEB4h 0x0000000f jmp 00007FCBB4F3EEAEh 0x00000014 popad 0x00000015 push eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B175DF second address: B175E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B16763 second address: B1676D instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B186B6 second address: B18703 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a popad 0x0000000b push ebx 0x0000000c push edx 0x0000000d pop edx 0x0000000e pop ebx 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007FCBB4EE8168h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 0000001Ah 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f cld 0x00000030 push 00000000h 0x00000032 push esi 0x00000033 mov edi, dword ptr [ebp+12476AABh] 0x00000039 pop edi 0x0000003a mov dword ptr [ebp+122D373Ah], ebx 0x00000040 xchg eax, esi 0x00000041 push edi 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1777A second address: B1778C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4F3EEAEh 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B19549 second address: B1954F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B18817 second address: B1881C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1881C second address: B18821 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B18821 second address: B1882D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1A51A second address: B1A55D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d ja 00007FCBB4EE8166h 0x00000013 pop ebx 0x00000014 pop edi 0x00000015 push 00000000h 0x00000017 mov di, 8A0Eh 0x0000001b call 00007FCBB4EE8172h 0x00000020 mov edi, dword ptr [ebp+122D29ADh] 0x00000026 pop ebx 0x00000027 push 00000000h 0x00000029 mov edi, dword ptr [ebp+122D29A1h] 0x0000002f stc 0x00000030 push eax 0x00000031 push eax 0x00000032 push edx 0x00000033 push ecx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1A55D second address: B1A562 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1A562 second address: B1A56D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FCBB4EE8166h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B197FC second address: B19806 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1B75A second address: B1B760 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1B760 second address: B1B765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1B803 second address: B1B809 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B2A33C second address: B2A34D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jno 00007FCBB4F3EEACh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B1C61C second address: B1C6D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007FCBB4EE816Ch 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007FCBB4EE8173h 0x00000011 nop 0x00000012 movzx ebx, di 0x00000015 push dword ptr fs:[00000000h] 0x0000001c push 00000000h 0x0000001e push ecx 0x0000001f call 00007FCBB4EE8168h 0x00000024 pop ecx 0x00000025 mov dword ptr [esp+04h], ecx 0x00000029 add dword ptr [esp+04h], 00000014h 0x00000031 inc ecx 0x00000032 push ecx 0x00000033 ret 0x00000034 pop ecx 0x00000035 ret 0x00000036 mov dword ptr fs:[00000000h], esp 0x0000003d xor edi, dword ptr [ebp+122D29C1h] 0x00000043 pushad 0x00000044 mov edi, dword ptr [ebp+122D372Eh] 0x0000004a add ax, 94B7h 0x0000004f popad 0x00000050 mov eax, dword ptr [ebp+122D07B5h] 0x00000056 or di, 84C1h 0x0000005b push FFFFFFFFh 0x0000005d and ebx, dword ptr [ebp+122D2945h] 0x00000063 call 00007FCBB4EE8174h 0x00000068 mov dword ptr [ebp+122D3077h], ebx 0x0000006e pop ebx 0x0000006f nop 0x00000070 jmp 00007FCBB4EE8175h 0x00000075 push eax 0x00000076 jc 00007FCBB4EE8174h 0x0000007c push eax 0x0000007d push edx 0x0000007e pushad 0x0000007f popad 0x00000080 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29790 second address: B29794 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29794 second address: B29798 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29798 second address: B297CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnc 00007FCBB4F3EEAEh 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 jmp 00007FCBB4F3EEB4h 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B297CC second address: B297D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29C18 second address: B29C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEAEh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29D85 second address: B29D89 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29EEB second address: B29F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBB4F3EEA6h 0x0000000c jmp 00007FCBB4F3EEB5h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B37141 second address: B37173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8172h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBB4EE8171h 0x00000010 pushad 0x00000011 ja 00007FCBB4EE8166h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B37173 second address: B37179 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B37179 second address: B37184 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B37184 second address: B3718A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3718A second address: B37194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35051 second address: B35069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB3h 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35069 second address: B3506E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3506E second address: B35074 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35233 second address: B35252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35694 second address: B35698 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35994 second address: B3599C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3599C second address: B359A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35B40 second address: B35B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8175h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCBB4EE8172h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 js 00007FCBB4EE8166h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35E14 second address: B35E18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35F76 second address: B35F7B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3685A second address: B36860 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B36860 second address: B3686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FCBB4EE816Ah 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3686F second address: B368A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4F3EEBFh 0x00000008 jmp 00007FCBB4F3EEB3h 0x0000000d je 00007FCBB4F3EEA6h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBB4F3EEB0h 0x0000001a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B368A2 second address: B368A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B34D89 second address: B34D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B34D91 second address: B34D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ACC6C9 second address: ACC6CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD50 second address: B3DD56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD56 second address: B3DD5A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD5A second address: B3DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBB4EE8173h 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD73 second address: B3DD78 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD78 second address: B3DD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DEBF second address: B3DECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FCBB4F3EEA6h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABBF2E second address: ABBF33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABBF33 second address: ABBF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FCBB4F3EEA6h 0x0000000b jns 00007FCBB4F3EEA6h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABBF49 second address: ABBF4F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABBF4F second address: ABBF53 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B4F51B second address: B4F527 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4EE8166h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B4F527 second address: B4F52E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B587C0 second address: B587DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8178h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AC0EFC second address: AC0F00 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AC0F00 second address: AC0F29 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 jc 00007FCBB4EE8166h 0x0000000f jmp 00007FCBB4EE8171h 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b push esi 0x0000001c pop esi 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AC0F29 second address: AC0F44 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEAEh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B5860D second address: B5863D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8174h 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FCBB4EE8174h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B5863D second address: B58641 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B611C0 second address: B611C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B611C7 second address: B611DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007FCBB4F3EEAAh 0x0000000a pop edi 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B60D4A second address: B60D82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FCBB4EE8179h 0x0000000c js 00007FCBB4EE817Dh 0x00000012 jmp 00007FCBB4EE8171h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ACFC09 second address: ACFC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8173h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FCBB4EE8166h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: AC4488 second address: AC44A4 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FCBB4EE8172h 0x00000008 jmp 00007FCBB4EE816Ch 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B74C3B second address: B74C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B74C45 second address: B74C96 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4EE8166h 0x0000000a jmp 00007FCBB4EE8178h 0x0000000f popad 0x00000010 pushad 0x00000011 push esi 0x00000012 pop esi 0x00000013 push eax 0x00000014 pop eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 jmp 00007FCBB4EE8173h 0x0000001c popad 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 jl 00007FCBB4EE8166h 0x00000026 push edx 0x00000027 pop edx 0x00000028 jnp 00007FCBB4EE8166h 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B77085 second address: B77090 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007FCBB4F3EEA6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A3D4 second address: B7A3EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FCBB4EE816Ah 0x0000000a pop ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 jns 00007FCBB4EE8166h 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A3EF second address: B7A410 instructions: 0x00000000 rdtsc 0x00000002 js 00007FCBB4F3EEA6h 0x00000008 jmp 00007FCBB4F3EEB4h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A410 second address: B7A42E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FCBB4EE8176h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A27C second address: B7A284 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A284 second address: B7A28A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A28A second address: B7A298 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEAAh 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A298 second address: B7A29C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7A29C second address: B7A2A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29798 second address: B297CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 pushad 0x0000000a jnc 00007FCBB4EE816Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 jng 00007FCBB4EE8166h 0x00000018 jmp 00007FCBB4EE8174h 0x0000001d rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29C18 second address: B29C24 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4EE816Eh 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B29EEB second address: B29F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jng 00007FCBB4EE8166h 0x0000000c jmp 00007FCBB4EE8175h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B37141 second address: B37173 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4F3EEB2h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007FCBB4F3EEB1h 0x00000010 pushad 0x00000011 ja 00007FCBB4F3EEA6h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3718A second address: B37194 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35051 second address: B35069 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8173h 0x00000009 popad 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35233 second address: B35252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB9h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B35B40 second address: B35B73 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB5h 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007FCBB4F3EEB2h 0x00000011 jp 00007FCBB4F3EEA6h 0x00000017 js 00007FCBB4F3EEA6h 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B36860 second address: B3686F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jns 00007FCBB4F3EEAAh 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3686F second address: B368A2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FCBB4EE817Fh 0x00000008 jmp 00007FCBB4EE8173h 0x0000000d je 00007FCBB4EE8166h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FCBB4EE8170h 0x0000001a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DD5A second address: B3DD73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FCBB4F3EEB3h 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B3DEBF second address: B3DECE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 jo 00007FCBB4EE8166h 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ABBF33 second address: ABBF49 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007FCBB4EE8166h 0x0000000b jns 00007FCBB4EE8166h 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B8040E second address: B80425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FCBB4F3EEA6h 0x00000011 jp 00007FCBB4F3EEA6h 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80425 second address: B80434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE816Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFD9 second address: B7FFDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFDD second address: B7FFE9 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFE9 second address: B7FFED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFED second address: B7FFF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFF3 second address: B7FFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FCBB4F3EEA6h 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFFF second address: B80011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FCBB4EE8166h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80011 second address: B80027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FCBB4F3EEBEh 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FCBB4F3EEA6h 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80027 second address: B80032 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80175 second address: B80199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4F3EEB9h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80199 second address: B801A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B801A2 second address: B801A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA42E5 second address: BA42EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA42EB second address: BA42FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FCBB4F3EEA6h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA42FF second address: BA4309 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA4309 second address: BA432A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBB4F3EEAEh 0x00000008 jng 00007FCBB4F3EEA6h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA376A second address: BA3772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA3772 second address: BA3776 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA4011 second address: BA401A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA401A second address: BA4029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCBB4F3EEA6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA4029 second address: BA403F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4EE8170h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA403F second address: BA405B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBB4F3EEADh 0x0000000e jns 00007FCBB4F3EEA6h 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA6EE0 second address: BA6EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCBB4EE8166h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA83E1 second address: BA8413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCBB4F3EEA6h 0x0000000a jns 00007FCBB4F3EEA6h 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push edi 0x00000018 jmp 00007FCBB4F3EEAEh 0x0000001d pop edi 0x0000001e popad 0x0000001f jo 00007FCBB4F3EEEBh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA8413 second address: BA841D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCBB4EE8166h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B4F51B second address: B4F527 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FCBB4F3EEA6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAAF35 second address: BAAF61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FCBB4F3EEB6h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCBB4F3EEA6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAAF61 second address: BAAF65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD7C5 second address: BAD7CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD7CC second address: BAD7D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD7D2 second address: BAD7D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD7D6 second address: BAD7F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE8176h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD8C9 second address: BAD8E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEAEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BADE8B second address: BADE91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BB106C second address: BB108F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCBB4F3EEB3h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FCBB4F3EEA6h 0x00000015 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: ACFC09 second address: ACFC28 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007FCBB4F3EEA6h 0x00000011 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B8040E second address: B80425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007FCBB4EE8166h 0x00000011 jp 00007FCBB4EE8166h 0x00000017 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80425 second address: B80434 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEABh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFF3 second address: B7FFFF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jns 00007FCBB4EE8166h 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B7FFFF second address: B80011 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jns 00007FCBB4F3EEA6h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80011 second address: B80027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007FCBB4EE817Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007FCBB4EE8166h 0x00000016 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: B80175 second address: B80199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FCBB4EE8179h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA42EB second address: BA42FF instructions: 0x00000000 rdtsc 0x00000002 jp 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007FCBB4EE8166h 0x00000012 push edx 0x00000013 pop edx 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA42FF second address: BA4309 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA4309 second address: BA432A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FCBB4EE816Eh 0x00000008 jng 00007FCBB4EE8166h 0x0000000e push esi 0x0000000f pop esi 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA401A second address: BA4029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007FCBB4EE8166h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA4029 second address: BA403F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB0h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA403F second address: BA405B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FCBB4EE816Dh 0x0000000e jns 00007FCBB4EE8166h 0x00000014 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA6EE0 second address: BA6EEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007FCBB4F3EEA6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA83E1 second address: BA8413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FCBB4EE8166h 0x0000000a jns 00007FCBB4EE8166h 0x00000010 popad 0x00000011 push esi 0x00000012 pushad 0x00000013 popad 0x00000014 push edi 0x00000015 pop edi 0x00000016 pop esi 0x00000017 push edi 0x00000018 jmp 00007FCBB4EE816Eh 0x0000001d pop edi 0x0000001e popad 0x0000001f jo 00007FCBB4EE81ABh 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BA8413 second address: BA841D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAAF35 second address: BAAF61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 jmp 00007FCBB4EE8176h 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push eax 0x00000012 push edx 0x00000013 js 00007FCBB4EE8166h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD7D6 second address: BAD7F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4F3EEB6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BAD8C9 second address: BAD8E1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FCBB4EE816Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	RDTSC instruction interceptor: First address: BB106C second address: BB108F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FCBB4EE8173h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edi 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jns 00007FCBB4EE8166h 0x00000015 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 59B108 second address: 59B10C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 59B10C second address: 59B112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714A85 second address: 714A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714A89 second address: 714AA7 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FCBB4EE8166h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007FCBB4EE816Bh 0x00000010 jns 00007FCBB4EE8166h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714D4B second address: 714D60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB0h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714D60 second address: 714D7C instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4EE816Eh 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007FCBB4EE8166h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714D7C second address: 714D80 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714D80 second address: 714D86 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714D86 second address: 714DB4 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FCBB4F3EEB9h 0x00000008 pop ebx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c jng 00007FCBB4F3EEA6h 0x00000012 jng 00007FCBB4F3EEA6h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714EE4 second address: 714EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FCBB4EE8166h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714EEE second address: 714EFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714EFA second address: 714EFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714EFE second address: 714F0D instructions: 0x00000000 rdtsc 0x00000002 je 00007FCBB4F3EEA6h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 714F0D second address: 714F13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7152FE second address: 715317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FCBB4F3EEB5h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 6FF468 second address: 6FF470 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7345CE second address: 7345D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7345D4 second address: 7345DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7345DA second address: 7345DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 734715 second address: 734719 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 734719 second address: 73471F instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 73471F second address: 734725 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7348ED second address: 734903 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007FCBB4F3EEAEh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 734903 second address: 73490F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 734BDB second address: 734BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FCBB4F3EEA6h 0x0000000a rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 734EEB second address: 734EFD instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007FCBB4EE8166h 0x00000009 pop ecx 0x0000000a jbe 00007FCBB4EE817Bh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 73507C second address: 73509B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jne 00007FCBB4F3EEA6h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007FCBB4F3EEB0h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7355E2 second address: 7355ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push esi 0x00000007 push edx 0x00000008 pop edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 735750 second address: 735757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 735757 second address: 735770 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FCBB4EE8175h 0x00000009 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 735770 second address: 735774 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 72C419 second address: 72C42C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FCBB4EE8166h 0x0000000d jo 00007FCBB4EE8166h 0x00000013 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 72C42C second address: 72C430 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7358C3 second address: 7358C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7358C7 second address: 7358D5 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FCBB4F3EEA6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 7358D5 second address: 7358D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	RDTSC instruction interceptor: First address: 739386 second address: 73938B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Special instruction interceptor: First address: D5A897 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Special instruction interceptor: First address: EF949A instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Special instruction interceptor: First address: EF9857 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 95A897 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: AF949A instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: AF9857 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 59A897 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 73949A instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 739857 instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,	0_2_00C83320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,	6_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,	7_2_00883320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,	8_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos,	12_2_004C3320

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 936	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 524	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 958	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 595	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1106	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1178	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1233	Jump to behavior

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_8-17288

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 6252	Thread sleep time: -56028s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 5092	Thread sleep count: 41 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 5092	Thread sleep time: -82041s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 2852	Thread sleep count: 300 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 2852	Thread sleep time: -30300s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe TID: 3840	Thread sleep count: 258 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116	Thread sleep count: 130 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7116	Thread sleep time: -260130s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2740	Thread sleep count: 62 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2740	Thread sleep time: -124062s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3640	Thread sleep count: 936 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3640	Thread sleep time: -94536s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7156	Thread sleep count: 524 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7156	Thread sleep count: 196 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 612	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 612	Thread sleep time: -110055s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2704	Thread sleep count: 55 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2704	Thread sleep time: -110055s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3908	Thread sleep count: 116 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3908	Thread sleep time: -232116s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2120	Thread sleep count: 958 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2120	Thread sleep time: -96758s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1968	Thread sleep count: 595 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1968	Thread sleep count: 263 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6456	Thread sleep time: -56028s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4904	Thread sleep count: 1106 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 4904	Thread sleep time: -2213106s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280	Thread sleep count: 45 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280	Thread sleep count: 316 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5280	Thread sleep time: -31916s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6472	Thread sleep count: 270 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1088	Thread sleep time: -58029s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 736	Thread sleep count: 1178 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 736	Thread sleep time: -2357178s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5828	Thread sleep count: 1233 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 5828	Thread sleep time: -2467233s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220	Thread sleep count: 50 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220	Thread sleep count: 307 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 2220	Thread sleep time: -31007s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7204	Thread sleep count: 257 > 30	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004D0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Nscsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}owsf
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000K
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}A
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: !M#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: N-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000051E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}3
Source: MPGPH131.exe, 00000006.00000002.3376693028.00000000012FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}85S
Source: RageMP131.exe, 0000000C.00000003.2362394351.0000000000D32000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: LisectAVT_2403002B_242.exe, 00000000.00000003.2143235948.0000000000516000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}2
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}!g
Source: MPGPH131.exe, 00000007.00000002.3376463341.00000000010FD000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}pe=
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D20000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: RageMP131.exe, 0000000C.00000003.2362394351.0000000000D34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b})
Source: MPGPH131.exe, 00000007.00000002.3376838901.00000000013CC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}?`
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA323
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}h
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;
Source: RageMP131.exe, 00000008.00000002.3376796312.00000000014FC000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}F
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.000000000050C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&M
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}i]
Source: MPGPH131.exe, 00000006.00000003.2165077681.0000000001537000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: k&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000D34000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_7B33DA32
Source: LisectAVT_2403002B_242.exe, 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}M
Source: MPGPH131.exe, 00000006.00000002.3377080253.000000000153F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Code function: 0_2_00C39360 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,

0_2_00C39360

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C83320 mov eax, dword ptr fs:[00000030h]	0_2_00C83320
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C83320 mov eax, dword ptr fs:[00000030h]	0_2_00C83320
Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Code function: 0_2_00C33F10 mov eax, dword ptr fs:[00000030h]	0_2_00C33F10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00883320 mov eax, dword ptr fs:[00000030h]	6_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00883320 mov eax, dword ptr fs:[00000030h]	6_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00833F10 mov eax, dword ptr fs:[00000030h]	6_2_00833F10
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00883320 mov eax, dword ptr fs:[00000030h]	7_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00883320 mov eax, dword ptr fs:[00000030h]	7_2_00883320
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 7_2_00833F10 mov eax, dword ptr fs:[00000030h]	7_2_00833F10
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004C3320 mov eax, dword ptr fs:[00000030h]	8_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_004C3320 mov eax, dword ptr fs:[00000030h]	8_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 8_2_00473F10 mov eax, dword ptr fs:[00000030h]	8_2_00473F10
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004C3320 mov eax, dword ptr fs:[00000030h]	12_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_004C3320 mov eax, dword ptr fs:[00000030h]	12_2_004C3320
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 12_2_00473F10 mov eax, dword ptr fs:[00000030h]	12_2_00473F10

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Code function: 0_2_00CFDE2D GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_00CFDE2D

Source: C:\Users\user\Desktop\LisectAVT_2403002B_242.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_242.exe PID: 4156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 1756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3220, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002B_242.exe PID: 4156, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 2020, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 500, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 1756, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 3220, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 Scheduled Task/Job	1 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	12 Virtualization/Sandbox Evasion	LSASS Memory	421 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	11 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	1 Process Injection	Security Account Manager	12 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	213 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002B_242.exe	100%	Avira	TR/Agent.kmrzu
LisectAVT_2403002B_242.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	TR/Agent.kmrzu
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	TR/Agent.kmrzu
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTO	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT5	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT2F	0%	Avira URL Cloud	safe
https://www.maxmind.com/en/locate-my-ip-address	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002B_242.exe, 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002B_242.exe, 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT5	MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT	LisectAVT_2403002B_242.exe, 00000000.00000002.3375441152.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3376838901.00000000013BA000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3376796312.00000000014BE000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipinfo.io/	RageMP131.exe	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORTO	MPGPH131.exe, 00000006.00000002.3377080253.00000000014FD000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.maxmind.com/en/locate-my-ip-address	RageMP131.exe	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORT2F	RageMP131.exe, 0000000C.00000002.3376567599.0000000000CF8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.74	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1481918
Start date and time:	2024-07-25 16:07:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 54s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	15
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002B_242.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002B_242.exe

Simulations

Behavior and APIs

Time	Type	Description
10:08:33	API Interceptor	2163432x Sleep call for process: LisectAVT_2403002B_242.exe modified
10:08:35	API Interceptor	4564x Sleep call for process: MPGPH131.exe modified
10:08:46	API Interceptor	1816670x Sleep call for process: RageMP131.exe modified
16:08:04	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
16:08:04	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
16:08:07	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
16:08:15	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.74	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	vGDqFBB1Jz.exe	Get hash	malicious	RisePro Stealer	Browse
	iKV7MCWDJF.exe	Get hash	malicious	RisePro Stealer	Browse
	8TFD6H44Pz.exe	Get hash	malicious	RisePro Stealer	Browse
	uRLTbkeYF7.exe	Get hash	malicious	RisePro Stealer	Browse
	7mIgg1hm7Q.exe	Get hash	malicious	RisePro Stealer	Browse
	mZHCe1PQGn.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002B_433.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	Lisect_AVT_24003_G1B_108.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_89.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	Lisect_AVT_24003_G1A_37.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	LisectAVT_2403002A_262.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.190
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	hunta[1].exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62
	External Own 4.20.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	Aquantia_Setup 2.11.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse	147.45.47.64
	AdobeUpdaterV131.exe	Get hash	malicious	Bdaejec, RisePro Stealer	Browse	193.233.132.62

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2045964
Entropy (8bit):	7.945861814702523
Encrypted:	false
SSDEEP:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
MD5:	814C7D754DE0A807785F32A643082D2B
SHA1:	A3F7ABB4D5DC8BD5371F2E176B51E8C157B8F4BF
SHA-256:	5E4F50A70DEEB3A29049C06B1B3A73ABB6DEF3DDD4BEA47DBCE78E4EAA941333
SHA-512:	68AD7C541EAD4D551F586D70644B00F33C5FC14FF8EEB881C4DCEF5615BED7B5E196D1D7DD45AAE1945C87B26544F826DE90A2CC72BEF8CCDD4C283594F45486
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........k..............r......r.. ...r......"......."......."......."......r......r......r........................................~.............Rich............PE..L...eM.f...............'..............O...........@...........................P...........@.........................h.O.L...U`..i....0..X+...................a...................................................................................... . . ..........................@....rsrc...X+...0...,..................@....idata .....`......................@... .@&..p......................@...xdijjraj......9.....................@...xgxezfhn......O.....................@....taggant.0....O.."..................@...........................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2045964
Entropy (8bit):	7.945861814702523
Encrypted:	false
SSDEEP:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
MD5:	814C7D754DE0A807785F32A643082D2B
SHA1:	A3F7ABB4D5DC8BD5371F2E176B51E8C157B8F4BF
SHA-256:	5E4F50A70DEEB3A29049C06B1B3A73ABB6DEF3DDD4BEA47DBCE78E4EAA941333
SHA-512:	68AD7C541EAD4D551F586D70644B00F33C5FC14FF8EEB881C4DCEF5615BED7B5E196D1D7DD45AAE1945C87B26544F826DE90A2CC72BEF8CCDD4C283594F45486
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........k..............r......r.. ...r......"......."......."......."......r......r......r........................................~.............Rich............PE..L...eM.f...............'..............O...........@...........................P...........@.........................h.O.L...U`..i....0..X+...................a...................................................................................... . . ..........................@....rsrc...X+...0...,..................@....idata .....`......................@... .@&..p......................@...xdijjraj......9.....................@...xgxezfhn......O.....................@....taggant.0....O.."..................@...........................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	2.8150724101159437
Encrypted:	false
SSDEEP:	3:LEWh:lh
MD5:	E59F175A2F22F7631B47DF3CA82B8168
SHA1:	62618282F47D86DA64841A2ADB979425F5038D2E
SHA-256:	91FE24B5954D23C200A1226E15026B0F32776028E7DD77BCE235FDB8EAE646CA
SHA-512:	1CC836677438977400337FDB02C51DC03C6FE7B87A675C5C3091795CB4AB47D61D6C8E35A0059CC2C0F05DE32C732D2C970E2302B7F8ACC630BBD9536FA830FD
Malicious:	false
Reputation:	low
Preview:	1721922684710

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.945861814702523
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002B_242.exe
File size:	2'045'964 bytes
MD5:	814c7d754de0a807785f32a643082d2b
SHA1:	a3f7abb4d5dc8bd5371f2e176b51e8c157b8f4bf
SHA256:	5e4f50a70deeb3a29049c06b1b3a73abb6def3ddd4bea47dbce78e4eaa941333
SHA512:	68ad7c541ead4d551f586d70644b00f33c5fc14ff8eeb881c4dcef5615bed7b5e196d1d7dd45aae1945c87b26544f826de90a2cc72bef8ccdd4c283594f45486
SSDEEP:	49152:Zy5er9fzkC23IfoWxBaVPNb33AVJ6rj3y7JRm1MyV8Wyx:Z4QuJWxBq1b3QXyj3y7JRmCi8Wy
TLSH:	039533365C6F9F41CFB69B3556BAA7953E69252205322CDD3BDF2C2B7A2F059E340080
File Content Preview:	MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$........k...............r.......r.. ....r......"......."......."......."........r.......r.......r.....................................

File Icon


Icon Hash:	c769eccc64f6e2bb

Static PE Info

General

Entrypoint:	0x8fd000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x66004D65 [Sun Mar 24 15:57:25 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007FCBB4DB5BCAh
movhps xmm3, qword ptr [edi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [0000000Ah], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
and dword ptr [eax], eax
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add eax, 0000000Ah
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax*4], cl
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x4fb968	0x4c	xdijjraj
IMAGE_DIRECTORY_ENTRY_IMPORT	0x136055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x133000	0x2b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x1361f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x132000	0x8c800	506ca0b10816e2fa9e18fe7ab9dc560a	False	0.9939268933496441	data	7.935474542943052	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x133000	0x2b58	0x2c00	17ffeb7a45359e49f443d781e4bac350	False	0.22487571022727273	data	3.9670364194177874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x136000	0x1000	0x200	ef317f3bcb8069b9baae720ff5459274	False	0.146484375	data	0.998472215956371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x137000	0x264000	0x200	be1ab0a0a03526afc4efdc5a401afad0	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xdijjraj	0x39b000	0x161000	0x160a00	832d097713ce25e9dde996859f36503e	False	0.9947976670506913	data	7.953698825467194	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
xgxezfhn	0x4fc000	0x1000	0x400	625f6302a2d33d5024ea4589aa2fa001	False	0.783203125	data	6.057110716044971	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x4fd000	0x3000	0x2200	b331e3a0aa851fc9369f524969cbb587	False	0.06376378676470588	DOS executable (COM)	0.7027652358713922	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x133418	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.1892116182572614
RT_GROUP_ICON	0x1359c0	0x14	data	Russian	Russia	1.15
RT_VERSION	0x133130	0x2e4	data	Russian	Russia	0.4689189189189189
RT_MANIFEST	0x1359d8	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Exports

Name	Ordinal	Address
Start	1	0x466a40

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T16:08:29.865110+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49721	58709	192.168.2.6	193.233.132.74
2024-07-25T16:08:10.131591+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49712	58709	192.168.2.6	193.233.132.74
2024-07-25T16:08:21.827803+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49715	58709	192.168.2.6	193.233.132.74
2024-07-25T16:08:10.225066+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49713	58709	192.168.2.6	193.233.132.74
2024-07-25T16:08:58.773939+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49723	40.68.123.157	192.168.2.6
2024-07-25T16:08:07.943795+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49710	58709	192.168.2.6	193.233.132.74
2024-07-25T16:08:21.030816+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49716	40.68.123.157	192.168.2.6
2024-07-25T16:08:04.974720+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49710	58709	192.168.2.6	193.233.132.74

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 16:08:04.946219921 CEST	49710	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:04.951667070 CEST	58709	49710	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:04.951893091 CEST	49710	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:04.974720001 CEST	49710	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:04.979816914 CEST	58709	49710	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:07.131839991 CEST	49712	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.136869907 CEST	58709	49712	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:07.136954069 CEST	49712	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.156455994 CEST	49712	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.161592960 CEST	58709	49712	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:07.207293034 CEST	49713	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.212958097 CEST	58709	49713	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:07.213040113 CEST	49713	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.230529070 CEST	49713	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.235996962 CEST	58709	49713	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:07.943794966 CEST	49710	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:07.949724913 CEST	58709	49710	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:10.131591082 CEST	49712	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:10.145345926 CEST	58709	49712	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:10.225065947 CEST	49713	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:10.232893944 CEST	58709	49713	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:18.800323009 CEST	49715	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:18.805346966 CEST	58709	49715	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:18.805471897 CEST	49715	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:18.833656073 CEST	49715	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:18.838560104 CEST	58709	49715	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:21.827802896 CEST	49715	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:21.834747076 CEST	58709	49715	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:26.383692026 CEST	58709	49710	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:26.387626886 CEST	49710	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:26.861432076 CEST	49721	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:26.866545916 CEST	58709	49721	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:26.866650105 CEST	49721	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:26.888385057 CEST	49721	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:26.896083117 CEST	58709	49721	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:28.533083916 CEST	58709	49712	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:28.533246994 CEST	49712	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:28.595839024 CEST	58709	49713	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:28.595964909 CEST	49713	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:29.865109921 CEST	49721	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:29.870203972 CEST	58709	49721	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:40.271244049 CEST	58709	49715	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:40.271481037 CEST	49715	58709	192.168.2.6	193.233.132.74
Jul 25, 2024 16:08:48.248692989 CEST	58709	49721	193.233.132.74	192.168.2.6
Jul 25, 2024 16:08:48.248822927 CEST	49721	58709	192.168.2.6	193.233.132.74

Target ID:	0
Start time:	10:08:02
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002B_242.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002B_242.exe"
Imagebase:	0xc20000
File size:	2'045'964 bytes
MD5 hash:	814C7D754DE0A807785F32A643082D2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2128160270.00000000043E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0xb40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0xb40000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x820000
File size:	2'045'964 bytes
MD5 hash:	814C7D754DE0A807785F32A643082D2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2153204111.0000000004E00000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	10:08:04
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x820000
File size:	2'045'964 bytes
MD5 hash:	814C7D754DE0A807785F32A643082D2B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2154011051.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	10:08:15
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x460000
File size:	2'045'964 bytes
MD5 hash:	814C7D754DE0A807785F32A643082D2B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2263129853.0000000004DC0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	12
Start time:	10:08:23
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x460000
File size:	2'045'964 bytes
MD5 hash:	814C7D754DE0A807785F32A643082D2B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000003.2342969300.00000000046C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.3%
Total number of Nodes:	598
Total number of Limit Nodes:	60

Executed Functions

Function 00C83320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00C83333
GetCursorPos.USER32(?), ref: 00C83339
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00C83698), ref: 00C833E8
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00C83698), ref: 00C8349A

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: 046bf80c0a0a0cc80de41664d622b55472ecfedc69f65c18595a478a0678613b
Instruction ID: bf286889cca151cf213766bc6c2c8122b91cc82700135c7eca4703e8c148b8f3
Opcode Fuzzy Hash: 046bf80c0a0a0cc80de41664d622b55472ecfedc69f65c18595a478a0678613b
Instruction Fuzzy Hash: D151CD35A042958FCB25DF48C4D0EADBBB1EF85B08B195099D455AB321DB31EF46CB90

Function 00C3D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 00C3D4CB
socket.WS2_32(?,?,?), ref: 00C3D57F
connect.WS2_32(00000000,?,?), ref: 00C3D593
closesocket.WS2_32(00000000), ref: 00C3D59E

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 62ae8bf3da061c3bfac222b6d4fd5cfa952ff8e134550fab38a6671139d6eed2
Instruction ID: 09250625cf5c1f4e88000b6498e6973ec79d4f46b85cd75f386355ce0df1c1f8
Opcode Fuzzy Hash: 62ae8bf3da061c3bfac222b6d4fd5cfa952ff8e134550fab38a6671139d6eed2
Instruction Fuzzy Hash: 5131C1B15143006BD7209F25EC89B6BB7E4EB85338F005F1DF9B9932D0D3719A088B92

Function 00D12FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2982756ab328e4202576d05f092469f786babe6fe95e49b537868d92aff26da8
Instruction ID: 2840f13d7154f6ba35973d5bd6e5f0df742c48b776042f64a643e597905c5dd1
Opcode Fuzzy Hash: 2982756ab328e4202576d05f092469f786babe6fe95e49b537868d92aff26da8
Instruction Fuzzy Hash: 50B1D570A08345BFDB11EF98E881BEE7BB1EF45320F184159E9459B382DB719A81CB74

Function 00C29D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00C29EA8

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: fcc91c2c94361164b54e1da8234e51ed57b4afa3494182f0f512b20a844b6872
Instruction ID: c3076d80042ad4678ab00fd9491e3e2eee6cf4418e6fb637e75ecd15963f3cd6
Opcode Fuzzy Hash: fcc91c2c94361164b54e1da8234e51ed57b4afa3494182f0f512b20a844b6872
Instruction Fuzzy Hash: BC610671900214ABDB18DF68EC49BAEBBA8EF45310F1481ADF8189F682D775DA41C7F1

Function 00D13E1D Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00D07C57,?,00000000,00000000,00000000,?,00000000,?,00C29F4B,00D07C57,00000000,00C29F4B,?,?), ref: 00D13FA3

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: cb6cbb70b77c750958dac33954ef20dc8212ea34f417abfc911a20275972b7d6
Instruction ID: 545278133341c71aabef9b25a6d08cb7162340ea42b016280c07a2169d05d369
Opcode Fuzzy Hash: cb6cbb70b77c750958dac33954ef20dc8212ea34f417abfc911a20275972b7d6
Instruction Fuzzy Hash: B161B1B1D04209BFDF11DFA8E845AEEBFB9AF09304F180145F904A7251DB31DA828B70

Function 00D03512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7702887673c54bdb1028ff11f274f13f8dba8d83a0e0df4fe120d662ac619c8c
Instruction ID: 235f8e25eecda2edcc810b378c8d33efda21256c8500688f9861a583925995fa
Opcode Fuzzy Hash: 7702887673c54bdb1028ff11f274f13f8dba8d83a0e0df4fe120d662ac619c8c
Instruction Fuzzy Hash: D4519574A00248BFDB14DF58C845BAA7BB5EF49354F688158F84D9B392D372DE41CB60

Function 00D13493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00D1337A,00000000,CF830579,00D4B810,0000000C,00D13436,00D0778D,?), ref: 00D134EA

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: e8973fb341140908d11426073c5f6bf4f5adac8896fa44c0dd8d2ba4eb3323e7
Instruction ID: 333ba9828c48543fc6c0540514ea4f1e8db4f7be8e064d65504f2c1f3acddf3c
Opcode Fuzzy Hash: e8973fb341140908d11426073c5f6bf4f5adac8896fa44c0dd8d2ba4eb3323e7
Instruction Fuzzy Hash: BD114C3650822436D6226234B852BFE6349CB83734F290159ED588B1C1DE629DC152B0

Function 00D0CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00D4B4C8,00C29F4B,00000002,00C29F4B,00000000,?,?,?,00D0CD36,00000000,?,00C29F4B,00000002,00D4B4C8), ref: 00D0CC69

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 00ecf869aed8c32f58866e46503b0d12e941f32c4a0a70169957347b89bf2d40
Instruction ID: b261a290eeba4cea0f382177cafac16448ee5f5623e16b3b0fc9aaf866d03bc3
Opcode Fuzzy Hash: 00ecf869aed8c32f58866e46503b0d12e941f32c4a0a70169957347b89bf2d40
Instruction Fuzzy Hash: 580104326242056FDB05CF19CC55EAE3B19DB85330B241244E8599B2D0EA71ED8197A0

Function 00C22D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C22DBF

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction ID: 5f3459924f86113cc29a3098e5ada5d1b5c25d6e9364b540a37ad19550c072f9
Opcode Fuzzy Hash: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction Fuzzy Hash: C2F05972100114ABCB186F60F8018F9B3E8EF24361B14043EF89DC7A42EB36DA80C7D0

Function 00D14D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00D07DC7,00000000,?,00D146F9,00000001,00000364,00000000,00000006,000000FF,?,00000000,00D0BE14,00D07593,00D07DC7,00000000), ref: 00D14DB5

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2f905872a69d168e32cfdcde4d27bace896a39440db13a1b5d9f3392aa127104
Instruction ID: f5493be31071db4ab91408ca138d34578be96130d00190cbc5aeafc4587efe49
Opcode Fuzzy Hash: 2f905872a69d168e32cfdcde4d27bace896a39440db13a1b5d9f3392aa127104
Instruction Fuzzy Hash: 5AF05E32605625769F667AA6B901BEE3B49DF427B0B294626ED08D7181DF20E8C146F0

Function 00D157AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,00D1ABF2,4D88C033,?,00D1ABF2,00000220,?,00D1416F,4D88C033), ref: 00D157E0

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a0b3451b66e720339ff763de1cabcf36929b3405d7d083efc7a12b6a049a7c34
Instruction ID: 50c2aff34e1e5d4840376d7f779ab52c4f57770a4ef51d75222c124efa3852d1
Opcode Fuzzy Hash: a0b3451b66e720339ff763de1cabcf36929b3405d7d083efc7a12b6a049a7c34
Instruction Fuzzy Hash: 66E03935240B21F6E6213665B802FEB2A49DBC27B0F190111FD58961C4DF68D8D0C6F1

Non-executed Functions

Function 00C39360 Relevance: 21.6, APIs: 2, Strings: 9, Instructions: 2347injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNEL32(00000000,00000000,?,00000218,00000000), ref: 00C395E1
WriteProcessMemory.KERNEL32(?,00000218,00C39240,00000110,00000000), ref: 00C39600

Strings

type must be boolean, but is , xrefs: 00C3B369, 00C3B39A, 00C3B45B
$, xrefs: 00C3B19D
%s|%s, xrefs: 00C395BD
:, xrefs: 00C394A7
,, xrefs: 00C39ADF
., xrefs: 00C39F60
131, xrefs: 00C3959D, 00C395A4, 00C395B5
,, xrefs: 00C39A02
., xrefs: 00C3A512

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: MemoryProcessWrite
String ID: $$%s|%s$,$,$.$.$131$:$type must be boolean, but is
API String ID: 3559483778-3347632522
Opcode ID: 2873073ab1287eaee241319d2bbf5697308c8995eb37cb4f6b3b35e57ccc2c76
Instruction ID: 9611a134957a752d36f02f4e8662d592f8e941cad9d5811d1863985bb43a68d4
Opcode Fuzzy Hash: 2873073ab1287eaee241319d2bbf5697308c8995eb37cb4f6b3b35e57ccc2c76
Instruction Fuzzy Hash: B823CF70D102588FDB29DF68C898BEDBBB0EF05304F148199E459AB292DB719F84DF91

Function 00CA4D20 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4D6C
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4DAE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 00CA4DF6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4E37
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4E78
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 00CA4EB6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4EFE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 00CA4F46
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4F87
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 00CA4FCD

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: ce1d45acf9e2917cf8a39213021c350821629f7fe9def0f8170005f618f43f97
Instruction ID: 0d2df47dde116d9f96075a294d2b2792faa141f2582fedb0306e3db009d50414
Opcode Fuzzy Hash: ce1d45acf9e2917cf8a39213021c350821629f7fe9def0f8170005f618f43f97
Instruction Fuzzy Hash: E28172B0C1838D9EEF19CFA4D444AEFBBB8EF16304F50409ED841AA751E374520ADB65

Function 00C28890 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 00C2892E
GetProcAddress.KERNEL32(00000000,?), ref: 00C2893B
GetModuleHandleA.KERNEL32(?), ref: 00C289A5
GetProcAddress.KERNEL32(00000000,?), ref: 00C289AC
CloseHandle.KERNEL32(?), ref: 00C28BB2
CloseHandle.KERNEL32(?), ref: 00C28C14
CloseHandle.KERNEL32(00000000), ref: 00C28C41

Strings

File, xrefs: 00C28A93

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc
String ID: File
API String ID: 4110381430-749574446
Opcode ID: a959bc5f741e780e01aa2276051956cf881a35f8861082b51081309f84509a45
Instruction ID: e929d965855fe7179c94e1576376ee5ffb8b99a51acc574864bc7d8c2eb68c06
Opcode Fuzzy Hash: a959bc5f741e780e01aa2276051956cf881a35f8861082b51081309f84509a45
Instruction Fuzzy Hash: D0C1C170D112699FEF24DFA4DC85BEEBBB8EF05300F100059E504BB682DB749A49CB65

Function 00C28CC0 Relevance: 11.7, APIs: 2, Strings: 4, Instructions: 1151COMMON

Download Yara Rule

APIs

Process32Next.KERNEL32(00000000,?), ref: 00C28DC7

Strings

\, xrefs: 00C29038
/\/, xrefs: 00C2907A, 00C290BC
/, xrefs: 00C28FF2
exists, xrefs: 00C29A22

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: NextProcess32
String ID: /$/\/$\$exists
API String ID: 1850201408-2061510663
Opcode ID: 1ca611b26eab8498cbd0d59067e49d84f5cee0718df4a62e92776c6289f79f6f
Instruction ID: 88ffb420433e39a35b01d3d42e4a6e4fe98760d7fa9594dcc8499d9523a885d6
Opcode Fuzzy Hash: 1ca611b26eab8498cbd0d59067e49d84f5cee0718df4a62e92776c6289f79f6f
Instruction Fuzzy Hash: B5A20671D002699FCF18CFA8D8947EEBBB5EF05314F1442ADD459A7682E7305E8ACB60

Function 00D07070 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction ID: 23919712fccdf2b23e2c85dd7137c1ba6af6864d646b226dc33c70f2c9a2784a
Opcode Fuzzy Hash: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction Fuzzy Hash: 77022071E052199BDF14CFA9D8807ADBBF1FF48314F158269E919EB380D731A941CBA4

Function 00C94290 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

type must be string, but is , xrefs: 00C942F4
/Kim, xrefs: 00C94489
type must be number, but is , xrefs: 00C94421
/Kim, xrefs: 00C944A2

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 9bff4615bec79261411965aa824a35715b27b7b3517680924e606401ec6e202e
Instruction ID: 39f7183d4ce69f7fa011338d2637a447de716b88c96ffd25d2de490c439bcd24
Opcode Fuzzy Hash: 9bff4615bec79261411965aa824a35715b27b7b3517680924e606401ec6e202e
Instruction Fuzzy Hash: 87913971E001189FCB08DFACD895BEDB7A9EB48314F14826EE819D7391E7359E06CB90

Function 00C96470 Relevance: 5.0, APIs: 3, Instructions: 453COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C965E1
Concurrency::cancel_current_task.LIBCPMT ref: 00C96763

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: d89b2d818de653aaa44d1a7ae7b812e82364a980504facb64532ff4eb0cd38d7
Instruction ID: 78afaebc4d4f9bdcaec1750a95b2858c1010a8015db96932403dc42c27e5dfe4
Opcode Fuzzy Hash: d89b2d818de653aaa44d1a7ae7b812e82364a980504facb64532ff4eb0cd38d7
Instruction Fuzzy Hash: C1E1D3B1A001059FCF18DF6CC9859ADBBE5EF88310B148269E81ADB3D5E730EE51CB91

Function 00CA90B0 Relevance: 2.0, Strings: 1, Instructions: 751COMMON

Download Yara Rule

Strings

@?, xrefs: 00CA913F

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID: @?
API String ID: 0-130445511
Opcode ID: 015cf7ccceb20c27d697ebc78c6bb6a97c79c892c93c977b28b4d6205d348e14
Instruction ID: 5430fce5e6c7c1e17a4f1676f45c96efb58c752546862b43a385dbdab76528ae
Opcode Fuzzy Hash: 015cf7ccceb20c27d697ebc78c6bb6a97c79c892c93c977b28b4d6205d348e14
Instruction Fuzzy Hash: 2B628FB1E002069BDF04CF59C5856AEBBB1FF49308F2881ADD814AB392D775DA46CF91

Function 00D0AA7F Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

0, xrefs: 00D0ABEF

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 63f2e4b64d22b899263f48541cbdcccf6814e0c466ddcc6a018a8efdd4904dab
Instruction ID: d6c7741608120f019dfae9710053922e830b09aa7525ab0eca0ac6cc2cd15f1f
Opcode Fuzzy Hash: 63f2e4b64d22b899263f48541cbdcccf6814e0c466ddcc6a018a8efdd4904dab
Instruction Fuzzy Hash: 86B18B3490074A8FDB28CF6CC494BAABBB2EF05310F18461DD4AA9B6D1D730E945CB72

Function 00CFDE2D Relevance: 1.5, APIs: 1, Instructions: 28timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00D2B1A2,000000FF,?,00CFD887,?,?,?,?,00C33EF6,?,00C8350C), ref: 00CFDE65

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: 2c851b5961cc5629725f73b488b2b6987c66e599d41019044971cc0f8528064d
Instruction ID: 3839ff8eb93fe9a20f14577d5bcd52a2b119bebb71448cfd1e7107701535cd61
Opcode Fuzzy Hash: 2c851b5961cc5629725f73b488b2b6987c66e599d41019044971cc0f8528064d
Instruction Fuzzy Hash: 85F0E536A44758EFC7128F44DC00BA9B7A9F704F10F000626EC12D7380C7746D008BA1

Function 00CA1220 Relevance: .4, Instructions: 369COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 14b2aa555127b7cb1f87bd345a9fbc850021cb9a1fde34dd0dca4617e45d9ddc
Instruction ID: f74c4ab11a0b35a26d15e974990134df9c7a35d18697a919f63a8981be1f61e1
Opcode Fuzzy Hash: 14b2aa555127b7cb1f87bd345a9fbc850021cb9a1fde34dd0dca4617e45d9ddc
Instruction Fuzzy Hash: 9DE11772E1122A8FCF15CFA9D5815ADFBF1BF89314F1A42A9D815B7340D630AE45CB90

Function 00D181A4 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d09f1decbe42e5bdc5c4148c5b77afc9bc1068256c1465d4d5c2b4fa90084641
Instruction ID: d66f25821f64845c06d12de48029086c6be84206048687805e014e94c4ed39bb
Opcode Fuzzy Hash: d09f1decbe42e5bdc5c4148c5b77afc9bc1068256c1465d4d5c2b4fa90084641
Instruction Fuzzy Hash: FBB19E31510609EFD715CF28D486BA47BE0FF05364F298658E8E9CF2A1CB35E981DB50

Function 00C224F0 Relevance: .2, Instructions: 222COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f6050a3edd7f05d47d2bf4a975f08ca7a5604a4f015a33e39f6b95eac1fd891
Instruction ID: 7704a077402cbea4c6d170e4f9e979ec424045416c3ad208898e6589b12cd76a
Opcode Fuzzy Hash: 8f6050a3edd7f05d47d2bf4a975f08ca7a5604a4f015a33e39f6b95eac1fd891
Instruction Fuzzy Hash: 5D71F8B5D04666AFDB14CF69E8D0BBFBBB4EB16300F044169E96497B42C3349909D7A0

Function 00CA5CE0 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f07840e6a471821205a77ecfc5471e14ae8a9aef5a9e9dff233e8ee69453a463
Instruction ID: 936500f12d06611641a76f2f25e159a9fe38697d42f4923f9686ffbf1c0b5948
Opcode Fuzzy Hash: f07840e6a471821205a77ecfc5471e14ae8a9aef5a9e9dff233e8ee69453a463
Instruction Fuzzy Hash: 9D6120B17246698FD728CF5EFCC05363361E78A3013868279EA85CF395C535EA26D6B0

Function 00C33F10 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e394c9b314a93df443a701140626de78be947bb89033ef9021eb62f8110a376
Instruction ID: 674afa15a6a76504e397ad763a82f6cdde3bc5b5291fcc3264f9d032b876f738
Opcode Fuzzy Hash: 5e394c9b314a93df443a701140626de78be947bb89033ef9021eb62f8110a376
Instruction Fuzzy Hash: 0D51ABB1E0020A9FCB18DF98C981BEEFBB5FB48310F144569E925A7341D735AA44CBA0

Function 00D05038 Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb45bec87b737a7ea1d9f35da19df6ee9abbf0d89f9d6ca8b671d014c107286e
Instruction ID: 41c7335e926c32aae3124b19c3040bb51d39f7fdff1be41ada85033538b5ed79
Opcode Fuzzy Hash: bb45bec87b737a7ea1d9f35da19df6ee9abbf0d89f9d6ca8b671d014c107286e
Instruction Fuzzy Hash: DE518C72D00219AFDF04CF98D840BEEBBB2FF88300F198098E955AB245D7749A40CFA1

Function 00D018B0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: 4d86dec6aec91c425b2437633acee359af654495ad855682da68f51bb83ec917
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 49112B7F20019347D605866EE4B47BAE3D5EBC632172D837AD0AA4B7D8D122EA459E20

Function 00C8F590 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C8F5B3
std::_Lockit::_Lockit.LIBCPMT ref: 00C8F5D5
std::_Lockit::~_Lockit.LIBCPMT ref: 00C8F5F5
std::_Lockit::~_Lockit.LIBCPMT ref: 00C8F61F
std::_Lockit::_Lockit.LIBCPMT ref: 00C8F68D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C8F6D9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00C8F6F3
std::_Lockit::~_Lockit.LIBCPMT ref: 00C8F788
std::_Facet_Register.LIBCPMT ref: 00C8F795

Strings

P#, xrefs: 00C8F6EB, 00C8F6F2
bad locale name, xrefs: 00C8F7AF

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$P#
API String ID: 3375549084-762106057
Opcode ID: adec29a684abd2514cd257ca39444a3b4e2728f9c5b535c2221e43526ff1c4ec
Instruction ID: 04f2a6ff2bce7caab1150489d3f1c23661ce1df233b8206c20a77d00e2db4ec5
Opcode Fuzzy Hash: adec29a684abd2514cd257ca39444a3b4e2728f9c5b535c2221e43526ff1c4ec
Instruction Fuzzy Hash: 816186B1D002589BDF10EFA4D985BAEBBB4EF14314F144128F914E7391E734EA06CBA5

Function 00C8DCF0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C8DD13
std::_Lockit::_Lockit.LIBCPMT ref: 00C8DD36
std::_Lockit::~_Lockit.LIBCPMT ref: 00C8DD56
std::_Facet_Register.LIBCPMT ref: 00C8DDCB
std::_Lockit::~_Lockit.LIBCPMT ref: 00C8DDE3
Concurrency::cancel_current_task.LIBCPMT ref: 00C8DDFB

Strings

PdN, xrefs: 00C8DD25, 00C8DDDA

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID: PdN
API String ID: 2081738530-50869654
Opcode ID: 8a45a0bc2f0354c765255265bd166b9b77839e808090d42bc4b6c094774ffc28
Instruction ID: 626f0675899cab7c0d35c00dc5166ae15037c53e387a1f2bf483a3be330cb64a
Opcode Fuzzy Hash: 8a45a0bc2f0354c765255265bd166b9b77839e808090d42bc4b6c094774ffc28
Instruction Fuzzy Hash: 1731E175900329CFCB11EF44D980BAEBBB0FB01724F14425AE816A7391C730AE45CBE1

Function 00C96950 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C969A8
__floor_pentium4.LIBCMT ref: 00C96ACB

Strings

unordered_map/set too long, xrefs: 00C96B96

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__floor_pentium4
String ID: unordered_map/set too long
API String ID: 1502093491-306623848
Opcode ID: adfce5862f3b549dd515d8895654c79d9189970c84146c8af1e0b80e63069c58
Instruction ID: 8927a71b33d1120511e679aa2e38c3aa4751b7a2a79ed454f42bdd8d65de3dec
Opcode Fuzzy Hash: adfce5862f3b549dd515d8895654c79d9189970c84146c8af1e0b80e63069c58
Instruction Fuzzy Hash: 94F11771A00214DFCF14DF68C985AAEBBB5FF44310F148269E869AB385E731EE51DB90

Function 00C24BE0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 353COMMON

Download Yara Rule

Strings

: ", xrefs: 00C24CC1
", ", xrefs: 00C24CEC
recursive_directory_iterator::operator++, xrefs: 00C24EEC

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID:
String ID: ", "$: "$recursive_directory_iterator::operator++
API String ID: 0-2763324178
Opcode ID: a043ec08d0746418ecbe0c9e9dd045487b1a55683eaf29a24c69b545d498c805
Instruction ID: 1dc42e2132a55373fe0671fd064acd086ce00dcf2f37223cc4ba1b4a74c1f35a
Opcode Fuzzy Hash: a043ec08d0746418ecbe0c9e9dd045487b1a55683eaf29a24c69b545d498c805
Instruction Fuzzy Hash: 5BC114B1900214AFC718EF64E885BAEBBF8FF05710F10462DF51697B81DB74AA04DBA5

Function 00C239A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00C23A08
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00C23A54
__Getctype.LIBCPMT ref: 00C23A6A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00C23A96
std::_Lockit::~_Lockit.LIBCPMT ref: 00C23B2B

Strings

bad locale name, xrefs: 00C23B46

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: b07f7e719ebd58af48910af25d3006cfb3ea51edbed7dd085e4a523e061868da
Instruction ID: 3e26be34f3920bf16b7d08a159f6955573a9433a834c1ac4f000effb50bb62a9
Opcode Fuzzy Hash: b07f7e719ebd58af48910af25d3006cfb3ea51edbed7dd085e4a523e061868da
Instruction Fuzzy Hash: 065144B1D00258DFDF10DFD4D985B9EBBB8AF14314F184169E909AB381D779EA04CBA2

Function 00D019E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00D01A17
___except_validate_context_record.LIBVCRUNTIME ref: 00D01A1F
_ValidateLocalCookies.LIBCMT ref: 00D01AA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00D01AD3
_ValidateLocalCookies.LIBCMT ref: 00D01B28

Strings

csm, xrefs: 00D01ABD

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 019c9159650e567d97c15c377185220f03aaf72bad0e711e0287eb317477d85d
Instruction ID: 588dc92b4c2d15d3b0e628677935cc027a871821f2ca7e3cda2dd0d3c30d3058
Opcode Fuzzy Hash: 019c9159650e567d97c15c377185220f03aaf72bad0e711e0287eb317477d85d
Instruction Fuzzy Hash: 36419438A01218ABCF10DF68C885BAE7BA5FF45324F188155F8199B3D2D771DA06CBB1

Function 00C27660 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C27796
___std_exception_copy.LIBVCRUNTIME ref: 00C27931

Strings

type_error, xrefs: 00C2768A
out_of_range, xrefs: 00C27827

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: 48aa6c934616db370a1b201f500150b32f2c6d29036cc6b5ebd40df3c2ce56ab
Instruction ID: 783659a63fcc89793bd5516047a7400a1be74947b9676b182334da7353f8a338
Opcode Fuzzy Hash: 48aa6c934616db370a1b201f500150b32f2c6d29036cc6b5ebd40df3c2ce56ab
Instruction Fuzzy Hash: 8FA19FB1D002189FCB18DFA8E884BADBBF5EF49310F14822DE019E7B95D7749A44DB61

Function 00C27220 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00C2743E
___std_exception_destroy.LIBVCRUNTIME ref: 00C2744D

Strings

at line , xrefs: 00C27267
, column , xrefs: 00C272C4

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 5fc687796ace9fb8aae484ab55bdadbd1f57efe9c29485acd431dba55e06b408
Instruction ID: 51e08f5fea3529b580ff1182a14838d902d759d00ee1e0b12e31832766a27c3d
Opcode Fuzzy Hash: 5fc687796ace9fb8aae484ab55bdadbd1f57efe9c29485acd431dba55e06b408
Instruction Fuzzy Hash: 75618EB0D042189FCB18DF68E885BADFBB1FF49310F14826DE419A7782D77499819BA0

Function 00C23CC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C23E2F

Strings

ios_base::badbit set, xrefs: 00C23DC7
ios_base::eofbit set, xrefs: 00C23DF1, 00C23E13
ios_base::failbit set, xrefs: 00C23CE2

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: aeb0b8d0aece4fbbba2c5b1fa4af10043b7fabbd4bb6af600f9ba16d5b10c7e7
Instruction ID: 4a9bb57ecc202aa82f66a276248e70cbb748ec5ae5404a81ea1ec4aa4b9ccd02
Opcode Fuzzy Hash: aeb0b8d0aece4fbbba2c5b1fa4af10043b7fabbd4bb6af600f9ba16d5b10c7e7
Instruction Fuzzy Hash: 1341B4B6900258AFC704DF58E841BAEB7F8EF49710F14852EF91997741D774AA05CBA0

Function 00C23D90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C23E2F

Strings

ios_base::badbit set, xrefs: 00C23DC7
ios_base::eofbit set, xrefs: 00C23DD8, 00C23DF1, 00C23E13
ios_base::failbit set, xrefs: 00C23CE2, 00C23DCE

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: d5f9237bf77a2131fcba5507f9c3f7ae9502d0ab1e6e618f02bce65a370a5366
Instruction ID: c29496a7bacfaad1ceb4a37abe9cef0a34ee6ac184d5d71c7c7762e977978ff4
Opcode Fuzzy Hash: d5f9237bf77a2131fcba5507f9c3f7ae9502d0ab1e6e618f02bce65a370a5366
Instruction Fuzzy Hash: FE21E7B39107186FC714DF58E801B96B7E8EF55310F08886AFA6887741E774EA15CBA1

Function 00CFCF39 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 00CFCF40
std::_Lockit::_Lockit.LIBCPMT ref: 00CFCF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 00CFCFB9

Part of subcall function 00CFD09C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 00CFD0B4

std::locale::_Setgloballocale.LIBCPMT ref: 00CFCF66

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 89db6e069501a444935f3a0629f388cc2b4b11538441e3bf6599963cd2a17c48
Instruction ID: aba94f21605ca3b14b98e1352e839dcf05c970de05976600a7260c38983ae9b5
Opcode Fuzzy Hash: 89db6e069501a444935f3a0629f388cc2b4b11538441e3bf6599963cd2a17c48
Instruction Fuzzy Hash: F601DF75A0032D9BDB46EB20D89167D7B72BF94750B180009FA1297391CF346E02DBE7

Function 00C26E80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00C271A9

Strings

parse_error, xrefs: 00C26EC7
parse error, xrefs: 00C26F14

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: eb7b276d7281b5bcee3830b3825de77fdaed96a8fd3955fe44b14d345723ea3a
Instruction ID: c7ce4cd8bb7cdabc6f48564e5fc5152d7be5c0e634d5e56b66a83803c45db01e
Opcode Fuzzy Hash: eb7b276d7281b5bcee3830b3825de77fdaed96a8fd3955fe44b14d345723ea3a
Instruction Fuzzy Hash: A8B18E70D04219CFDB18CF68EC84BADBBB1FF49300F148269E419AB792D7749A85DB61

Function 00C96060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C961A6
Concurrency::cancel_current_task.LIBCPMT ref: 00C96341

Strings

Py"v, xrefs: 00C96112

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Py"v
API String ID: 118556049-2948403528
Opcode ID: e7a8cd3e906cd43a7de6ae8cd2f6c2b45c7cc15296be1d2469c0358157dc966d
Instruction ID: 6054e0f90445eea142096699bf43cc2769b58acfe79f640da2a99bc88a5e95a5
Opcode Fuzzy Hash: e7a8cd3e906cd43a7de6ae8cd2f6c2b45c7cc15296be1d2469c0358157dc966d
Instruction Fuzzy Hash: 0C81E3B2A00605AFCB08DF68DD8997EB7A5EB45310B14832DE815D73D1EB30EE55CBA1

Function 00C26C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00C26E51
___std_exception_destroy.LIBVCRUNTIME ref: 00C26E60

Strings

[json.exception., xrefs: 00C26C68

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: d64613219029a7562e8e838429f3d114631b8fd555c1a9c580699a88d9d26d17
Instruction ID: 808f2054fe7bc7a1b27e02a369516ed44f982b2a2b9b5c283181e7c95dddc3b4
Opcode Fuzzy Hash: d64613219029a7562e8e838429f3d114631b8fd555c1a9c580699a88d9d26d17
Instruction Fuzzy Hash: C971D7709002099FD718DF68E884B6DFBF5FF49310F14825DE4199BB82D774AA84DBA0

Function 00C9D630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00C9D6B0

Strings

type must be boolean, but is , xrefs: 00C9D7A2
type must be string, but is , xrefs: 00C9D718

Memory Dump Source

Source File: 00000000.00000002.3375843712.0000000000C21000.00000040.00000001.01000000.00000003.sdmp, Offset: 00C20000, based on PE: true

Associated: 00000000.00000002.3375807351.0000000000C20000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3375843712.0000000000D4E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376118583.0000000000D53000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000D57000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000EDE000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F6E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F71000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000F9E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FAD000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376159397.0000000000FBB000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3376742562.0000000000FBC000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377002468.000000000111C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3377050312.000000000111D000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_c20000_LisectAVT_2403002B_242.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: eebccfb98da04d366e154a754904eb12d9f53b5fd833430bf3222ee2a64b55f4
Instruction ID: 3af3fcbd020b995db32f36c5a1a29dea3e365135be318cdad187c3e1455cb0e5
Opcode Fuzzy Hash: eebccfb98da04d366e154a754904eb12d9f53b5fd833430bf3222ee2a64b55f4
Instruction Fuzzy Hash: 15412AB2D00248AFC700EFA8E805B9DF7A8EF14710F14457AF41AD7781E775AA54C7A2

Analysis Process: MPGPH131.exePID: 2020, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	598
Total number of Limit Nodes:	60

Executed Functions

Function 00883320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00883333
GetCursorPos.USER32(?), ref: 00883339
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00883698), ref: 008833E8
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00883698), ref: 0088349A

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: f06dc28920d391022b4d5254b4bfc1135cbcf3b442897f179f73cf5ae6c6304f
Instruction ID: 5059bb6ac6d68ad1b3483a8efe9964c29c3a315b2c54f259c7604df25767b2cc
Opcode Fuzzy Hash: f06dc28920d391022b4d5254b4bfc1135cbcf3b442897f179f73cf5ae6c6304f
Instruction Fuzzy Hash: 8151CB35A042198FCB25DF48C8D0EAEB7B1FF55B04B294099D445AB312DB31EE46CB80

Function 0083D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0083D4CB
socket.WS2_32(?,?,?), ref: 0083D57F
connect.WS2_32(00000000,?,?), ref: 0083D593
closesocket.WS2_32(00000000), ref: 0083D59E

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 02dbdd840bb1bc012a8deed0e07914d48888685b4e7ed124b902c478d4874717
Instruction ID: 35f088cbc967fa3c9d4ea0bc83f1e0e06b703c8e8a92601576cf6360a9019214
Opcode Fuzzy Hash: 02dbdd840bb1bc012a8deed0e07914d48888685b4e7ed124b902c478d4874717
Instruction Fuzzy Hash: 74318E755053006BD7209F699C89B6BB7E4FBC5338F105F19F9A8932D0E37199098B92

Function 00912FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ea240951ec3768715b290f158268c088ada7009fffc5a042b469105711ec0e
Instruction ID: 0dafc8cc022b30edde62c365eb659dfb32340796cd87cfafb54feb312dea0830
Opcode Fuzzy Hash: e3ea240951ec3768715b290f158268c088ada7009fffc5a042b469105711ec0e
Instruction Fuzzy Hash: CEB10570F0824DAFDB11EF69C881BED7BB5AF89310F548558E5119B382C7719AC2CBA0

Function 00829D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00829EA8

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a2ac1dbf719175a1d18ba90301f8c989f2902b401743bfbe551877e94c5e9117
Instruction ID: f29c7d7c7ebe2a5bc42a82c9307efc0560173c641d68d0089828b71e3f44343d
Opcode Fuzzy Hash: a2ac1dbf719175a1d18ba90301f8c989f2902b401743bfbe551877e94c5e9117
Instruction Fuzzy Hash: 426108719002149FDB14DF68EC45BAEBBA8FF45310F15816DF848DB282D7B5DA81C7A1

Function 00913E1D Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00907C57,?,00000000,00000000,00000000,?,00000000,?,00829F4B,00907C57,00000000,00829F4B,?,?), ref: 00913FA3

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e8f1d9c999dd31e7af0466c7c179d4f15009ac248bcde154c6c779d9395f459b
Instruction ID: 8902b8e7e8d8f43ab7472f84de3369a3fa18e8a9af241118b064b801edac4f39
Opcode Fuzzy Hash: e8f1d9c999dd31e7af0466c7c179d4f15009ac248bcde154c6c779d9395f459b
Instruction Fuzzy Hash: 8361C2B1E0420EAFEF11DFA8C845AEEBFB9AF49304F148595E904A7251D335DA82DB50

Function 00903512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934cc1118b9447de699d8f73b1a6599304b86ce4b433dc4ef55c5dffa635d5c0
Instruction ID: bc869308d14fe682ce434efad27e84f8e5cc30534a920c51b2d5c1c8cc1f8106
Opcode Fuzzy Hash: 934cc1118b9447de699d8f73b1a6599304b86ce4b433dc4ef55c5dffa635d5c0
Instruction Fuzzy Hash: 4251B570A00108BFDB14DF58C846AA97BB9EF89314F24C158F8499B392D332DE41DB50

Function 00913493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,0091337A,00000000,CF830579,0094B810,0000000C,00913436,0090778D,?), ref: 009134EA

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f9bfdf770c8343c56ec32a8cd237f445a0988304b092857704c3f5599112231b
Instruction ID: d55b5eadb1b19c272c60a9d20390764b2c232c4a27a0792a8b0467fada9e8ee9
Opcode Fuzzy Hash: f9bfdf770c8343c56ec32a8cd237f445a0988304b092857704c3f5599112231b
Instruction Fuzzy Hash: 82116F3371812C26D6326234A892BFE235D8BC2734F258559F9184F1D1DB629DC15280

Function 0090CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,0094B4C8,00829F4B,00000002,00829F4B,00000000,?,?,?,0090CD36,00000000,?,00829F4B,00000002,0094B4C8), ref: 0090CC69

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ca11a3ab13347f43444a33d6ba9f864dce7f4a89db92d1f57403ff87f6279409
Instruction ID: 1d8ad1ead093b973eb481f8e1bde8e1564e63bbd9eb8128b161e5f4b42b3abb6
Opcode Fuzzy Hash: ca11a3ab13347f43444a33d6ba9f864dce7f4a89db92d1f57403ff87f6279409
Instruction Fuzzy Hash: A70126726141196FDF05CF19CC55EAE3B19DB85330B240B44F855AB1D0E671ED8197D0

Function 00822D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00822DBF

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction ID: 473fc2a0b49d2e7c2d046f90962b2bdbc082f16bbc3b6476e88e143d1729a00d
Opcode Fuzzy Hash: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction Fuzzy Hash: EDF0B472500218ABCB186F74E8059F9B3A8FF24361754057AE989C7252EB26D9948781

Function 00914D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00907DC7,00000000,?,009146F9,00000001,00000364,00000000,00000006,000000FF,?,00000000,0090BE14,00907593,00907DC7,00000000), ref: 00914DB5

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b0d5d3230dff19876d911df2f21e3b6ed4a6886e9db0fc7fa92cf61cd8f84e96
Instruction ID: 442ab15acf554aaa9348adbade78dbf5dd3e10383f397556d6ae34cec107f758
Opcode Fuzzy Hash: b0d5d3230dff19876d911df2f21e3b6ed4a6886e9db0fc7fa92cf61cd8f84e96
Instruction Fuzzy Hash: D7F0BE3934422D669F227AA2B801BEA374DDF8A7B0F254625EC18960C1CB20F8C146E0

Function 009157AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0091ABF2,4D88C033,?,0091ABF2,00000220,?,0091416F,4D88C033), ref: 009157E0

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a072f3c1657c4a7adbbff39ef0cecf711989a24365ff1555a10cccf0ddfa1c6d
Instruction ID: 3bbfd32a7f6ad1d5eaded1873cd519ae5a61ef63a3f472520231ef8157e9e5aa
Opcode Fuzzy Hash: a072f3c1657c4a7adbbff39ef0cecf711989a24365ff1555a10cccf0ddfa1c6d
Instruction Fuzzy Hash: 78E03931314B29E6E62136665902FEB2A4DDBC27B0F170511ED29960C0DB6498C086F1

Non-executed Functions

Function 008A4D20 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4D6C
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4DAE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4DF6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4E37
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4E78
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4EB6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4EFE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4F46
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4F87
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4FCD

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 16917071bb3ede117609a139723471ecca915a05d31d4e780ae5c14dd2a35648
Instruction ID: 2569a414de2ee84eac9b327edc3f33cee247a22069eece0523cd05000bd80107
Opcode Fuzzy Hash: 16917071bb3ede117609a139723471ecca915a05d31d4e780ae5c14dd2a35648
Instruction Fuzzy Hash: 118162B0C1C38DAEEF19CFA8D445AEEBBB8EF16304F50409ED841AB651E3745209DB65

Function 00828890 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 0082892E
GetProcAddress.KERNEL32(00000000,?), ref: 0082893B
GetModuleHandleA.KERNEL32(?), ref: 008289A5
GetProcAddress.KERNEL32(00000000,?), ref: 008289AC
CloseHandle.KERNEL32(?), ref: 00828BB2
CloseHandle.KERNEL32(?), ref: 00828C14
CloseHandle.KERNEL32(00000000), ref: 00828C41

Strings

File, xrefs: 00828A93

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc
String ID: File
API String ID: 4110381430-749574446
Opcode ID: ef298c713191e9957478d590150846e0a948a3b6c25727de40aaec925d7432a5
Instruction ID: 351c63535d3176480f57891a05d43a999cc06f8b1104d6045841cbd1fdcff33d
Opcode Fuzzy Hash: ef298c713191e9957478d590150846e0a948a3b6c25727de40aaec925d7432a5
Instruction Fuzzy Hash: 06C1AE70905269DFEF24CBA4DC85BAEBBB8FF05300F144069E504EB282DB759985CB65

Function 00907070 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction ID: 20f07ce67db929d53c4cc8f92cd4cf07f51eebd879b1d91e5d944c97b3d6d119
Opcode Fuzzy Hash: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction Fuzzy Hash: 27022B71E052199FDF14CFA9D8806AEFBF5FF48324F248669E919E7380D731A9418B90

Function 0088F590 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0088F5B3
std::_Lockit::_Lockit.LIBCPMT ref: 0088F5D5
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F5F5
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F61F
std::_Lockit::_Lockit.LIBCPMT ref: 0088F68D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0088F6D9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0088F6F3
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F788
std::_Facet_Register.LIBCPMT ref: 0088F795

Strings

bad locale name, xrefs: 0088F7AF
P#, xrefs: 0088F6EB, 0088F6F2

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$P#
API String ID: 3375549084-762106057
Opcode ID: ddc705bce0d7f527e981eb75e9ae6584dbaa4f12a942b78b09b08fe42a1abd61
Instruction ID: 7b54c195029383a8384cb886fa2fe78e67ce3c2442888853d1208da2f036331c
Opcode Fuzzy Hash: ddc705bce0d7f527e981eb75e9ae6584dbaa4f12a942b78b09b08fe42a1abd61
Instruction Fuzzy Hash: 976142B1D002489BDB10EFA8D945B9EBBB4FF54314F194168EA04E7392E735E905CBA2

Function 00896950 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008969A8
__floor_pentium4.LIBCMT ref: 00896ACB

Strings

unordered_map/set too long, xrefs: 00896B96

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__floor_pentium4
String ID: unordered_map/set too long
API String ID: 1502093491-306623848
Opcode ID: c3b215518d4feae5533ce5f328ebba8e2e5a736c9d51b792d1dcc5d02bc1b29c
Instruction ID: e5897c7b9650ab79ed7038a8f19c67ccb4f8ebf846e671138f473f2cb08efdb5
Opcode Fuzzy Hash: c3b215518d4feae5533ce5f328ebba8e2e5a736c9d51b792d1dcc5d02bc1b29c
Instruction Fuzzy Hash: 18F1F871A00218DFCF14EF58C5416AEB7B5FF44354F288269E815EB285E731ED61CB91

Function 00824BE0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 353COMMON

Download Yara Rule

Strings

recursive_directory_iterator::operator++, xrefs: 00824EEC
: ", xrefs: 00824CC1
", ", xrefs: 00824CEC

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: ", "$: "$recursive_directory_iterator::operator++
API String ID: 0-2763324178
Opcode ID: 81f1060d6387760c66a9080d2aec7c5e1a24da31d7af9e9377acef4b9a4b3a4a
Instruction ID: 0ad32d7731ae22d4411274a02b5c468fd20e336968419fdf986ccd6fad822cbd
Opcode Fuzzy Hash: 81f1060d6387760c66a9080d2aec7c5e1a24da31d7af9e9377acef4b9a4b3a4a
Instruction Fuzzy Hash: B6C1D0B1900614AFD728EF68E845BAEBBF8FF04710F10462DF516D7681DB74AA44CBA1

Function 008239A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00823A08
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00823A54
__Getctype.LIBCPMT ref: 00823A6A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00823A96
std::_Lockit::~_Lockit.LIBCPMT ref: 00823B2B

Strings

bad locale name, xrefs: 00823B46

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7a80625702d55ae32dc3a25cb93bfd9377d36d2e92097448865a4ea1c8d128f7
Instruction ID: e228040b93c7c91504ba4427e9abf1ce8d905fee1efa5e8a0d9794895d58903a
Opcode Fuzzy Hash: 7a80625702d55ae32dc3a25cb93bfd9377d36d2e92097448865a4ea1c8d128f7
Instruction Fuzzy Hash: DE5152B1D002589FDB10DFA8D855B9EBBB8FF14314F144069E909EB381D779DA44CB92

Function 009019E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00901A17
___except_validate_context_record.LIBVCRUNTIME ref: 00901A1F
_ValidateLocalCookies.LIBCMT ref: 00901AA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00901AD3
_ValidateLocalCookies.LIBCMT ref: 00901B28

Strings

csm, xrefs: 00901ABD

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9cda3a15b2874522081e198639dd7c57f8e1fbb86036cc7fd3410fc955376c72
Instruction ID: 09cd776f905c1b58851c7ec3414efc61c6c9501343187b6e983ded7df59e3772
Opcode Fuzzy Hash: 9cda3a15b2874522081e198639dd7c57f8e1fbb86036cc7fd3410fc955376c72
Instruction Fuzzy Hash: 5841BF34A01208AFCF10DFA8C885B9EBBB9BF85324F148555F8199B3D2D771EA45CB91

Function 0088DCF0 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0088DD13
std::_Lockit::_Lockit.LIBCPMT ref: 0088DD36
std::_Lockit::~_Lockit.LIBCPMT ref: 0088DD56
std::_Facet_Register.LIBCPMT ref: 0088DDCB
std::_Lockit::~_Lockit.LIBCPMT ref: 0088DDE3
Concurrency::cancel_current_task.LIBCPMT ref: 0088DDFB

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: dba012179bdedbe7eec67d7cfe982e1e4fa32f4455f8e4c38c02bfa18d165bd6
Instruction ID: d3cd25d69e548b68423512bcb8509a9069386b34c49a7e9c150cc417d0b59ef7
Opcode Fuzzy Hash: dba012179bdedbe7eec67d7cfe982e1e4fa32f4455f8e4c38c02bfa18d165bd6
Instruction Fuzzy Hash: D531AD71900319DFCB25EF58D980BAEBBB4FB44720F148659E909A7391D730AE41CBD2

Function 00827660 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00827796
___std_exception_copy.LIBVCRUNTIME ref: 00827931

Strings

out_of_range, xrefs: 00827827
type_error, xrefs: 0082768A

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: e1e85dc0ff1dcbe18de36f270c21efa943358aa7d416736f9575b1902ff136a8
Instruction ID: 37f1acb43210a1f89ceaf0ebb026c7aff527adc1d6d279654fd9ce6fa92e4158
Opcode Fuzzy Hash: e1e85dc0ff1dcbe18de36f270c21efa943358aa7d416736f9575b1902ff136a8
Instruction Fuzzy Hash: ABA189B19042189FCB18DFA8E884BADBBF5FF48310F148229E059EB795E7749984CB51

Function 00827220 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0082743E
___std_exception_destroy.LIBVCRUNTIME ref: 0082744D

Strings

at line , xrefs: 00827267
, column , xrefs: 008272C4

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: d31647f921070f8d30a1f2d6d7f61d7e6693aa90f4b1113fd1d9e72377097448
Instruction ID: 1ae014ae8d295f14c8d11a5d71ad2e31690c5027f6c2985d37876cc3ecd4a066
Opcode Fuzzy Hash: d31647f921070f8d30a1f2d6d7f61d7e6693aa90f4b1113fd1d9e72377097448
Instruction Fuzzy Hash: 46617AB0E042189FDB18DF68E884BADBBF1FB49310F14826DE419E7786D77499808B94

Function 00823CC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00823E2F

Strings

ios_base::badbit set, xrefs: 00823DC7
ios_base::failbit set, xrefs: 00823CE2
ios_base::eofbit set, xrefs: 00823DF1, 00823E13

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e3c2994491292e3253bcaf5ec721d4c693b2ffbf3e476a8de7ba3be8498470e7
Instruction ID: 6f22e3230b9593a0080b45f7ab06ff63cbe66b8cddaf995f7c77b65a1e484264
Opcode Fuzzy Hash: e3c2994491292e3253bcaf5ec721d4c693b2ffbf3e476a8de7ba3be8498470e7
Instruction Fuzzy Hash: 7441C4B2900218AFC714DF68E851BEAB7F8FF48310F14852AF919D7641E774AA44CBA1

Function 00823D90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00823E2F

Strings

ios_base::badbit set, xrefs: 00823DC7
ios_base::failbit set, xrefs: 00823CE2, 00823DCE
ios_base::eofbit set, xrefs: 00823DD8, 00823DF1, 00823E13

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 544584d240b00bc8357678f909cbdb413f5f82ab91f73ce18aae5158f54223f7
Instruction ID: 0ac1b85fe92f6ff8f2546d4d1fb930bafd287e4cd4dfda1d500137c25e9a9e3d
Opcode Fuzzy Hash: 544584d240b00bc8357678f909cbdb413f5f82ab91f73ce18aae5158f54223f7
Instruction Fuzzy Hash: 3D21A5B29007286FC714DF58E811B96B7E8FF04310F18886AFA58D7681E774EA54CB91

Function 008FCF39 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FCF40
std::_Lockit::_Lockit.LIBCPMT ref: 008FCF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 008FCFB9

Part of subcall function 008FD09C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008FD0B4

std::locale::_Setgloballocale.LIBCPMT ref: 008FCF66

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 004b179a56f36d14e8de2a229c63300246ef87a202ec91829530006f4072754f
Instruction ID: 30d59514004b32a653b7665fb43f7d7d28afd4c229d522161da0f4f509920e9e
Opcode Fuzzy Hash: 004b179a56f36d14e8de2a229c63300246ef87a202ec91829530006f4072754f
Instruction Fuzzy Hash: E101B875A053299BCB06EB34D85167D7BA2FF84750B180009EA01973A2CF386E02DBC6

Function 00826E80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 008271A9

Strings

parse_error, xrefs: 00826EC7
parse error, xrefs: 00826F14

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 981316015ba5343b165d9542da5100b4182d74a27b544084ba649e66fc177c98
Instruction ID: cb221d67a883d262f1e1400f228f0ccaeb4853dc9e9a151971d6c4e8a822de76
Opcode Fuzzy Hash: 981316015ba5343b165d9542da5100b4182d74a27b544084ba649e66fc177c98
Instruction Fuzzy Hash: EBB17D70D042198FDB18CF68EC84BADBBB1FF49310F148269E019EB792D7749A85CB91

Function 00896060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008961A6
Concurrency::cancel_current_task.LIBCPMT ref: 00896341

Strings

Py"v, xrefs: 00896112

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Py"v
API String ID: 118556049-2948403528
Opcode ID: c7342fc91b0e48d358dcb7bb4eaa3d37a23a5ffae483882c6c78599f48bc2e25
Instruction ID: e89728f975fae6b4e30b9718f86984bc36aacacc1b33111f1e45b007ba8b111d
Opcode Fuzzy Hash: c7342fc91b0e48d358dcb7bb4eaa3d37a23a5ffae483882c6c78599f48bc2e25
Instruction Fuzzy Hash: BD810372A00205AFCB08EF6CDD8196EB7A5FB85310B18832CE815D7391E730EE65CB91

Function 00826C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00826E51
___std_exception_destroy.LIBVCRUNTIME ref: 00826E60

Strings

[json.exception., xrefs: 00826C68

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 3df6906ccb5ef33b8b7d2eae077f9a706897bfd70a520094cc8e6d9bc031c9ae
Instruction ID: 58dbc1c5af74ffc14753f73936435a4f9975bc1b926fddaa691256ee5c0293ac
Opcode Fuzzy Hash: 3df6906ccb5ef33b8b7d2eae077f9a706897bfd70a520094cc8e6d9bc031c9ae
Instruction Fuzzy Hash: 1171B1B4A002099FDB18DF68E884BADFBF5FF48310F248259E419DB781D774A990CB91

Function 0089D630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0089D6B0

Strings

type must be string, but is , xrefs: 0089D718
type must be boolean, but is , xrefs: 0089D7A2

Memory Dump Source

Source File: 00000006.00000002.3375371093.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000006.00000002.3375327883.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375371093.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375631164.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3375661862.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376276910.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376516857.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000006.00000002.3376587417.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: f6f121f828c918919976ecd49bd337efa929f52bd630c926361b201ca5b6eb76
Instruction ID: 6e692840975c399fdde69c6e023a9633b7fdaf5eb466ca79a4b95d979d311408
Opcode Fuzzy Hash: f6f121f828c918919976ecd49bd337efa929f52bd630c926361b201ca5b6eb76
Instruction Fuzzy Hash: AC4125B2900208AFCB00EBACE801B9DB7A8FB54310F14817AE519D7781EB35A940C7D6

Analysis Process: MPGPH131.exePID: 500, Parent PID: 1064COMMON

Execution Graph

Execution Coverage:	3.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	640
Total number of Limit Nodes:	67

Executed Functions

Function 00883320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 00883333
GetCursorPos.USER32(?), ref: 00883339
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00883698), ref: 008833E8
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00883698), ref: 0088349A

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: f06dc28920d391022b4d5254b4bfc1135cbcf3b442897f179f73cf5ae6c6304f
Instruction ID: 5059bb6ac6d68ad1b3483a8efe9964c29c3a315b2c54f259c7604df25767b2cc
Opcode Fuzzy Hash: f06dc28920d391022b4d5254b4bfc1135cbcf3b442897f179f73cf5ae6c6304f
Instruction Fuzzy Hash: 8151CB35A042198FCB25DF48C8D0EAEB7B1FF55B04B294099D445AB312DB31EE46CB80

Function 0083D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0083D4CB
socket.WS2_32(?,?,?), ref: 0083D57F
connect.WS2_32(00000000,?,?), ref: 0083D593
closesocket.WS2_32(00000000), ref: 0083D59E

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 02dbdd840bb1bc012a8deed0e07914d48888685b4e7ed124b902c478d4874717
Instruction ID: 35f088cbc967fa3c9d4ea0bc83f1e0e06b703c8e8a92601576cf6360a9019214
Opcode Fuzzy Hash: 02dbdd840bb1bc012a8deed0e07914d48888685b4e7ed124b902c478d4874717
Instruction Fuzzy Hash: 74318E755053006BD7209F699C89B6BB7E4FBC5338F105F19F9A8932D0E37199098B92

Function 00912FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e3ea240951ec3768715b290f158268c088ada7009fffc5a042b469105711ec0e
Instruction ID: 0dafc8cc022b30edde62c365eb659dfb32340796cd87cfafb54feb312dea0830
Opcode Fuzzy Hash: e3ea240951ec3768715b290f158268c088ada7009fffc5a042b469105711ec0e
Instruction Fuzzy Hash: CEB10570F0824DAFDB11EF69C881BED7BB5AF89310F548558E5119B382C7719AC2CBA0

Function 00829D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00829EA8

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: a2ac1dbf719175a1d18ba90301f8c989f2902b401743bfbe551877e94c5e9117
Instruction ID: f29c7d7c7ebe2a5bc42a82c9307efc0560173c641d68d0089828b71e3f44343d
Opcode Fuzzy Hash: a2ac1dbf719175a1d18ba90301f8c989f2902b401743bfbe551877e94c5e9117
Instruction Fuzzy Hash: 426108719002149FDB14DF68EC45BAEBBA8FF45310F15816DF848DB282D7B5DA81C7A1

Function 00913E1D Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00907C57,?,00000000,00000000,00000000,?,00000000,?,00829F4B,00907C57,00000000,00829F4B,?,?), ref: 00913FA3

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: e8f1d9c999dd31e7af0466c7c179d4f15009ac248bcde154c6c779d9395f459b
Instruction ID: 8902b8e7e8d8f43ab7472f84de3369a3fa18e8a9af241118b064b801edac4f39
Opcode Fuzzy Hash: e8f1d9c999dd31e7af0466c7c179d4f15009ac248bcde154c6c779d9395f459b
Instruction Fuzzy Hash: 8361C2B1E0420EAFEF11DFA8C845AEEBFB9AF49304F148595E904A7251D335DA82DB50

Function 00903512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 934cc1118b9447de699d8f73b1a6599304b86ce4b433dc4ef55c5dffa635d5c0
Instruction ID: bc869308d14fe682ce434efad27e84f8e5cc30534a920c51b2d5c1c8cc1f8106
Opcode Fuzzy Hash: 934cc1118b9447de699d8f73b1a6599304b86ce4b433dc4ef55c5dffa635d5c0
Instruction Fuzzy Hash: 4251B570A00108BFDB14DF58C846AA97BB9EF89314F24C158F8499B392D332DE41DB50

Function 00913493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,0091337A,00000000,CF830579,0094B810,0000000C,00913436,0090778D,?), ref: 009134EA

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: f9bfdf770c8343c56ec32a8cd237f445a0988304b092857704c3f5599112231b
Instruction ID: d55b5eadb1b19c272c60a9d20390764b2c232c4a27a0792a8b0467fada9e8ee9
Opcode Fuzzy Hash: f9bfdf770c8343c56ec32a8cd237f445a0988304b092857704c3f5599112231b
Instruction Fuzzy Hash: 82116F3371812C26D6326234A892BFE235D8BC2734F258559F9184F1D1DB629DC15280

Function 0090CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,0094B4C8,00829F4B,00000002,00829F4B,00000000,?,?,?,0090CD36,00000000,?,00829F4B,00000002,0094B4C8), ref: 0090CC69

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: ca11a3ab13347f43444a33d6ba9f864dce7f4a89db92d1f57403ff87f6279409
Instruction ID: 1d8ad1ead093b973eb481f8e1bde8e1564e63bbd9eb8128b161e5f4b42b3abb6
Opcode Fuzzy Hash: ca11a3ab13347f43444a33d6ba9f864dce7f4a89db92d1f57403ff87f6279409
Instruction Fuzzy Hash: A70126726141196FDF05CF19CC55EAE3B19DB85330B240B44F855AB1D0E671ED8197D0

Function 00822D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00822DBF

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction ID: 473fc2a0b49d2e7c2d046f90962b2bdbc082f16bbc3b6476e88e143d1729a00d
Opcode Fuzzy Hash: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction Fuzzy Hash: EDF0B472500218ABCB186F74E8059F9B3A8FF24361754057AE989C7252EB26D9948781

Function 00914D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00907DC7,00000000,?,009146F9,00000001,00000364,00000000,00000006,000000FF,?,00000000,0090BE14,00907593,00907DC7,00000000), ref: 00914DB5

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b0d5d3230dff19876d911df2f21e3b6ed4a6886e9db0fc7fa92cf61cd8f84e96
Instruction ID: 442ab15acf554aaa9348adbade78dbf5dd3e10383f397556d6ae34cec107f758
Opcode Fuzzy Hash: b0d5d3230dff19876d911df2f21e3b6ed4a6886e9db0fc7fa92cf61cd8f84e96
Instruction Fuzzy Hash: D7F0BE3934422D669F227AA2B801BEA374DDF8A7B0F254625EC18960C1CB20F8C146E0

Function 009157AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0091ABF2,4D88C033,?,0091ABF2,00000220,?,0091416F,4D88C033), ref: 009157E0

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: a072f3c1657c4a7adbbff39ef0cecf711989a24365ff1555a10cccf0ddfa1c6d
Instruction ID: 3bbfd32a7f6ad1d5eaded1873cd519ae5a61ef63a3f472520231ef8157e9e5aa
Opcode Fuzzy Hash: a072f3c1657c4a7adbbff39ef0cecf711989a24365ff1555a10cccf0ddfa1c6d
Instruction Fuzzy Hash: 78E03931314B29E6E62136665902FEB2A4DDBC27B0F170511ED29960C0DB6498C086F1

Non-executed Functions

Function 008A4D20 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4D6C
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4DAE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4DF6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4E37
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4E78
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4EB6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4EFE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 008A4F46
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4F87
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 008A4FCD

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 16917071bb3ede117609a139723471ecca915a05d31d4e780ae5c14dd2a35648
Instruction ID: 2569a414de2ee84eac9b327edc3f33cee247a22069eece0523cd05000bd80107
Opcode Fuzzy Hash: 16917071bb3ede117609a139723471ecca915a05d31d4e780ae5c14dd2a35648
Instruction Fuzzy Hash: 118162B0C1C38DAEEF19CFA8D445AEEBBB8EF16304F50409ED841AB651E3745209DB65

Function 00828890 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 0082892E
GetProcAddress.KERNEL32(00000000,?), ref: 0082893B
GetModuleHandleA.KERNEL32(?), ref: 008289A5
GetProcAddress.KERNEL32(00000000,?), ref: 008289AC
CloseHandle.KERNEL32(?), ref: 00828BB2
CloseHandle.KERNEL32(?), ref: 00828C14
CloseHandle.KERNEL32(00000000), ref: 00828C41

Strings

File, xrefs: 00828A93

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc
String ID: File
API String ID: 4110381430-749574446
Opcode ID: ef298c713191e9957478d590150846e0a948a3b6c25727de40aaec925d7432a5
Instruction ID: 351c63535d3176480f57891a05d43a999cc06f8b1104d6045841cbd1fdcff33d
Opcode Fuzzy Hash: ef298c713191e9957478d590150846e0a948a3b6c25727de40aaec925d7432a5
Instruction Fuzzy Hash: 06C1AE70905269DFEF24CBA4DC85BAEBBB8FF05300F144069E504EB282DB759985CB65

Function 00907070 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction ID: 20f07ce67db929d53c4cc8f92cd4cf07f51eebd879b1d91e5d944c97b3d6d119
Opcode Fuzzy Hash: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction Fuzzy Hash: 27022B71E052199FDF14CFA9D8806AEFBF5FF48324F248669E919E7380D731A9418B90

Function 0088F590 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0088F5B3
std::_Lockit::_Lockit.LIBCPMT ref: 0088F5D5
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F5F5
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F61F
std::_Lockit::_Lockit.LIBCPMT ref: 0088F68D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0088F6D9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0088F6F3
std::_Lockit::~_Lockit.LIBCPMT ref: 0088F788
std::_Facet_Register.LIBCPMT ref: 0088F795

Strings

bad locale name, xrefs: 0088F7AF
P#, xrefs: 0088F6EB, 0088F6F2

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$P#
API String ID: 3375549084-762106057
Opcode ID: ddc705bce0d7f527e981eb75e9ae6584dbaa4f12a942b78b09b08fe42a1abd61
Instruction ID: 7b54c195029383a8384cb886fa2fe78e67ce3c2442888853d1208da2f036331c
Opcode Fuzzy Hash: ddc705bce0d7f527e981eb75e9ae6584dbaa4f12a942b78b09b08fe42a1abd61
Instruction Fuzzy Hash: 976142B1D002489BDB10EFA8D945B9EBBB4FF54314F194168EA04E7392E735E905CBA2

Function 00896950 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008969A8
__floor_pentium4.LIBCMT ref: 00896ACB

Strings

unordered_map/set too long, xrefs: 00896B96

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__floor_pentium4
String ID: unordered_map/set too long
API String ID: 1502093491-306623848
Opcode ID: c3b215518d4feae5533ce5f328ebba8e2e5a736c9d51b792d1dcc5d02bc1b29c
Instruction ID: e5897c7b9650ab79ed7038a8f19c67ccb4f8ebf846e671138f473f2cb08efdb5
Opcode Fuzzy Hash: c3b215518d4feae5533ce5f328ebba8e2e5a736c9d51b792d1dcc5d02bc1b29c
Instruction Fuzzy Hash: 18F1F871A00218DFCF14EF58C5416AEB7B5FF44354F288269E815EB285E731ED61CB91

Function 00824BE0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 353COMMON

Download Yara Rule

Strings

recursive_directory_iterator::operator++, xrefs: 00824EEC
: ", xrefs: 00824CC1
", ", xrefs: 00824CEC

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID: ", "$: "$recursive_directory_iterator::operator++
API String ID: 0-2763324178
Opcode ID: 81f1060d6387760c66a9080d2aec7c5e1a24da31d7af9e9377acef4b9a4b3a4a
Instruction ID: 0ad32d7731ae22d4411274a02b5c468fd20e336968419fdf986ccd6fad822cbd
Opcode Fuzzy Hash: 81f1060d6387760c66a9080d2aec7c5e1a24da31d7af9e9377acef4b9a4b3a4a
Instruction Fuzzy Hash: B6C1D0B1900614AFD728EF68E845BAEBBF8FF04710F10462DF516D7681DB74AA44CBA1

Function 008239A0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00823A08
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00823A54
__Getctype.LIBCPMT ref: 00823A6A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00823A96
std::_Lockit::~_Lockit.LIBCPMT ref: 00823B2B

Strings

bad locale name, xrefs: 00823B46

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7a80625702d55ae32dc3a25cb93bfd9377d36d2e92097448865a4ea1c8d128f7
Instruction ID: e228040b93c7c91504ba4427e9abf1ce8d905fee1efa5e8a0d9794895d58903a
Opcode Fuzzy Hash: 7a80625702d55ae32dc3a25cb93bfd9377d36d2e92097448865a4ea1c8d128f7
Instruction Fuzzy Hash: DE5152B1D002589FDB10DFA8D855B9EBBB8FF14314F144069E909EB381D779DA44CB92

Function 009019E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00901A17
___except_validate_context_record.LIBVCRUNTIME ref: 00901A1F
_ValidateLocalCookies.LIBCMT ref: 00901AA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00901AD3
_ValidateLocalCookies.LIBCMT ref: 00901B28

Strings

csm, xrefs: 00901ABD

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 9cda3a15b2874522081e198639dd7c57f8e1fbb86036cc7fd3410fc955376c72
Instruction ID: 09cd776f905c1b58851c7ec3414efc61c6c9501343187b6e983ded7df59e3772
Opcode Fuzzy Hash: 9cda3a15b2874522081e198639dd7c57f8e1fbb86036cc7fd3410fc955376c72
Instruction Fuzzy Hash: 5841BF34A01208AFCF10DFA8C885B9EBBB9BF85324F148555F8199B3D2D771EA45CB91

Function 0088DCF0 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0088DD13
std::_Lockit::_Lockit.LIBCPMT ref: 0088DD36
std::_Lockit::~_Lockit.LIBCPMT ref: 0088DD56
std::_Facet_Register.LIBCPMT ref: 0088DDCB
std::_Lockit::~_Lockit.LIBCPMT ref: 0088DDE3
Concurrency::cancel_current_task.LIBCPMT ref: 0088DDFB

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: dba012179bdedbe7eec67d7cfe982e1e4fa32f4455f8e4c38c02bfa18d165bd6
Instruction ID: d3cd25d69e548b68423512bcb8509a9069386b34c49a7e9c150cc417d0b59ef7
Opcode Fuzzy Hash: dba012179bdedbe7eec67d7cfe982e1e4fa32f4455f8e4c38c02bfa18d165bd6
Instruction Fuzzy Hash: D531AD71900319DFCB25EF58D980BAEBBB4FB44720F148659E909A7391D730AE41CBD2

Function 00827660 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 276COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00827796
___std_exception_copy.LIBVCRUNTIME ref: 00827931

Strings

type_error, xrefs: 0082768A
out_of_range, xrefs: 00827827

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: e1e85dc0ff1dcbe18de36f270c21efa943358aa7d416736f9575b1902ff136a8
Instruction ID: 37f1acb43210a1f89ceaf0ebb026c7aff527adc1d6d279654fd9ce6fa92e4158
Opcode Fuzzy Hash: e1e85dc0ff1dcbe18de36f270c21efa943358aa7d416736f9575b1902ff136a8
Instruction Fuzzy Hash: ABA189B19042189FCB18DFA8E884BADBBF5FF48310F148229E059EB795E7749984CB51

Function 00827220 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0082743E
___std_exception_destroy.LIBVCRUNTIME ref: 0082744D

Strings

at line , xrefs: 00827267
, column , xrefs: 008272C4

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: d31647f921070f8d30a1f2d6d7f61d7e6693aa90f4b1113fd1d9e72377097448
Instruction ID: 1ae014ae8d295f14c8d11a5d71ad2e31690c5027f6c2985d37876cc3ecd4a066
Opcode Fuzzy Hash: d31647f921070f8d30a1f2d6d7f61d7e6693aa90f4b1113fd1d9e72377097448
Instruction Fuzzy Hash: 46617AB0E042189FDB18DF68E884BADBBF1FB49310F14826DE419E7786D77499808B94

Function 00823CC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00823E2F

Strings

ios_base::badbit set, xrefs: 00823DC7
ios_base::eofbit set, xrefs: 00823DF1, 00823E13
ios_base::failbit set, xrefs: 00823CE2

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e3c2994491292e3253bcaf5ec721d4c693b2ffbf3e476a8de7ba3be8498470e7
Instruction ID: 6f22e3230b9593a0080b45f7ab06ff63cbe66b8cddaf995f7c77b65a1e484264
Opcode Fuzzy Hash: e3c2994491292e3253bcaf5ec721d4c693b2ffbf3e476a8de7ba3be8498470e7
Instruction Fuzzy Hash: 7441C4B2900218AFC714DF68E851BEAB7F8FF48310F14852AF919D7641E774AA44CBA1

Function 00823D90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00823E2F

Strings

ios_base::badbit set, xrefs: 00823DC7
ios_base::eofbit set, xrefs: 00823DD8, 00823DF1, 00823E13
ios_base::failbit set, xrefs: 00823CE2, 00823DCE

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 544584d240b00bc8357678f909cbdb413f5f82ab91f73ce18aae5158f54223f7
Instruction ID: 0ac1b85fe92f6ff8f2546d4d1fb930bafd287e4cd4dfda1d500137c25e9a9e3d
Opcode Fuzzy Hash: 544584d240b00bc8357678f909cbdb413f5f82ab91f73ce18aae5158f54223f7
Instruction Fuzzy Hash: 3D21A5B29007286FC714DF58E811B96B7E8FF04310F18886AFA58D7681E774EA54CB91

Function 008FCF39 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 008FCF40
std::_Lockit::_Lockit.LIBCPMT ref: 008FCF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 008FCFB9

Part of subcall function 008FD09C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 008FD0B4

std::locale::_Setgloballocale.LIBCPMT ref: 008FCF66

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 004b179a56f36d14e8de2a229c63300246ef87a202ec91829530006f4072754f
Instruction ID: 30d59514004b32a653b7665fb43f7d7d28afd4c229d522161da0f4f509920e9e
Opcode Fuzzy Hash: 004b179a56f36d14e8de2a229c63300246ef87a202ec91829530006f4072754f
Instruction Fuzzy Hash: E101B875A053299BCB06EB34D85167D7BA2FF84750B180009EA01973A2CF386E02DBC6

Function 00826E80 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 284COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 008271A9

Strings

parse error, xrefs: 00826F14
parse_error, xrefs: 00826EC7

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 981316015ba5343b165d9542da5100b4182d74a27b544084ba649e66fc177c98
Instruction ID: cb221d67a883d262f1e1400f228f0ccaeb4853dc9e9a151971d6c4e8a822de76
Opcode Fuzzy Hash: 981316015ba5343b165d9542da5100b4182d74a27b544084ba649e66fc177c98
Instruction Fuzzy Hash: EBB17D70D042198FDB18CF68EC84BADBBB1FF49310F148269E019EB792D7749A85CB91

Function 00896060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 008961A6
Concurrency::cancel_current_task.LIBCPMT ref: 00896341

Strings

Py"v, xrefs: 00896112

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Py"v
API String ID: 118556049-2948403528
Opcode ID: c7342fc91b0e48d358dcb7bb4eaa3d37a23a5ffae483882c6c78599f48bc2e25
Instruction ID: e89728f975fae6b4e30b9718f86984bc36aacacc1b33111f1e45b007ba8b111d
Opcode Fuzzy Hash: c7342fc91b0e48d358dcb7bb4eaa3d37a23a5ffae483882c6c78599f48bc2e25
Instruction Fuzzy Hash: BD810372A00205AFCB08EF6CDD8196EB7A5FB85310B18832CE815D7391E730EE65CB91

Function 00826C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00826E51
___std_exception_destroy.LIBVCRUNTIME ref: 00826E60

Strings

[json.exception., xrefs: 00826C68

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 3df6906ccb5ef33b8b7d2eae077f9a706897bfd70a520094cc8e6d9bc031c9ae
Instruction ID: 58dbc1c5af74ffc14753f73936435a4f9975bc1b926fddaa691256ee5c0293ac
Opcode Fuzzy Hash: 3df6906ccb5ef33b8b7d2eae077f9a706897bfd70a520094cc8e6d9bc031c9ae
Instruction Fuzzy Hash: 1171B1B4A002099FDB18DF68E884BADFBF5FF48310F248259E419DB781D774A990CB91

Function 0089D630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0089D6B0

Strings

type must be boolean, but is , xrefs: 0089D7A2
type must be string, but is , xrefs: 0089D718

Memory Dump Source

Source File: 00000007.00000002.3375363971.0000000000821000.00000040.00000001.01000000.00000004.sdmp, Offset: 00820000, based on PE: true

Associated: 00000007.00000002.3375329300.0000000000820000.00000004.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375363971.000000000094E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375549813.0000000000953000.00000008.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000957000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000ADE000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B6E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B71000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000B9E000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BAD000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3375585687.0000000000BBB000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376129085.0000000000BBC000.00000080.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376340860.0000000000D1C000.00000040.00000001.01000000.00000004.sdmpDownload File
Associated: 00000007.00000002.3376372410.0000000000D1D000.00000080.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_820000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: f6f121f828c918919976ecd49bd337efa929f52bd630c926361b201ca5b6eb76
Instruction ID: 6e692840975c399fdde69c6e023a9633b7fdaf5eb466ca79a4b95d979d311408
Opcode Fuzzy Hash: f6f121f828c918919976ecd49bd337efa929f52bd630c926361b201ca5b6eb76
Instruction Fuzzy Hash: AC4125B2900208AFCB00EBACE801B9DB7A8FB54310F14817AE519D7781EB35A940C7D6

Analysis Process: RageMP131.exePID: 1756, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	944
Total number of Limit Nodes:	57

Executed Functions

Function 004C3320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 004C3333
GetCursorPos.USER32(?), ref: 004C3339
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,004C3698), ref: 004C33E8
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,004C3698), ref: 004C349A

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: b4de5810029956a59720bcf2270dfec89371c70174376176d90aea493a4d671a
Instruction ID: e278dba0085ff63259e53feaab331d49bc5fdd74d4d8daf24dd467b41a04aef3
Opcode Fuzzy Hash: b4de5810029956a59720bcf2270dfec89371c70174376176d90aea493a4d671a
Instruction Fuzzy Hash: D451CB39A042558FCB29CF48C4D0FAAB7B1EF45705B19809ED845AB322DB35EE05CB94

Function 0047E5C0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 290
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(00000358,0000FFFF,00001006,?,00000008), ref: 0047E664
recv.WS2_32(?,00000004,00000002), ref: 0047E67B
recv.WS2_32(?,0000000C,00000002,0000000C), ref: 0047E6E6
recv.WS2_32(?,0000000C,00000008), ref: 0047E708
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0047E77D
recv.WS2_32(?,?,00000008), ref: 0047E795

Strings

\"Y, xrefs: 0047E625

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$setsockopt
String ID: \"Y
API String ID: 833079357-803381686
Opcode ID: 884f003343b1b5e70fe3f4a176718300f533df8d41ba69be50387d13f7ee043f
Instruction ID: 9a25225df0bc18de12a847be973f98009b81472513c91c925a93da1d22e65554
Opcode Fuzzy Hash: 884f003343b1b5e70fe3f4a176718300f533df8d41ba69be50387d13f7ee043f
Instruction Fuzzy Hash: 37C1AEB0D00208AFDB14DFA9DC85BADBBB1FB48310F10866AE419AB391D7746C49DB94

Function 0047D9C0 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 354
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,00000000,-005927F8), ref: 0047DCF7
GetProcAddress.KERNEL32(00000000,FEEDF8FD), ref: 0047DCFE
WSASend.WS2_32(0000000F,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,-005927F8), ref: 0047DD13

Strings

t#Y, xrefs: 0047EB4A
131, xrefs: 0047EC48
\"Y, xrefs: 0047E625
Ws2_32.dll, xrefs: 0047DCEE
\, xrefs: 0047DFE4

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSend
String ID: 131$Ws2_32.dll$\$\"Y$t#Y
API String ID: 2819740048-2542141955
Opcode ID: f68b85c2ed489ee7243be54f5fbf67b910d9b898fff704496cd34e91a209d290
Instruction ID: 740b92406a79477fb821970b768fa2f34c0729e6ad47074b1d4164d49753709d
Opcode Fuzzy Hash: f68b85c2ed489ee7243be54f5fbf67b910d9b898fff704496cd34e91a209d290
Instruction Fuzzy Hash: 07D1FF71D142588FCB25CBA4C8857EEBBB0BF06310F19815ED849BB385E3792D46CB99

Function 0047D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0047D4CB
socket.WS2_32(?,?,?), ref: 0047D57F
connect.WS2_32(00000000,?,?), ref: 0047D593
closesocket.WS2_32(00000000), ref: 0047D59E

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 9e068281c3ad265281c45d507b5aa519fc99fca1261778d46c928f27c294a10d
Instruction ID: d2e22feb16d068cd8fd9ca9774753e3c76a7c4ec6e2007528c76219c44bbb25f
Opcode Fuzzy Hash: 9e068281c3ad265281c45d507b5aa519fc99fca1261778d46c928f27c294a10d
Instruction Fuzzy Hash: 1031C271505300ABD7209F258C49B6BB7F4EF85328F005F1EF9A8932D0D37599088B96

Function 00553E1D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00547C57,?,00000000,00000000,00000000,?,00000000,?,00469F4B,W|T,00000000,00469F4B,?,?), ref: 00553FA3

Strings

W|T, xrefs: 00553E1F

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID: W|T
API String ID: 3934441357-2034123312
Opcode ID: e749a4aaffcbfb38f7a8b16dfd40fb715e34b0a8c8d94e1024ecf9d9b3e9bde7
Instruction ID: 0293c524745c6202c46845b1c1bc22630e96d7031ec30680120f9c37065c8dcc
Opcode Fuzzy Hash: e749a4aaffcbfb38f7a8b16dfd40fb715e34b0a8c8d94e1024ecf9d9b3e9bde7
Instruction Fuzzy Hash: 686102B1C0410AAFDF11DFA8C895AEEBFB9BF49345F140586ED08AB251D335DA09CB60

Function 00552FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19270a06a8a1005ac99e5dceea41f38d814de2f70999fa3743eeef15cac0c450
Instruction ID: 1dde382f468cdb04fd93373fbfbf355035a507493b88d6f12014c9eeb72de575
Opcode Fuzzy Hash: 19270a06a8a1005ac99e5dceea41f38d814de2f70999fa3743eeef15cac0c450
Instruction Fuzzy Hash: 99B14770A08606AFDB01DFA8C8A4BAD7FB5BF85355F14458AED085B292C770DB09CB50

Function 00469D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00469EA8

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd8ce95d9f63d4291176967185a86eeef44689c27755c852cf32694b27ed8206
Instruction ID: 1bf027e2c32559c3e19d0a56edfb4755cd2596841a4ba327c3370cb74a2fef14
Opcode Fuzzy Hash: dd8ce95d9f63d4291176967185a86eeef44689c27755c852cf32694b27ed8206
Instruction Fuzzy Hash: 176139719002059BDB18DF54DC49BAFBBA8FF85304F14416EF8089B382E7B99E41C7A6

Function 00543512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361addd5ad79db09e9582149397a97babbb045ab946d35af48baa897347d9d5f
Instruction ID: a9ff0ea1780d214f0ac29d5be9dc12d632e2f20d7a1f6af6fe66899c6bdea504
Opcode Fuzzy Hash: 361addd5ad79db09e9582149397a97babbb045ab946d35af48baa897347d9d5f
Instruction Fuzzy Hash: 1A518F70A00209BFDF14DF58C885AE9BFA1BB89368F258159F8499B362D371DE41DB90

Function 00553493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,0055337A,00000000,CF830579,0058B810,0000000C,00553436,0054778D,?), ref: 005534EA

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 064a5288f1ba5c79ba6821277a6e2dd672e1105fc5a78605dc58e19cf2e07381
Instruction ID: 5e43142c5915eeb03e970b2f93dea35988b1c41afaeef90806bed3411f53402a
Opcode Fuzzy Hash: 064a5288f1ba5c79ba6821277a6e2dd672e1105fc5a78605dc58e19cf2e07381
Instruction Fuzzy Hash: 5D11AF33508124A5CB322234A87EB7E1F4AAFC2776F25054BFC0C4B1D1EB72894C5180

Function 0054CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,0058B4C8,00469F4B,00000002,00469F4B,00000000,?,?,?,0054CD36,00000000,?,00469F4B,00000002,0058B4C8), ref: 0054CC69

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 524a44269f9114b9fab7fd01fb958f533be35001fa93c01ca02f2fd54cf4e440
Instruction ID: 8e0d42cac31cb3a532e2c991b6d13498958c8cdea445a8e6f5059095ad138b98
Opcode Fuzzy Hash: 524a44269f9114b9fab7fd01fb958f533be35001fa93c01ca02f2fd54cf4e440
Instruction Fuzzy Hash: E7010432614125AECB05CF19CC99DAE3F19EBC5334B250644E8259B290E671ED419790

Function 00462D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00462DBF

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction ID: 80f6fc6e79ab65b91391697d9b6174b75a6875605a37bce379ce23a54221ba6d
Opcode Fuzzy Hash: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction Fuzzy Hash: D2F024B2200505ABCB186F64E9058EAB7FCEF64366714087FE888C7212F76ADA408791

Function 00554D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00547DC7,00000000,?,005546F9,00000001,00000364,00000000,00000006,000000FF,?,00000000,0054BE14,00547593,00547DC7,00000000), ref: 00554DB5

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e03b72786a83b4e3d290129deb97d6bb0534c912894a56e948c14c6cca5166d0
Instruction ID: 8fae411ba43f9bb60870c2a8b9e56d0d931287354a458ffc4f7fd6b39da7347d
Opcode Fuzzy Hash: e03b72786a83b4e3d290129deb97d6bb0534c912894a56e948c14c6cca5166d0
Instruction Fuzzy Hash: BDF0E93210053567DB226A625C25B6F3F79BF817B6F154213EC08971C1CB20E8894EE4

Function 005557AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0055ABF2,4D88C033,?,0055ABF2,00000220,?,0055416F,4D88C033), ref: 005557E0

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32e2cace0bbd8fe1bc636c0c131821d7f043426827f3193c6f5abe75db6958eb
Instruction ID: 115f416bd69b75c8f80364bc868e070c9da331fe14206b1bfb14f5c7ed9c2c14
Opcode Fuzzy Hash: 32e2cace0bbd8fe1bc636c0c131821d7f043426827f3193c6f5abe75db6958eb
Instruction Fuzzy Hash: BBE06D31220F2697E62536765C35FAB3E49FF8A7F2F150523ED18961C0EB10DC4886E9

Non-executed Functions

Function 004E4D20 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4D6C
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4DAE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4DF6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4E37
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4E78
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4EB6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4EFE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4F46
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4F87
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4FCD

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 607d8261986945a4c4324970d497c9217e0a31680db26621d3fbdd4d70d00188
Instruction ID: a60dbe664e6472e00e1a5863635c958c6711d75411534544572e9dd20062ecca
Opcode Fuzzy Hash: 607d8261986945a4c4324970d497c9217e0a31680db26621d3fbdd4d70d00188
Instruction Fuzzy Hash: 068154B0C1838DAEEF19CF98D444AEEBBB8EF16304F51409FD441AB651D3745209DBA9

Function 00468890 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 0046892E
GetProcAddress.KERNEL32(00000000,?), ref: 0046893B
GetModuleHandleA.KERNEL32(?), ref: 004689A5
GetProcAddress.KERNEL32(00000000,?), ref: 004689AC
CloseHandle.KERNEL32(?), ref: 00468BB2
CloseHandle.KERNEL32(?), ref: 00468C14
CloseHandle.KERNEL32(00000000), ref: 00468C41

Strings

File, xrefs: 00468A93

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc
String ID: File
API String ID: 4110381430-749574446
Opcode ID: 3626a999ed1c01f521b3509838af8904081567d419e15fb4da1978775266c846
Instruction ID: d097018fc1a966017e7d12abefc5969dcab67f1e98ae584780056f3b66e3ad85
Opcode Fuzzy Hash: 3626a999ed1c01f521b3509838af8904081567d419e15fb4da1978775266c846
Instruction Fuzzy Hash: DFC19F70D042599BEF24CFA4CC85BAEBBB4FF05304F10055EE544BB281EB75A945CB6A

Function 00547070 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction ID: 5bad394fd6efddcbff89a158496ec1f2af2ebc959212b9dcc09242c380e86b36
Opcode Fuzzy Hash: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction Fuzzy Hash: 66023C71E052199BDF14CFA9C8806EEBBF1FF48318F258669E919E7381D731A941CB90

Function 004CF590 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004CF5B3
std::_Lockit::_Lockit.LIBCPMT ref: 004CF5D5
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF5F5
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF61F
std::_Lockit::_Lockit.LIBCPMT ref: 004CF68D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004CF6D9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004CF6F3
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF788
std::_Facet_Register.LIBCPMT ref: 004CF795

Strings

bad locale name, xrefs: 004CF7AF
fXW, xrefs: 004CF6EB, 004CF6F2

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$fXW
API String ID: 3375549084-28943737
Opcode ID: 0529c43b1f2e310dd24f45cd95d7bcd59bfb46350b0d00096ff075e12e03383e
Instruction ID: 8dbd80a4c2d8827007839650745c600f066d8a3c91e9f99d6d8297f7a2b87164
Opcode Fuzzy Hash: 0529c43b1f2e310dd24f45cd95d7bcd59bfb46350b0d00096ff075e12e03383e
Instruction Fuzzy Hash: 9261EEB5E012499BDF11DFA4C849B9EBFB5BF54310F14402AE804B7341E738E90ACBA5

Function 004639A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00463A08
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00463A54
__Getctype.LIBCPMT ref: 00463A6A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00463A96
std::_Lockit::~_Lockit.LIBCPMT ref: 00463B2B

Strings

`<F, xrefs: 00463A64
bad locale name, xrefs: 00463B46

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: `<F$bad locale name
API String ID: 1840309910-1676782154
Opcode ID: 26054f2eda05760c104a77f682bc948be06a9abc031039b3a060d44a72c8ec7a
Instruction ID: c2a5368965ea7faed27b406beb3cd4744b9fd03aa4ea87e8206037cb169bd193
Opcode Fuzzy Hash: 26054f2eda05760c104a77f682bc948be06a9abc031039b3a060d44a72c8ec7a
Instruction Fuzzy Hash: A85152B1D002489BDF10DF94D845B9EBFB8BF54714F144069E809AB341E779EA04CBA6

Function 004D6950 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004D69A8
__floor_pentium4.LIBCMT ref: 004D6ACB

Strings

unordered_map/set too long, xrefs: 004D6B96

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__floor_pentium4
String ID: unordered_map/set too long
API String ID: 1502093491-306623848
Opcode ID: 1dc2a618929728eeb5ee1ecb2b3358f088344a7ec20300c03261417aa5479c28
Instruction ID: 816f520e28b79048fb671673f26edf897a4c876c331094ed8c34e46e298d3ed9
Opcode Fuzzy Hash: 1dc2a618929728eeb5ee1ecb2b3358f088344a7ec20300c03261417aa5479c28
Instruction Fuzzy Hash: 2AF14771A00214DFCB04DF58C991AAEBBB5FF84314F15826BE859AB385D738EE11CB94

Function 00464BE0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 353COMMON

Download Yara Rule

Strings

recursive_directory_iterator::operator++, xrefs: 00464EEC
: ", xrefs: 00464CC1
", ", xrefs: 00464CEC

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: ", "$: "$recursive_directory_iterator::operator++
API String ID: 0-2763324178
Opcode ID: a63a110b313988646ea76711894fbdaf5f85e2bbb507c34fbd6c6e7b0e3c5179
Instruction ID: 77cb15eb4c392e877551054dff70b8dfc5f596555456237ef9c1ca7b9359d245
Opcode Fuzzy Hash: a63a110b313988646ea76711894fbdaf5f85e2bbb507c34fbd6c6e7b0e3c5179
Instruction Fuzzy Hash: 4FC102B1900204AFCB18EF64D845B9EBBF8FF45714F04462EF41697781EB78AA04CBA5

Function 005419E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00541A17
___except_validate_context_record.LIBVCRUNTIME ref: 00541A1F
_ValidateLocalCookies.LIBCMT ref: 00541AA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00541AD3
_ValidateLocalCookies.LIBCMT ref: 00541B28

Strings

csm, xrefs: 00541ABD

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 018fb2c0306c60c3331f2db91f0fff85f9f79a08c572489ed6eb8acc2e72a324
Instruction ID: 4dcebbc1489f744c04d39888856cd7bab131ccadb3fe2688f4587d02ecf59aed
Opcode Fuzzy Hash: 018fb2c0306c60c3331f2db91f0fff85f9f79a08c572489ed6eb8acc2e72a324
Instruction Fuzzy Hash: 7E410030A00619ABCF10DF69C889ADE7FB4FF85368F148455E8049B392D731EA85CBD4

Function 004CDCF0 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004CDD13
std::_Lockit::_Lockit.LIBCPMT ref: 004CDD36
std::_Lockit::~_Lockit.LIBCPMT ref: 004CDD56
std::_Facet_Register.LIBCPMT ref: 004CDDCB
std::_Lockit::~_Lockit.LIBCPMT ref: 004CDDE3
Concurrency::cancel_current_task.LIBCPMT ref: 004CDDFB

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d61c6e6cf72d247dc606c5f8075c81188a27926c6e2f6d0374be2bd87ea6737e
Instruction ID: fdbf992da7fa01e2078f64fed348b8938cc662f46d386f15a2aeaddb93e147ec
Opcode Fuzzy Hash: d61c6e6cf72d247dc606c5f8075c81188a27926c6e2f6d0374be2bd87ea6737e
Instruction Fuzzy Hash: 9031EC79C0022A9FCB51DF54C884BAEBBB0FB80320F15862EE81A67351D734AE45CBD5

Function 00467660 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00467796
___std_exception_copy.LIBVCRUNTIME ref: 00467931

Strings

out_of_range, xrefs: 00467827
type_error, xrefs: 0046768A
@nF, xrefs: 00467778, 00467913

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$out_of_range$type_error
API String ID: 2659868963-1879671698
Opcode ID: b2f10256b767c38a02ceb83ce414ea9644eab09569d95f14b9feadc99e98a006
Instruction ID: 4fe945529a8efc2fb04f967d837d4e6a87b93e7024a6e4047e72e0f97e07b98b
Opcode Fuzzy Hash: b2f10256b767c38a02ceb83ce414ea9644eab09569d95f14b9feadc99e98a006
Instruction Fuzzy Hash: 97A19DB1D002089FDB18DFA8D885BADBBF1BF49304F14862EE019E7751E778A944CB65

Function 00466E80 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 284COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004671A9

Strings

parse_error, xrefs: 00466EC7
@nF, xrefs: 00467184
parse error, xrefs: 00466F14

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$parse error$parse_error
API String ID: 2659868963-3223604060
Opcode ID: 357ba9c27c605872098eaab78fc3261cbff2fdd51396d6d118eb46ff7c3e4f81
Instruction ID: 60abd793aa98d02ac640e143fbb577c90f9dd408d7f729379ea53fe3f64a153e
Opcode Fuzzy Hash: 357ba9c27c605872098eaab78fc3261cbff2fdd51396d6d118eb46ff7c3e4f81
Instruction Fuzzy Hash: D4B1A170D002098FDB08CF68DD95BADFBF1BF49304F14825AE019AB792E7749A80CB65

Function 00467220 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0046743E
___std_exception_destroy.LIBVCRUNTIME ref: 0046744D

Strings

at line , xrefs: 00467267
, column , xrefs: 004672C4

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 774eec79154162989b73fe2c0a317585b000a1d585bce003fb1a98724dc8c3c9
Instruction ID: 35be139df3a1e7dd6063b746dc8e0e1a7e31e28afb65b5e8c7ffc8b79b5b5210
Opcode Fuzzy Hash: 774eec79154162989b73fe2c0a317585b000a1d585bce003fb1a98724dc8c3c9
Instruction Fuzzy Hash: E66192B0E042059FC718DF68D885BADFBF1BF49314F14826EE419A7782D7789980CB55

Function 00463CC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00463E2F

Strings

ios_base::badbit set, xrefs: 00463DC7
ios_base::failbit set, xrefs: 00463CE2
ios_base::eofbit set, xrefs: 00463DF1, 00463E13

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: b36a3dca853737a33933b6aa4071c4aaab78f8aeb2f71137555970123648af1c
Instruction ID: c4b5763e82ea3b811324ea45073a81c893712f7038fe522839801c2c7566cd6b
Opcode Fuzzy Hash: b36a3dca853737a33933b6aa4071c4aaab78f8aeb2f71137555970123648af1c
Instruction Fuzzy Hash: EB41AFB6A00244AFCB04DF58C845BEABBF8FF49710F14852BE91997741E775AA00CBA5

Function 004674A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004675F8

Strings

AqL, xrefs: 0046763D
@nF, xrefs: 004675DA
invalid_iterator, xrefs: 004674EB

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$AqL$invalid_iterator
API String ID: 2659868963-798898470
Opcode ID: 3dac7f184fd91c8cc3c8d73f220fe682646c9f044f69d39a5e56f91abf668ff7
Instruction ID: e6149a1994fca2805a944e458db97dee6a85e28c4271d239daba2f92c8577f3a
Opcode Fuzzy Hash: 3dac7f184fd91c8cc3c8d73f220fe682646c9f044f69d39a5e56f91abf668ff7
Instruction Fuzzy Hash: 8A51AFB1D002089FCB18CF68D8847AEFBF5FB48314F14866EE01AA7791E774A944CB95

Function 00463D90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00463E2F

Strings

ios_base::badbit set, xrefs: 00463DC7
ios_base::failbit set, xrefs: 00463CE2, 00463DCE
ios_base::eofbit set, xrefs: 00463DD8, 00463DF1, 00463E13

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 0de74049617cb03e1e63ed52f899b2d3b691347ec35ecedd7897c75204426b25
Instruction ID: 596ecd052d6e5dda8c7e8071fdb02a16a92644559a18164d06442d259a2d628c
Opcode Fuzzy Hash: 0de74049617cb03e1e63ed52f899b2d3b691347ec35ecedd7897c75204426b25
Instruction Fuzzy Hash: 7C2105B2A00704ABC704DF58D801B96BBECBF04311F18842BF91887341F775EA04CBA6

Function 0053CF39 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0053CF40
std::_Lockit::_Lockit.LIBCPMT ref: 0053CF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0053CFB9

Part of subcall function 0053D09C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0053D0B4

std::locale::_Setgloballocale.LIBCPMT ref: 0053CF66

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 8c655635316c435088a6f99dfbe3dd507961bae738bbc066a34ce5d4ab5fc950
Instruction ID: 633e03158c5dd330446f826f46bd86d46fbccd1216fffa8f33b5d140193348fb
Opcode Fuzzy Hash: 8c655635316c435088a6f99dfbe3dd507961bae738bbc066a34ce5d4ab5fc950
Instruction Fuzzy Hash: B801DF76A006229BCB0AEB20E84A57D7FB1FFD4740F19040AE80167391DF746E46DBDA

Function 004D6060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004D61A6
Concurrency::cancel_current_task.LIBCPMT ref: 004D6341

Strings

Py"v, xrefs: 004D6112

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Py"v
API String ID: 118556049-2948403528
Opcode ID: 10903d2f9587ed01dd017d2e519334c363aaf9660c6c83ace470442a108501ff
Instruction ID: 8fac0d4fc47538f9e39cf39b289036a5c9f4fe46134165d41ab9c7c7acf38d38
Opcode Fuzzy Hash: 10903d2f9587ed01dd017d2e519334c363aaf9660c6c83ace470442a108501ff
Instruction Fuzzy Hash: 8A81F472A00101AFCB08DF6CDDA596EB7A5EB95300B15836FE80987391E734EE55C794

Function 00466C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00466E51
___std_exception_destroy.LIBVCRUNTIME ref: 00466E60

Strings

[json.exception., xrefs: 00466C68

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 13c51f5e1bfe26069c918e20c7e740efdca381c990602d1ed3c9f108a5ef58b1
Instruction ID: 5bbb1b041e1f438a112a4c5c5aa07e8b7ecb8daa908aa12fa66a10ffc0d60de0
Opcode Fuzzy Hash: 13c51f5e1bfe26069c918e20c7e740efdca381c990602d1ed3c9f108a5ef58b1
Instruction Fuzzy Hash: 4D71A3B0A002059FD718DF68D985B9EFBF5FF49310F10821EE4199B781E774A980CB95

Function 004679A0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00467AE3

Strings

other_error, xrefs: 004679CA
@nF, xrefs: 00467AC1

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$other_error
API String ID: 2659868963-48232177
Opcode ID: 2939056cb060dce6d33b3d327a20b260fbfae03af7381f8cd1e396e98783f291
Instruction ID: 3f2957aba7209f2456b19490f5bdb2141e71df54d06368c692e8d2af4c27694d
Opcode Fuzzy Hash: 2939056cb060dce6d33b3d327a20b260fbfae03af7381f8cd1e396e98783f291
Instruction Fuzzy Hash: B671C271E002049FDB14CFA8DC85B9EBBF1FF88314F14826AE419AB791E774A940CB95

Function 004DD630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004DD6B0

Strings

type must be string, but is , xrefs: 004DD718
type must be boolean, but is , xrefs: 004DD7A2

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a07e3f60a01bef22eec29ac7f8e453f4537be376eac639655353863e89515409
Instruction ID: d68400627ca2492bc2e45ca604f19d7b5d554e75e6371cb1c00653d9315bb220
Opcode Fuzzy Hash: a07e3f60a01bef22eec29ac7f8e453f4537be376eac639655353863e89515409
Instruction Fuzzy Hash: 154135B2E00648AFC700EFA8D801B9EBBE8EB04314F14457BE419D7741EB78A910CBD6

Function 004CD030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004CD04F
___std_exception_copy.LIBVCRUNTIME ref: 004CD076

Strings

@nF, xrefs: 004CD054

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF
API String ID: 2659868963-3944412766
Opcode ID: d67d042dee8c344cb3842a30f7837767eaba347b3e91cabeb7d478a2a40bb856
Instruction ID: 464fff5a71d8d2ed677af63581b430ea2977c84de2058947e5c6117d39159c85
Opcode Fuzzy Hash: d67d042dee8c344cb3842a30f7837767eaba347b3e91cabeb7d478a2a40bb856
Instruction Fuzzy Hash: 1001E4BAA00706AF8708CF99E405886FBF8FB48310701C52BE51AC7B00E770E518CFA0

Function 004DA5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004DA5FF
___std_exception_copy.LIBVCRUNTIME ref: 004DA626

Strings

@nF, xrefs: 004DA604

Memory Dump Source

Source File: 00000008.00000002.3375310931.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 00000008.00000002.3375202386.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375310931.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375514063.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3375547902.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376119794.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376337589.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000008.00000002.3376371523.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF
API String ID: 2659868963-3944412766
Opcode ID: 35e4f042faf38721b8adadb45d79be86fe77e401e8f0e3c2f5737c13016f900d
Instruction ID: 3af50310659dbe6e466b855d05ee4faae631fade1dbc85187a53ad53ec2ac004
Opcode Fuzzy Hash: 35e4f042faf38721b8adadb45d79be86fe77e401e8f0e3c2f5737c13016f900d
Instruction Fuzzy Hash: D7F0C9B6A04706AF8708DF55E505886BBF8FA58310701896BE51AC7B10E770E514CFA4

Analysis Process: RageMP131.exePID: 3220, Parent PID: 4004COMMON

Execution Graph

Execution Coverage:	3.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	0%
Total number of Nodes:	944
Total number of Limit Nodes:	57

Executed Functions

Function 004C3320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCursorPos.USER32(?), ref: 004C3333
GetCursorPos.USER32(?), ref: 004C3339
Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,004C3698), ref: 004C33E8
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,004C3698), ref: 004C349A

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: CursorSleep
String ID:
API String ID: 4211308429-0
Opcode ID: b4de5810029956a59720bcf2270dfec89371c70174376176d90aea493a4d671a
Instruction ID: e278dba0085ff63259e53feaab331d49bc5fdd74d4d8daf24dd467b41a04aef3
Opcode Fuzzy Hash: b4de5810029956a59720bcf2270dfec89371c70174376176d90aea493a4d671a
Instruction Fuzzy Hash: D451CB39A042558FCB29CF48C4D0FAAB7B1EF45705B19809ED845AB322DB35EE05CB94

Function 0047E5C0 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 290
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

setsockopt.WS2_32(000002DC,0000FFFF,00001006,?,00000008), ref: 0047E664
recv.WS2_32(?,00000004,00000002), ref: 0047E67B
recv.WS2_32(?,0000000C,00000002,0000000C), ref: 0047E6E6
recv.WS2_32(?,0000000C,00000008), ref: 0047E708
setsockopt.WS2_32(0000FFFF,00001006,?,00000008,?), ref: 0047E77D
recv.WS2_32(?,?,00000008), ref: 0047E795

Strings

\"Y, xrefs: 0047E625

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: recv$setsockopt
String ID: \"Y
API String ID: 833079357-803381686
Opcode ID: 884f003343b1b5e70fe3f4a176718300f533df8d41ba69be50387d13f7ee043f
Instruction ID: 9a25225df0bc18de12a847be973f98009b81472513c91c925a93da1d22e65554
Opcode Fuzzy Hash: 884f003343b1b5e70fe3f4a176718300f533df8d41ba69be50387d13f7ee043f
Instruction Fuzzy Hash: 37C1AEB0D00208AFDB14DFA9DC85BADBBB1FB48310F10866AE419AB391D7746C49DB94

Function 0047D9C0 Relevance: 14.4, APIs: 3, Strings: 5, Instructions: 354
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(Ws2_32.dll,?,?,?,?,?,00000000,-005927F8), ref: 0047DCF7
GetProcAddress.KERNEL32(00000000,FEEDF8FD), ref: 0047DCFE
WSASend.WS2_32(0000000F,?,00000001,00000000,00000000,00000000,00000000,?,?,?,?,?,00000000,-005927F8), ref: 0047DD13

Strings

\"Y, xrefs: 0047E625
Ws2_32.dll, xrefs: 0047DCEE
131, xrefs: 0047EC48
\, xrefs: 0047DFE4
t#Y, xrefs: 0047EB4A

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AddressHandleModuleProcSend
String ID: 131$Ws2_32.dll$\$\"Y$t#Y
API String ID: 2819740048-2542141955
Opcode ID: f68b85c2ed489ee7243be54f5fbf67b910d9b898fff704496cd34e91a209d290
Instruction ID: 740b92406a79477fb821970b768fa2f34c0729e6ad47074b1d4164d49753709d
Opcode Fuzzy Hash: f68b85c2ed489ee7243be54f5fbf67b910d9b898fff704496cd34e91a209d290
Instruction Fuzzy Hash: 07D1FF71D142588FCB25CBA4C8857EEBBB0BF06310F19815ED849BB385E3792D46CB99

Function 0047D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0047D4CB
socket.WS2_32(?,?,?), ref: 0047D57F
connect.WS2_32(00000000,?,?), ref: 0047D593
closesocket.WS2_32(00000000), ref: 0047D59E

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 9e068281c3ad265281c45d507b5aa519fc99fca1261778d46c928f27c294a10d
Instruction ID: d2e22feb16d068cd8fd9ca9774753e3c76a7c4ec6e2007528c76219c44bbb25f
Opcode Fuzzy Hash: 9e068281c3ad265281c45d507b5aa519fc99fca1261778d46c928f27c294a10d
Instruction Fuzzy Hash: 1031C271505300ABD7209F258C49B6BB7F4EF85328F005F1EF9A8932D0D37599088B96

Function 00553E1D Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00547C57,?,00000000,00000000,00000000,?,00000000,?,00469F4B,W|T,00000000,00469F4B,?,?), ref: 00553FA3

Strings

W|T, xrefs: 00553E1F

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID: W|T
API String ID: 3934441357-2034123312
Opcode ID: e749a4aaffcbfb38f7a8b16dfd40fb715e34b0a8c8d94e1024ecf9d9b3e9bde7
Instruction ID: 0293c524745c6202c46845b1c1bc22630e96d7031ec30680120f9c37065c8dcc
Opcode Fuzzy Hash: e749a4aaffcbfb38f7a8b16dfd40fb715e34b0a8c8d94e1024ecf9d9b3e9bde7
Instruction Fuzzy Hash: 686102B1C0410AAFDF11DFA8C895AEEBFB9BF49345F140586ED08AB251D335DA09CB60

Function 00552FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 19270a06a8a1005ac99e5dceea41f38d814de2f70999fa3743eeef15cac0c450
Instruction ID: 1dde382f468cdb04fd93373fbfbf355035a507493b88d6f12014c9eeb72de575
Opcode Fuzzy Hash: 19270a06a8a1005ac99e5dceea41f38d814de2f70999fa3743eeef15cac0c450
Instruction Fuzzy Hash: 99B14770A08606AFDB01DFA8C8A4BAD7FB5BF85355F14458AED085B292C770DB09CB50

Function 00469D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 00469EA8

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: dd8ce95d9f63d4291176967185a86eeef44689c27755c852cf32694b27ed8206
Instruction ID: 1bf027e2c32559c3e19d0a56edfb4755cd2596841a4ba327c3370cb74a2fef14
Opcode Fuzzy Hash: dd8ce95d9f63d4291176967185a86eeef44689c27755c852cf32694b27ed8206
Instruction Fuzzy Hash: 176139719002059BDB18DF54DC49BAFBBA8FF85304F14416EF8089B382E7B99E41C7A6

Function 00543512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 361addd5ad79db09e9582149397a97babbb045ab946d35af48baa897347d9d5f
Instruction ID: a9ff0ea1780d214f0ac29d5be9dc12d632e2f20d7a1f6af6fe66899c6bdea504
Opcode Fuzzy Hash: 361addd5ad79db09e9582149397a97babbb045ab946d35af48baa897347d9d5f
Instruction Fuzzy Hash: 1A518F70A00209BFDF14DF58C885AE9BFA1BB89368F258159F8499B362D371DE41DB90

Function 00553493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,0055337A,00000000,CF830579,0058B810,0000000C,00553436,0054778D,?), ref: 005534EA

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 064a5288f1ba5c79ba6821277a6e2dd672e1105fc5a78605dc58e19cf2e07381
Instruction ID: 5e43142c5915eeb03e970b2f93dea35988b1c41afaeef90806bed3411f53402a
Opcode Fuzzy Hash: 064a5288f1ba5c79ba6821277a6e2dd672e1105fc5a78605dc58e19cf2e07381
Instruction Fuzzy Hash: 5D11AF33508124A5CB322234A87EB7E1F4AAFC2776F25054BFC0C4B1D1EB72894C5180

Function 0054CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,0058B4C8,00469F4B,00000002,00469F4B,00000000,?,?,?,0054CD36,00000000,?,00469F4B,00000002,0058B4C8), ref: 0054CC69

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 524a44269f9114b9fab7fd01fb958f533be35001fa93c01ca02f2fd54cf4e440
Instruction ID: 8e0d42cac31cb3a532e2c991b6d13498958c8cdea445a8e6f5059095ad138b98
Opcode Fuzzy Hash: 524a44269f9114b9fab7fd01fb958f533be35001fa93c01ca02f2fd54cf4e440
Instruction Fuzzy Hash: E7010432614125AECB05CF19CC99DAE3F19EBC5334B250644E8259B290E671ED419790

Function 00462D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00462DBF

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction ID: 80f6fc6e79ab65b91391697d9b6174b75a6875605a37bce379ce23a54221ba6d
Opcode Fuzzy Hash: 326ee97673e7adb1608e1cb46f795dec6370eba03380352c4d7ae6dd60fbcf19
Instruction Fuzzy Hash: D2F024B2200505ABCB186F64E9058EAB7FCEF64366714087FE888C7212F76ADA408791

Function 00554D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000008,00547DC7,00000000,?,005546F9,00000001,00000364,00000000,00000006,000000FF,?,00000000,0054BE14,00547593,00547DC7,00000000), ref: 00554DB5

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: e03b72786a83b4e3d290129deb97d6bb0534c912894a56e948c14c6cca5166d0
Instruction ID: 8fae411ba43f9bb60870c2a8b9e56d0d931287354a458ffc4f7fd6b39da7347d
Opcode Fuzzy Hash: e03b72786a83b4e3d290129deb97d6bb0534c912894a56e948c14c6cca5166d0
Instruction Fuzzy Hash: BDF0E93210053567DB226A625C25B6F3F79BF817B6F154213EC08971C1CB20E8894EE4

Function 005557AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000,0055ABF2,4D88C033,?,0055ABF2,00000220,?,0055416F,4D88C033), ref: 005557E0

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 32e2cace0bbd8fe1bc636c0c131821d7f043426827f3193c6f5abe75db6958eb
Instruction ID: 115f416bd69b75c8f80364bc868e070c9da331fe14206b1bfb14f5c7ed9c2c14
Opcode Fuzzy Hash: 32e2cace0bbd8fe1bc636c0c131821d7f043426827f3193c6f5abe75db6958eb
Instruction Fuzzy Hash: BBE06D31220F2697E62536765C35FAB3E49FF8A7F2F150523ED18961C0EB10DC4886E9

Non-executed Functions

Function 004E4D20 Relevance: 15.2, APIs: 10, Instructions: 187libraryloaderCOMMON

Download Yara Rule

APIs

GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4D6C
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4DAE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4DF6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4E37
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4E78
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4EB6
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4EFE
GetProcAddress.KERNEL32(00000000,DDD8DFE2), ref: 004E4F46
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4F87
GetProcAddress.KERNEL32(00000000,C8D8C5E3), ref: 004E4FCD

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: AddressProc
String ID:
API String ID: 190572456-0
Opcode ID: 607d8261986945a4c4324970d497c9217e0a31680db26621d3fbdd4d70d00188
Instruction ID: a60dbe664e6472e00e1a5863635c958c6711d75411534544572e9dd20062ecca
Opcode Fuzzy Hash: 607d8261986945a4c4324970d497c9217e0a31680db26621d3fbdd4d70d00188
Instruction Fuzzy Hash: 068154B0C1838DAEEF19CF98D444AEEBBB8EF16304F51409FD441AB651D3745209DBA9

Function 00468890 Relevance: 14.3, APIs: 7, Strings: 1, Instructions: 327libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?), ref: 0046892E
GetProcAddress.KERNEL32(00000000,?), ref: 0046893B
GetModuleHandleA.KERNEL32(?), ref: 004689A5
GetProcAddress.KERNEL32(00000000,?), ref: 004689AC
CloseHandle.KERNEL32(?), ref: 00468BB2
CloseHandle.KERNEL32(?), ref: 00468C14
CloseHandle.KERNEL32(00000000), ref: 00468C41

Strings

File, xrefs: 00468A93

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Handle$Close$AddressModuleProc
String ID: File
API String ID: 4110381430-749574446
Opcode ID: 3626a999ed1c01f521b3509838af8904081567d419e15fb4da1978775266c846
Instruction ID: d097018fc1a966017e7d12abefc5969dcab67f1e98ae584780056f3b66e3ad85
Opcode Fuzzy Hash: 3626a999ed1c01f521b3509838af8904081567d419e15fb4da1978775266c846
Instruction Fuzzy Hash: DFC19F70D042599BEF24CFA4CC85BAEBBB4FF05304F10055EE544BB281EB75A945CB6A

Function 00547070 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction ID: 5bad394fd6efddcbff89a158496ec1f2af2ebc959212b9dcc09242c380e86b36
Opcode Fuzzy Hash: 61965cb8cb4c3d11271a02d73999b519a6a23ab072505813c3df16f2acd370b1
Instruction Fuzzy Hash: 66023C71E052199BDF14CFA9C8806EEBBF1FF48318F258669E919E7381D731A941CB90

Function 004CF590 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004CF5B3
std::_Lockit::_Lockit.LIBCPMT ref: 004CF5D5
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF5F5
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF61F
std::_Lockit::_Lockit.LIBCPMT ref: 004CF68D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004CF6D9
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004CF6F3
std::_Lockit::~_Lockit.LIBCPMT ref: 004CF788
std::_Facet_Register.LIBCPMT ref: 004CF795

Strings

fXW, xrefs: 004CF6EB, 004CF6F2
bad locale name, xrefs: 004CF7AF

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$fXW
API String ID: 3375549084-28943737
Opcode ID: 0529c43b1f2e310dd24f45cd95d7bcd59bfb46350b0d00096ff075e12e03383e
Instruction ID: 8dbd80a4c2d8827007839650745c600f066d8a3c91e9f99d6d8297f7a2b87164
Opcode Fuzzy Hash: 0529c43b1f2e310dd24f45cd95d7bcd59bfb46350b0d00096ff075e12e03383e
Instruction Fuzzy Hash: 9261EEB5E012499BDF11DFA4C849B9EBFB5BF54310F14402AE804B7341E738E90ACBA5

Function 004639A0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 156COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00463A08
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00463A54
__Getctype.LIBCPMT ref: 00463A6A
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00463A96
std::_Lockit::~_Lockit.LIBCPMT ref: 00463B2B

Strings

bad locale name, xrefs: 00463B46
`<F, xrefs: 00463A64

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: `<F$bad locale name
API String ID: 1840309910-1676782154
Opcode ID: 26054f2eda05760c104a77f682bc948be06a9abc031039b3a060d44a72c8ec7a
Instruction ID: c2a5368965ea7faed27b406beb3cd4744b9fd03aa4ea87e8206037cb169bd193
Opcode Fuzzy Hash: 26054f2eda05760c104a77f682bc948be06a9abc031039b3a060d44a72c8ec7a
Instruction Fuzzy Hash: A85152B1D002489BDF10DF94D845B9EBFB8BF54714F144069E809AB341E779EA04CBA6

Function 004D6950 Relevance: 11.0, APIs: 5, Strings: 1, Instructions: 489COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004D69A8
__floor_pentium4.LIBCMT ref: 004D6ACB

Strings

unordered_map/set too long, xrefs: 004D6B96

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task__floor_pentium4
String ID: unordered_map/set too long
API String ID: 1502093491-306623848
Opcode ID: 1dc2a618929728eeb5ee1ecb2b3358f088344a7ec20300c03261417aa5479c28
Instruction ID: 816f520e28b79048fb671673f26edf897a4c876c331094ed8c34e46e298d3ed9
Opcode Fuzzy Hash: 1dc2a618929728eeb5ee1ecb2b3358f088344a7ec20300c03261417aa5479c28
Instruction Fuzzy Hash: 2AF14771A00214DFCB04DF58C991AAEBBB5FF84314F15826BE859AB385D738EE11CB94

Function 00464BE0 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 353COMMON

Download Yara Rule

Strings

recursive_directory_iterator::operator++, xrefs: 00464EEC
: ", xrefs: 00464CC1
", ", xrefs: 00464CEC

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: ", "$: "$recursive_directory_iterator::operator++
API String ID: 0-2763324178
Opcode ID: a63a110b313988646ea76711894fbdaf5f85e2bbb507c34fbd6c6e7b0e3c5179
Instruction ID: 77cb15eb4c392e877551054dff70b8dfc5f596555456237ef9c1ca7b9359d245
Opcode Fuzzy Hash: a63a110b313988646ea76711894fbdaf5f85e2bbb507c34fbd6c6e7b0e3c5179
Instruction Fuzzy Hash: 4FC102B1900204AFCB18EF64D845B9EBBF8FF45714F04462EF41697781EB78AA04CBA5

Function 005419E0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00541A17
___except_validate_context_record.LIBVCRUNTIME ref: 00541A1F
_ValidateLocalCookies.LIBCMT ref: 00541AA8
__IsNonwritableInCurrentImage.LIBCMT ref: 00541AD3
_ValidateLocalCookies.LIBCMT ref: 00541B28

Strings

csm, xrefs: 00541ABD

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 018fb2c0306c60c3331f2db91f0fff85f9f79a08c572489ed6eb8acc2e72a324
Instruction ID: 4dcebbc1489f744c04d39888856cd7bab131ccadb3fe2688f4587d02ecf59aed
Opcode Fuzzy Hash: 018fb2c0306c60c3331f2db91f0fff85f9f79a08c572489ed6eb8acc2e72a324
Instruction Fuzzy Hash: 7E410030A00619ABCF10DF69C889ADE7FB4FF85368F148455E8049B392D731EA85CBD4

Function 004CDCF0 Relevance: 9.1, APIs: 6, Instructions: 104COMMONLIBRARYCODE

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 004CDD13
std::_Lockit::_Lockit.LIBCPMT ref: 004CDD36
std::_Lockit::~_Lockit.LIBCPMT ref: 004CDD56
std::_Facet_Register.LIBCPMT ref: 004CDDCB
std::_Lockit::~_Lockit.LIBCPMT ref: 004CDDE3
Concurrency::cancel_current_task.LIBCPMT ref: 004CDDFB

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: d61c6e6cf72d247dc606c5f8075c81188a27926c6e2f6d0374be2bd87ea6737e
Instruction ID: fdbf992da7fa01e2078f64fed348b8938cc662f46d386f15a2aeaddb93e147ec
Opcode Fuzzy Hash: d61c6e6cf72d247dc606c5f8075c81188a27926c6e2f6d0374be2bd87ea6737e
Instruction Fuzzy Hash: 9031EC79C0022A9FCB51DF54C884BAEBBB0FB80320F15862EE81A67351D734AE45CBD5

Function 00467660 Relevance: 9.0, APIs: 2, Strings: 3, Instructions: 276COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00467796
___std_exception_copy.LIBVCRUNTIME ref: 00467931

Strings

out_of_range, xrefs: 00467827
@nF, xrefs: 00467778, 00467913
type_error, xrefs: 0046768A

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$out_of_range$type_error
API String ID: 2659868963-1879671698
Opcode ID: b2f10256b767c38a02ceb83ce414ea9644eab09569d95f14b9feadc99e98a006
Instruction ID: 4fe945529a8efc2fb04f967d837d4e6a87b93e7024a6e4047e72e0f97e07b98b
Opcode Fuzzy Hash: b2f10256b767c38a02ceb83ce414ea9644eab09569d95f14b9feadc99e98a006
Instruction Fuzzy Hash: 97A19DB1D002089FDB18DFA8D885BADBBF1BF49304F14862EE019E7751E778A944CB65

Function 00466E80 Relevance: 7.3, APIs: 1, Strings: 3, Instructions: 284COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004671A9

Strings

@nF, xrefs: 00467184
parse error, xrefs: 00466F14
parse_error, xrefs: 00466EC7

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$parse error$parse_error
API String ID: 2659868963-3223604060
Opcode ID: 357ba9c27c605872098eaab78fc3261cbff2fdd51396d6d118eb46ff7c3e4f81
Instruction ID: 60abd793aa98d02ac640e143fbb577c90f9dd408d7f729379ea53fe3f64a153e
Opcode Fuzzy Hash: 357ba9c27c605872098eaab78fc3261cbff2fdd51396d6d118eb46ff7c3e4f81
Instruction Fuzzy Hash: D4B1A170D002098FDB08CF68DD95BADFBF1BF49304F14825AE019AB792E7749A80CB65

Function 00467220 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 195COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 0046743E
___std_exception_destroy.LIBVCRUNTIME ref: 0046744D

Strings

at line , xrefs: 00467267
, column , xrefs: 004672C4

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 774eec79154162989b73fe2c0a317585b000a1d585bce003fb1a98724dc8c3c9
Instruction ID: 35be139df3a1e7dd6063b746dc8e0e1a7e31e28afb65b5e8c7ffc8b79b5b5210
Opcode Fuzzy Hash: 774eec79154162989b73fe2c0a317585b000a1d585bce003fb1a98724dc8c3c9
Instruction Fuzzy Hash: E66192B0E042059FC718DF68D885BADFBF1BF49314F14826EE419A7782D7789980CB55

Function 00463CC0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00463E2F

Strings

ios_base::badbit set, xrefs: 00463DC7
ios_base::failbit set, xrefs: 00463CE2
ios_base::eofbit set, xrefs: 00463DF1, 00463E13

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: b36a3dca853737a33933b6aa4071c4aaab78f8aeb2f71137555970123648af1c
Instruction ID: c4b5763e82ea3b811324ea45073a81c893712f7038fe522839801c2c7566cd6b
Opcode Fuzzy Hash: b36a3dca853737a33933b6aa4071c4aaab78f8aeb2f71137555970123648af1c
Instruction Fuzzy Hash: EB41AFB6A00244AFCB04DF58C845BEABBF8FF49710F14852BE91997741E775AA00CBA5

Function 004674A0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 146COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004675F8

Strings

AqL, xrefs: 0046763D
@nF, xrefs: 004675DA
invalid_iterator, xrefs: 004674EB

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$AqL$invalid_iterator
API String ID: 2659868963-798898470
Opcode ID: 3dac7f184fd91c8cc3c8d73f220fe682646c9f044f69d39a5e56f91abf668ff7
Instruction ID: e6149a1994fca2805a944e458db97dee6a85e28c4271d239daba2f92c8577f3a
Opcode Fuzzy Hash: 3dac7f184fd91c8cc3c8d73f220fe682646c9f044f69d39a5e56f91abf668ff7
Instruction Fuzzy Hash: 8A51AFB1D002089FCB18CF68D8847AEFBF5FB48314F14866EE01AA7791E774A944CB95

Function 00463D90 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00463E2F

Strings

ios_base::badbit set, xrefs: 00463DC7
ios_base::failbit set, xrefs: 00463CE2, 00463DCE
ios_base::eofbit set, xrefs: 00463DD8, 00463DF1, 00463E13

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 0de74049617cb03e1e63ed52f899b2d3b691347ec35ecedd7897c75204426b25
Instruction ID: 596ecd052d6e5dda8c7e8071fdb02a16a92644559a18164d06442d259a2d628c
Opcode Fuzzy Hash: 0de74049617cb03e1e63ed52f899b2d3b691347ec35ecedd7897c75204426b25
Instruction Fuzzy Hash: 7C2105B2A00704ABC704DF58D801B96BBECBF04311F18842BF91887341F775EA04CBA6

Function 0053CF39 Relevance: 6.0, APIs: 4, Instructions: 44COMMONLIBRARYCODE

Download Yara Rule

APIs

__EH_prolog3.LIBCMT ref: 0053CF40
std::_Lockit::_Lockit.LIBCPMT ref: 0053CF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0053CFB9

Part of subcall function 0053D09C: std::locale::_Locimp::_Locimp.LIBCPMT ref: 0053D0B4

std::locale::_Setgloballocale.LIBCPMT ref: 0053CF66

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Lockitstd::_std::locale::_$H_prolog3LocimpLocimp::_Lockit::_Lockit::~_Setgloballocale
String ID:
API String ID: 677527491-0
Opcode ID: 8c655635316c435088a6f99dfbe3dd507961bae738bbc066a34ce5d4ab5fc950
Instruction ID: 633e03158c5dd330446f826f46bd86d46fbccd1216fffa8f33b5d140193348fb
Opcode Fuzzy Hash: 8c655635316c435088a6f99dfbe3dd507961bae738bbc066a34ce5d4ab5fc950
Instruction Fuzzy Hash: B801DF76A006229BCB0AEB20E84A57D7FB1FFD4740F19040AE80167391DF746E46DBDA

Function 004D6060 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 275COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004D61A6
Concurrency::cancel_current_task.LIBCPMT ref: 004D6341

Strings

Py"v, xrefs: 004D6112

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: Py"v
API String ID: 118556049-2948403528
Opcode ID: 10903d2f9587ed01dd017d2e519334c363aaf9660c6c83ace470442a108501ff
Instruction ID: 8fac0d4fc47538f9e39cf39b289036a5c9f4fe46134165d41ab9c7c7acf38d38
Opcode Fuzzy Hash: 10903d2f9587ed01dd017d2e519334c363aaf9660c6c83ace470442a108501ff
Instruction Fuzzy Hash: 8A81F472A00101AFCB08DF6CDDA596EB7A5EB95300B15836FE80987391E734EE55C794

Function 00466C10 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 209COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00466E51
___std_exception_destroy.LIBVCRUNTIME ref: 00466E60

Strings

[json.exception., xrefs: 00466C68

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 13c51f5e1bfe26069c918e20c7e740efdca381c990602d1ed3c9f108a5ef58b1
Instruction ID: 5bbb1b041e1f438a112a4c5c5aa07e8b7ecb8daa908aa12fa66a10ffc0d60de0
Opcode Fuzzy Hash: 13c51f5e1bfe26069c918e20c7e740efdca381c990602d1ed3c9f108a5ef58b1
Instruction Fuzzy Hash: 4D71A3B0A002059FD718DF68D985B9EFBF5FF49310F10821EE4199B781E774A980CB95

Function 004679A0 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 207COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00467AE3

Strings

other_error, xrefs: 004679CA
@nF, xrefs: 00467AC1

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF$other_error
API String ID: 2659868963-48232177
Opcode ID: 2939056cb060dce6d33b3d327a20b260fbfae03af7381f8cd1e396e98783f291
Instruction ID: 3f2957aba7209f2456b19490f5bdb2141e71df54d06368c692e8d2af4c27694d
Opcode Fuzzy Hash: 2939056cb060dce6d33b3d327a20b260fbfae03af7381f8cd1e396e98783f291
Instruction Fuzzy Hash: B671C271E002049FDB14CFA8DC85B9EBBF1FF88314F14826AE419AB791E774A940CB95

Function 004DD630 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 163COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 004DD6B0

Strings

type must be string, but is , xrefs: 004DD718
type must be boolean, but is , xrefs: 004DD7A2

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: a07e3f60a01bef22eec29ac7f8e453f4537be376eac639655353863e89515409
Instruction ID: d68400627ca2492bc2e45ca604f19d7b5d554e75e6371cb1c00653d9315bb220
Opcode Fuzzy Hash: a07e3f60a01bef22eec29ac7f8e453f4537be376eac639655353863e89515409
Instruction Fuzzy Hash: 154135B2E00648AFC700EFA8D801B9EBBE8EB04314F14457BE419D7741EB78A910CBD6

Function 004CD030 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004CD04F
___std_exception_copy.LIBVCRUNTIME ref: 004CD076

Strings

@nF, xrefs: 004CD054

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF
API String ID: 2659868963-3944412766
Opcode ID: d67d042dee8c344cb3842a30f7837767eaba347b3e91cabeb7d478a2a40bb856
Instruction ID: 464fff5a71d8d2ed677af63581b430ea2977c84de2058947e5c6117d39159c85
Opcode Fuzzy Hash: d67d042dee8c344cb3842a30f7837767eaba347b3e91cabeb7d478a2a40bb856
Instruction Fuzzy Hash: 1001E4BAA00706AF8708CF99E405886FBF8FB48310701C52BE51AC7B00E770E518CFA0

Function 004DA5E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 004DA5FF
___std_exception_copy.LIBVCRUNTIME ref: 004DA626

Strings

@nF, xrefs: 004DA604

Memory Dump Source

Source File: 0000000C.00000002.3375376710.0000000000461000.00000040.00000001.01000000.00000005.sdmp, Offset: 00460000, based on PE: true

Associated: 0000000C.00000002.3375348356.0000000000460000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375376710.000000000058E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375571059.0000000000593000.00000008.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.0000000000597000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.000000000071E000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007AE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007B1000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007DE000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007ED000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3375602728.00000000007FB000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376116862.00000000007FC000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376304167.000000000095C000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 0000000C.00000002.3376338358.000000000095D000.00000080.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_460000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @nF
API String ID: 2659868963-3944412766
Opcode ID: 35e4f042faf38721b8adadb45d79be86fe77e401e8f0e3c2f5737c13016f900d
Instruction ID: 3af50310659dbe6e466b855d05ee4faae631fade1dbc85187a53ad53ec2ac004
Opcode Fuzzy Hash: 35e4f042faf38721b8adadb45d79be86fe77e401e8f0e3c2f5737c13016f900d
Instruction Fuzzy Hash: D7F0C9B6A04706AF8708DF55E505886BBF8FA58310701896BE51AC7B10E770E514CFA4

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002B_242.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
LisectAVT_2403002B_242.exe

Function 00C83320 Relevance: 6.2, APIs: 4, Instructions: 157
sleepCOMMON

Function 00C3D4A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Function 00D12FA4 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Function 00C29D90 Relevance: 1.7, APIs: 1, Instructions: 218
COMMON

Function 00D13E1D Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Function 00D03512 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Function 00D13493 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 00D0CC2C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Function 00C22D70 Relevance: 1.5, APIs: 1, Instructions: 47
COMMONLIBRARYCODE

Function 00D14D73 Relevance: 1.5, APIs: 1, Instructions: 40
memoryCOMMONLIBRARYCODE

Function 00D157AD Relevance: 1.5, APIs: 1, Instructions: 33
memoryCOMMONLIBRARYCODE