
Windows Analysis Report
LisectAVT_2403002A_376.exe

Overview

General Information

Sample name:LisectAVT_2403002A_376.exe
Analysis ID:1482303
MD5:45d835beaaf607e4ce243297cd053469
SHA1:f96c5d84a6d93983b106cdd5a3daf5900270285d
SHA256:e35b5f6aa2e9ffc815083030e2c09a5e55df2a02528db2fc24d6f480910f0036
Tags:exe

Detection

RisePro Stealer
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found API chain indicative of sandbox detection
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Contains capabilities to detect virtual machines
Contains functionality to detect sandboxes (mouse cursor move detection)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002A_376.exe (PID: 4320 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_376.exe" MD5: 45D835BEAAF607E4CE243297CD053469)
    • schtasks.exe (PID: 6396 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6468 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 3140 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5664 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 6284 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 45D835BEAAF607E4CE243297CD053469)
  • MPGPH131.exe (PID: 4612 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 45D835BEAAF607E4CE243297CD053469)
  • RageMP131.exe (PID: 4676 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 45D835BEAAF607E4CE243297CD053469)
  • RageMP131.exe (PID: 7424 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 45D835BEAAF607E4CE243297CD053469)
No configs have been found
Yara hits in memory dumps (source | rule | description | author):
00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security
(the full report lists 10 entries; five are shown here)

            System Summary

Sigma rule hit: CurrentVersion Autorun Keys Modification
  Authors: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split)
  Source: Registry Key set, EventID: 13, EventType: SetValue
  Image: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe (ProcessId: 4320)
  TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
  Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
No Snort rule has matched

IDS alerts (all TCP; classtype of every alert: A Network Trojan was detected), in chronological order:

Timestamp                        SID      Source port  Destination port
2024-07-25T21:01:48.505627+0200  2049060  49704        58709
2024-07-25T21:01:50.746738+0200  2049060  49706        58709
2024-07-25T21:01:50.747098+0200  2049060  49705        58709
2024-07-25T21:01:51.487117+0200  2046269  49704        58709
2024-07-25T21:01:53.690409+0200  2046269  49705        58709
2024-07-25T21:01:53.721499+0200  2046269  49706        58709
2024-07-25T21:02:05.596394+0200  2046269  49707        58709
2024-07-25T21:02:06.675891+0200  2022930  443          49708
2024-07-25T21:02:13.893192+0200  2046269  49715        58709
2024-07-25T21:02:44.930427+0200  2022930  443          49716

The two SID 2022930 alerts fired on the server-to-client direction (remote port 443 to a local ephemeral port); the other eight fired on the client-to-server side of connections to port 58709. Each of the local ports 49704, 49705 and 49706 triggered both SID 2049060 and, a few seconds later, SID 2046269 on the same connection.

            AV Detection

Source: LisectAVT_2403002A_376.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Avira: detection malicious, Label: TR/AD.Nekark.rxrem
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/AD.Nekark.rxrem
Source: Submitted sample | Integrated Neural Analysis Model: matched, 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_376.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_376.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

            Networking

Source: global traffic | TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9 (the single digits listed as ports do not correspond to any connection recorded in this report; the only destination port recorded for 193.233.132.74 anywhere in the report is 58709, so the "likely port scanning" signature should be weighed against that)
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.233.132.74:58709
Source: Joe Sandbox View | IP Address: 193.233.132.74
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.132.74 (25 occurrences; the C2 address is hard-coded rather than resolved)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Code function: 0_2_0062E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: the same ten memory dumps as the previous entry | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll (three adjacent strings: an ipinfo.io URL, a maxmind.com URL and the Ws2_32.dll module name)
Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319335738.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTWj
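The two network heuristics above (a connection to an IP that no DNS answer ever returned, and repeated connections to one host on a non-standard port) can be reproduced from flow records. The following is an added example, not part of the Joe Sandbox report: the flow records are constructed from the report's values (analysis host 192.168.2.5, remote 193.233.132.74:58709, local ports 49704-49715), while the remote host 203.0.113.7, the DNS name geoip.example.test and the port-scan threshold of five distinct ports are assumptions made for contrast. It also normalises the direction of records logged server-to-client, the way the report's 443 -> 49708 alert was recorded.

```python
"""Flow heuristics: outbound TCP to an IP no DNS answer returned, plus the
per-destination port and connection counts behind the report's "non-standard
port" and "many ports of the same IP" signatures. Added example; all records
below are constructed, not captured traffic."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

SANDBOX_HOST = "192.168.2.5"          # analysis VM address from the report
STANDARD_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}
LOCAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# (timestamp, proto, src, sport, dst, dport) -- constructed from the report's values
FLOWS = [
    ("21:01:48", "TCP", SANDBOX_HOST, 49704, "193.233.132.74", 58709),
    ("21:01:50", "TCP", SANDBOX_HOST, 49705, "193.233.132.74", 58709),
    ("21:01:50", "TCP", SANDBOX_HOST, 49706, "193.233.132.74", 58709),
    ("21:02:05", "TCP", SANDBOX_HOST, 49707, "193.233.132.74", 58709),
    # a packet logged server-to-client, as the report's "443 -> 49708" alert was
    ("21:02:06", "TCP", "203.0.113.7", 443, SANDBOX_HOST, 49708),
    ("21:02:13", "TCP", SANDBOX_HOST, 49715, "193.233.132.74", 58709),
]
# (timestamp, queried name, answer) -- constructed; nothing ever resolves to 193.233.132.74
DNS_ANSWERS = [("21:02:06", "geoip.example.test", "203.0.113.7")]


def is_local(ip):
    return any(ip_address(ip) in net for net in LOCAL_NETS)


def canonical(flow):
    """Return the flow with the sandbox host as the client. A record whose
    destination is the sandbox's ephemeral port and whose source is a remote
    well-known port is a reply packet and gets swapped."""
    ts, proto, src, sport, dst, dport = flow
    if dst == SANDBOX_HOST and dport >= 49152 and sport < 49152:
        return (ts, proto, dst, dport, src, sport)
    return flow


def unresolved_destinations(flows, dns_answers):
    """Map remote IP -> list of (ts, proto, sport, dport) for every outbound
    connection to a non-local address that no DNS answer returned."""
    resolved = {answer for _, _, answer in dns_answers}
    hits = defaultdict(list)
    for ts, proto, src, sport, dst, dport in map(canonical, flows):
        if src != SANDBOX_HOST or is_local(dst):
            continue
        if dst not in resolved:
            hits[dst].append((ts, proto, sport, dport))
    return dict(hits)


def summarize(hits, port_scan_threshold=5):
    """Per destination: connection count, distinct ports, and the two flags
    the report raises (non-standard port; many ports of the same IP)."""
    out = {}
    for ip, conns in hits.items():
        ports = sorted({dport for _, _, _, dport in conns})
        out[ip] = {
            "connections": len(conns),
            "ports": ports,
            "non_standard_port": any(p not in STANDARD_PORTS for p in ports),
            "likely_port_scan": len(ports) >= port_scan_threshold,
        }
    return out


if __name__ == "__main__":
    for ip, info in summarize(unresolved_destinations(FLOWS, DNS_ANSWERS)).items():
        print(ip, info)
```

With the constructed records only 193.233.132.74 is reported: five connections, a single port (58709) that is not in the standard set, and no port-scan flag because one port is well under the threshold. That is the distinction the report's own data supports: a non-standard port on a hard-coded address, not a scan.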

            System Summary

Source: LisectAVT_2403002A_376.exe | Static PE information: section names: (name not rendered; see the "section with special chars" signature), .idata, (name not rendered)
Source: RageMP131.exe.0.dr | Static PE information: section names: (name not rendered), .idata, (name not rendered)
Source: MPGPH131.exe.0.dr | Static PE information: section names: (name not rendered), .idata, (name not rendered)
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeProcess Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Code functions (0_2_): 00709824, 006850B0, 00699880, 006191A0, 006873F0, 006F646A, 006F2CE0, 006124F0, 006F84A0, 00618D70, 00696550, 006955B0, 006FBEAF, 0070F771, 00629F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code functions (6_2_ and 7_2_, the same set in both processes): 00569824, 004F9880, 004E50B0, 004791A0, 004E73F0, 0055646A, 00552CE0, 004724F0, 005584A0, 004F6550, 00478D70, 004F55B0, 0055BEAF, 00489F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code functions (8_2_ and 10_2_, the same set in both processes): 00E950B0, 00EA9880, 00F19824, 00E291A0, 00E973F0, 00F42364, 00F42368, 00F42318, 00F02CE0, 00E224F0, 00F424C4, 00F084A0, 00F42498, 00F0646A, 00F42408, 00EA55B0, 00E28D70, 00EA6550, 00F0BEAF, 00F1F771, 00E39F50
The three images carry the same MD5 (45D835BEAAF607E4CE243297CD053469), and the function addresses differ only by load base: the memory dumps start at 0x611000, 0x471000 and 0xE21000, and e.g. 0x00709824, 0x00569824 and 0x00F19824 are all the same offset (0xF9824) from the respective base 0x610000, 0x470000 and 0xE20000.
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 0054FED0 appears 52 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 00EFFED0 appears 52 times
Source: LisectAVT_2403002A_376.exe, 00000000.00000000.2049821270.0000000000748000.00000008.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename: filezilla.exe4 vs LisectAVT_2403002A_376.exe
Source: LisectAVT_2403002A_376.exe | Binary or memory string: OriginalFilename: filezilla.exe4 vs LisectAVT_2403002A_376.exe
Source: LisectAVT_2403002A_376.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_376.exe | Static PE information: Section (name not rendered): ZLIB complexity 0.9931361607142857
Source: LisectAVT_2403002A_376.exe | Static PE information: Section sryzlqip: ZLIB complexity 0.9946141311689481
Source: RageMP131.exe.0.dr | Static PE information: Section (name not rendered): ZLIB complexity 0.9931361607142857
Source: RageMP131.exe.0.dr | Static PE information: Section sryzlqip: ZLIB complexity 0.9946141311689481
Source: MPGPH131.exe.0.dr | Static PE information: Section (name not rendered): ZLIB complexity 0.9931361607142857
Source: MPGPH131.exe.0.dr | Static PE information: Section sryzlqip: ZLIB complexity 0.9946141311689481
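The static indicators collected above (section names that do not render, a section called sryzlqip with ZLIB complexity above 0.99, an entry point outside the standard sections, an invalid checksum) can all be checked from the PE headers without running the file. The following is an added example, not Joe Sandbox code, written against the standard library only. It parses a PE32 section table, computes the image checksum the way the Windows loader does, and uses the ratio of zlib-compressed to raw section size as a stand-in for what the report calls ZLIB complexity (an assumption about how that figure is derived). The binary it inspects is built inline as a stand-in with the same kind of section layout; it is not the analysed sample.

```python
"""Static PE triage for the report's indicators: non-printable section names,
incompressible sections, an entry point outside the usual code section, and a
stored checksum that does not match the image. Added example; the PE32 it
inspects is constructed below and is NOT the analysed sample."""
import hashlib
import struct
import zlib

PRINTABLE = set(range(0x21, 0x7F))
CODE_SECTION_NAMES = {".text", "CODE"}


def pe_checksum(data, checksum_field_offset):
    """Image checksum as the loader computes it: 32-bit words summed with carry
    folding, the CheckSum field itself skipped, file length added at the end."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for i in range(0, len(padded), 4):
        if i == checksum_field_offset:
            continue
        total += struct.unpack_from("<I", padded, i)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def triage_pe(data):
    """Parse the PE32 headers and section table and return the findings."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsec = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    stored_checksum = struct.unpack_from("<I", data, opt + 64)[0]

    sections = []
    for i in range(nsec):
        raw_name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0")
        raw = data[rptr:rptr + rsize]
        sections.append({
            "name": name.decode("latin-1"),
            "printable": all(b in PRINTABLE for b in name),
            "va": va, "vsize": vsize,
            # compressed/raw size ratio: close to 1.0 means already compressed or encrypted
            "zlib_complexity": len(zlib.compress(raw, 9)) / len(raw) if raw else 0.0,
        })

    entry_section = next((s for s in sections if s["va"] <= entry_rva < s["va"] + s["vsize"]), None)
    computed = pe_checksum(data, opt + 64)
    findings = []
    for s in sections:
        if not s["printable"]:
            findings.append(f"section name contains non-printable characters: {s['name']!r}")
        if s["zlib_complexity"] > 0.95:
            findings.append(f"section {s['name']!r} is incompressible (complexity {s['zlib_complexity']:.3f})")
    if entry_section is None or entry_section["name"] not in CODE_SECTION_NAMES:
        findings.append(f"entry point 0x{entry_rva:X} lies outside standard code sections")
    if stored_checksum != computed:
        findings.append(f"invalid checksum: stored 0x{stored_checksum:08X}, computed 0x{computed:08X}")
    return {"sections": sections, "entry_section": entry_section,
            "checksum_valid": stored_checksum == computed, "findings": findings}


def with_valid_checksum(data):
    """Copy of the image with the CheckSum field rewritten so it verifies."""
    opt = struct.unpack_from("<I", data, 0x3C)[0] + 24
    fixed = bytearray(data)
    struct.pack_into("<I", fixed, opt + 64, pe_checksum(data, opt + 64))
    return bytes(fixed)


def _incompressible(n, seed):
    """Deterministic pseudo-random bytes (SHA-256 chain) standing in for packed code."""
    out, h = bytearray(), seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return bytes(out[:n])


def build_sample_pe():
    """Constructed PE32 with the report's section layout: a section whose name is
    control characters, .idata, and 'sryzlqip'; entry point in the first section;
    CheckSum left at zero. Not the analysed binary."""
    secs = [(b"\x1b\x0c\x07\x1e\x03", 0x1000, _incompressible(1024, b"a")),
            (b".idata", 0x2000, b"\0" * 512),
            (b"sryzlqip", 0x3000, _incompressible(1024, b"b"))]
    opt = bytearray(224)                          # PE32 optional header
    struct.pack_into("<H", opt, 0, 0x10B)         # magic
    struct.pack_into("<I", opt, 16, 0x1010)       # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)     # ImageBase; CheckSum at +64 stays 0
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, len(opt), 0x102)
    table, body, rptr = b"", b"", 512
    for name, va, raw in secs:
        table += struct.pack("<8sIIII", name, 0x1000, va, len(raw), rptr) + b"\0" * 16
        body += raw
        rptr += len(raw)
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + coff + bytes(opt) + table
    return headers.ljust(512, b"\0") + body


if __name__ == "__main__":
    for finding in triage_pe(build_sample_pe())["findings"]:
        print(finding)
```

On the constructed image the checker reports exactly the report's four indicators: the unnamed first section, the two incompressible sections, the entry point inside the unnamed section, and the checksum mismatch. A checksum of zero is common in unsigned builds and is weak on its own; it is the combination with unreadable section names and near-1.0 complexity that marks a packed dropper.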
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5664:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6468:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Command line argument: nIq (0_2_007148C0)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nIW (6_2_005748C0)
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Command line argument: nIW (7_2_005748C0)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: the same ten memory dumps as the previous entry | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
(Both strings are SQLite's own internal schema statements, i.e. the binary embeds the SQLite library.)
Source: LisectAVT_2403002A_376.exe, MPGPH131.exe (both processes), RageMP131.exe (both processes) | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe "C:\Users\user\Desktop\LisectAVT_2403002A_376.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe (two instances, PIDs 6284 and 4612)
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" (two instances, PIDs 4676 and 7424)
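The persistence recorded above is two scheduled tasks (hourly and at logon, both /rl HIGHEST, both running a copy in C:\ProgramData) plus the Run value pointing at the AppData\Local copy that the Sigma rule flagged. Note that /RU "user" with /RL HIGHEST gives the task the highest privilege level that account holds, so it is elevated only if "user" is a local administrator. The following is an added example of detection logic for exactly these events; it is not part of the Joe Sandbox report and not the Sigma rule itself. The events are constructed in Sysmon field names (EventID 1 process creation, EventID 13 registry SetValue) from the report's command lines and registry value; the vendor updater task and the VendorTray Run value are made-up benign contrast events, and the list of user-writable path markers is an assumption to be tuned per environment.

```python
r"""Persistence detection over constructed Sysmon-style events: schtasks /create
with a task action in a user-writable directory, /rl HIGHEST or a logon/boot
trigger, and CurrentVersion\Run values that point into user-writable paths.
Added example, not part of the sandbox report; events are constructed."""
import re

RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\", "\\users\\public\\", "\\downloads\\")
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART"}

EVENTS = [  # constructed from the report's process tree and Sigma hit
    {"EventID": 1, "ParentImage": r"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"EventID": 1, "ParentImage": r"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe",
     "CommandLine": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131",
     "Details": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},
    # made-up benign contrast events: a vendor updater task and a Run value in Program Files
    {"EventID": 1, "ParentImage": r"C:\Program Files\Vendor\setup.exe",
     "CommandLine": r'schtasks /create /tn "Vendor Update" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY /rl LIMITED'},
    {"EventID": 13, "EventType": "SetValue", "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
]


def schtasks_arg(cmdline, switch):
    """Value of a schtasks switch (quoted or bare, case-insensitive); None if absent."""
    m = re.search(r"(?i)(?:^|\s)" + re.escape(switch) + r'\s+(?:"([^"]*)"|(\S+))', cmdline)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def detect_persistence(events):
    """One finding per task creation or Run-key write; 'high' when any reason applies."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if ev.get("EventID") == 1 and re.search(r"(?i)\bschtasks(?:\.exe)?\b.*\s/create\b", cmd):
            tr, rl, sc, tn = (schtasks_arg(cmd, s) for s in ("/tr", "/rl", "/sc", "/tn"))
            reasons = []
            if tr and user_writable(tr):
                reasons.append(f"task runs a binary from a user-writable path: {tr}")
            if (rl or "").upper() == "HIGHEST":
                reasons.append("task requests the highest run level (/rl HIGHEST)")
            if (sc or "").upper() in PERSISTENT_TRIGGERS:
                reasons.append(f"trigger {sc.upper()} re-launches the binary at every logon/boot")
            findings.append({"kind": "scheduled_task", "name": tn, "parent": ev.get("ParentImage"),
                             "severity": "high" if reasons else "low", "reasons": reasons})
        elif ev.get("EventID") == 13 and any(k in ev.get("TargetObject", "").lower() for k in RUN_KEYS):
            details = ev.get("Details", "")
            reasons = [f"autorun value points into a user-writable path: {details}"] if user_writable(details) else []
            findings.append({"kind": "run_key", "name": ev["TargetObject"].rsplit("\\", 1)[-1],
                             "parent": ev.get("Image"), "severity": "high" if reasons else "low", "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in detect_persistence(EVENTS):
        print(f["severity"].upper(), f["kind"], f["name"], "; ".join(f["reasons"]))
```

On the constructed events the three entries taken from the report come out "high" (the HR task for the ProgramData path and /rl HIGHEST, the LG task additionally for its ONLOGON trigger, and RageMP131 for the AppData\Local path), while the two vendor events are recorded at "low" so that every autorun change is still logged. Every Run-key write and every schtasks /create is kept as a finding because the path and run-level checks are what separate this sample from legitimate installers, not the mechanism itself.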
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winmm.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: wininet.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Section loaded: devobj.dll
Source: LisectAVT_2403002A_376.exe | Static file information: File size 2038792 > 1048576
Source: LisectAVT_2403002A_376.exe | Static PE information: Raw size of sryzlqip is bigger than: 0x100000 < 0x15b000

            Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_376.exe.610000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 6.2.MPGPH131.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 7.2.MPGPH131.exe.470000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 8.2.RageMP131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 10.2.RageMP131.exe.e20000.0.unpack :EW;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW; vs :ER;.rsrc:W;.idata :W; :EW;sryzlqip:EW;dhhlsvvc:EW;.taggant:EW;
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Code function: 0_2_00629F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,0_2_00629F50
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: LisectAVT_2403002A_376.exe | Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: RageMP131.exe.0.dr | Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: MPGPH131.exe.0.dr | Static PE information: real checksum: 0x1f712c should be: 0x1ff09e
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: (blank or non-printable name)
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: .idata
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: (blank or non-printable name)
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: sryzlqip
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: dhhlsvvc
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: .taggant
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank or non-printable name)
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank or non-printable name)
Source: RageMP131.exe.0.dr | Static PE information: section name: sryzlqip
Source: RageMP131.exe.0.dr | Static PE information: section name: dhhlsvvc
Source: RageMP131.exe.0.dr | Static PE information: section name: .taggant
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank or non-printable name)
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank or non-printable name)
Source: MPGPH131.exe.0.dr | Static PE information: section name: sryzlqip
Source: MPGPH131.exe.0.dr | Static PE information: section name: dhhlsvvc
Source: MPGPH131.exe.0.dr | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Code function: 0_2_006EFA97 push ecx; ret 0_2_006EFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0054FA97 push ecx; ret 6_2_0054FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_0054FA97 push ecx; ret 7_2_0054FAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00EFFA97 push ecx; ret 8_2_00EFFAAA
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00EFFA97 push ecx; ret 10_2_00EFFAAA
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: (blank or non-printable name) entropy: 7.9345365893427315
Source: LisectAVT_2403002A_376.exe | Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: RageMP131.exe.0.dr | Static PE information: section name: (blank or non-printable name) entropy: 7.9345365893427315
Source: RageMP131.exe.0.dr | Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: MPGPH131.exe.0.dr | Static PE information: section name: (blank or non-printable name) entropy: 7.9345365893427315
Source: MPGPH131.exe.0.dr | Static PE information: section name: sryzlqip entropy: 7.95317001843216
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
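The static traits listed above (blank and random section names, an entry point in `.taggant` rather than `.text`, sections with entropy close to 8.0, writable and executable sections, and a header checksum that does not match the file) are what a first-pass static triage script checks for. The following is an added example written for this page, not Joe Sandbox code and not derived from the sample: it parses the PE headers with `struct` alone, reimplements the imagehlp checksum, and runs against a small PE32 image it constructs itself (`build_sample_pe`, a hypothetical file with the same traits, not the analysed binary). The 7.0 entropy threshold and the list of "standard" section names are the author's choices.

```python
"""PE section triage (added example, not Joe Sandbox code)."""
import math
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
CODE_SECTIONS = {".text", "CODE"}
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
HIGH_ENTROPY = 7.0  # packed or encrypted data sits above this; the maximum is 8.0


def shannon_entropy(data):
    """Bits of entropy per byte: 8.0 for uniformly distributed bytes, 0.0 for one value."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def pe_checksum(image, checksum_offset):
    """imagehlp CheckSumMappedFile algorithm: one's-complement sum of 32-bit words
    (skipping the CheckSum field itself), folded to 16 bits, plus the file length."""
    data = image + b"\x00" * (-len(image) % 4)
    total = 0
    for off in range(0, len(data), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", data, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return (total + len(image)) & 0xFFFFFFFF


def parse_pe(image):
    """Return (entry_rva, stored_checksum, checksum_offset, sections)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    checksum_off = opt + 64  # same offset in PE32 and PE32+ optional headers
    stored = struct.unpack_from("<I", image, checksum_off)[0]
    sections = []
    for i in range(nsec):
        (name, vsize, va, rawsize, rawptr, _, _, _, _,
         chars) = struct.unpack_from("<8sIIIIIIHHI", image, opt + opt_size + i * 40)
        name = name.rstrip(b"\0").decode("latin-1")
        sections.append({"name": name, "va": va, "vsize": vsize, "rawsize": rawsize,
                         "chars": chars,
                         "entropy": shannon_entropy(image[rawptr:rawptr + rawsize])})
    return entry_rva, stored, checksum_off, sections


def triage(image):
    """List the findings a first static look at the section table would raise."""
    entry_rva, stored, checksum_off, sections = parse_pe(image)
    findings = []
    for s in sections:
        label = s["name"] or "(blank)"
        if not s["name"].strip() or not s["name"].isprintable():
            findings.append("blank or non-printable section name")
        elif s["name"] not in STANDARD_SECTIONS:
            findings.append("non-standard section name: %s" % label)
        if s["entropy"] > HIGH_ENTROPY:
            findings.append("high-entropy section %s: %.2f" % (label, s["entropy"]))
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            findings.append("writable and executable section: %s" % label)
    ep = next((s for s in sections
               if s["va"] <= entry_rva < s["va"] + max(s["vsize"], s["rawsize"])), None)
    if ep is None or ep["name"] not in CODE_SECTIONS:
        findings.append("entry point 0x%x lies in %s" % (entry_rva, ep["name"] if ep else "no section"))
    computed = pe_checksum(image, checksum_off)
    if stored and stored != computed:
        findings.append("checksum mismatch: header 0x%x, computed 0x%x" % (stored, computed))
    return findings


def fix_checksum(image):
    """Write the computed CheckSum back, as a linker or editbin /RELEASE would."""
    _, _, checksum_off, _ = parse_pe(image)
    buf = bytearray(image)
    struct.pack_into("<I", buf, checksum_off, pe_checksum(image, checksum_off))
    return bytes(buf)


def build_sample_pe():
    """Constructed PE32 (hypothetical, not the analysed file): a blank-named W+X
    section of maximal entropy, a '.taggant' section holding the entry point, and
    a deliberately wrong CheckSum field (0xDEADBEEF)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 3, 0, 0, 0, 224, 0x102)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0x200, 0x400, 0, 0x3010, 0x1000, 0x2000, 0x400000,
                      0x1000, 0x200, 6, 0, 0, 0, 6, 0, 0, 0x4000, 0x200, 0xDEADBEEF,
                      2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128
    secs = [(b".text", 0x1000, 0x200, 0x60000020, b"\x90" * 0x1F0 + b"\xC3" * 0x10),
            (b"", 0x2000, 0x400, 0xE0000040, bytes(range(256)) * 2),  # each byte value twice: entropy 8.0
            (b".taggant", 0x3000, 0x600, 0xE0000040, b"\xCC" * 0x200)]
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0x200, va, 0x200, ptr, 0, 0, 0, 0, ch)
                     for n, va, ptr, ch, _ in secs)
    return (dos + coff + opt + table).ljust(0x200, b"\0") + b"".join(d for *_, d in secs)


if __name__ == "__main__":
    import sys
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    for line in triage(image):
        print(line)
```

Run it with a file path to triage a real binary, or with no arguments to see the constructed sample flagged on every point above. The checksum rule is kept deliberately weak (a stored value of zero is ignored) because many legitimate, non-Microsoft binaries ship without one; it is the combination of findings, not any single row, that matches the profile in the report.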

            Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Code function: 0_2_006955B0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_006955B0
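The persistence pattern in the rows above and in the process-creation rows earlier on the page is two scheduled tasks (hourly and at logon, run level HIGHEST) pointing at a dropped binary under C:\ProgramData, plus an HKCU Run value named RageMP131. The following detection logic is an added example for this page, not Joe Sandbox code: it parses schtasks command lines and Run-key writes from Sysmon-style events and flags persistence whose target sits in a user-writable directory. The events are constructed to mirror the report's rows; the data of the RageMP131 Run value is assumed to be the dropped RageMP131.exe path (the report shows the value name, not its data), and the two benign look-alike events are made up for contrast.

```python
"""Persistence detection over constructed Sysmon-style events (added example)."""
import re

# Directories a standard user can write to; persistence aimed here is suspect.
USER_WRITABLE = re.compile(
    r"^(?:[A-Z]:\\(?:ProgramData|Users\\[^\\]+\\AppData|Windows\\Temp)\\"
    r"|%(?:APPDATA|LOCALAPPDATA|TEMP|TMP|PROGRAMDATA)%)", re.I)
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "MINUTE", "HOURLY"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\([^\\]+)$", re.I)


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [a or b for a, b in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def parse_schtasks(cmdline):
    """Map /OPTION -> value; bare switches such as /create and /f map to True."""
    toks = tokenize(cmdline)
    opts, i = {}, 1
    while i < len(toks):
        if toks[i].startswith("/"):
            key = toks[i][1:].upper()
            if i + 1 < len(toks) and not toks[i + 1].startswith("/"):
                opts[key] = toks[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def check_schtasks(ev):
    """Flag 'schtasks /create' whose /tr binary lives in a user-writable path."""
    if not ev["image"].lower().endswith("\\schtasks.exe"):
        return None
    o = parse_schtasks(ev["cmdline"])
    target = o.get("TR")
    if "CREATE" not in o or not isinstance(target, str) or not USER_WRITABLE.match(target):
        return None
    reasons = ["task binary in user-writable path"]
    if str(o.get("RL", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST")
    if str(o.get("SC", "")).upper() in PERSISTENT_TRIGGERS:
        reasons.append("/sc %s" % o["SC"].upper())
    return {"rule": "schtasks_userwritable_target", "name": o.get("TN"),
            "path": target, "reasons": reasons, "evidence": ev["cmdline"]}


def check_run_key(ev):
    """Flag a Run/RunOnce value whose first token is a user-writable path."""
    m = RUN_KEY.search(ev["target"])
    if not m:
        return None
    toks = tokenize(ev["details"])
    exe = toks[0] if toks else ""
    if not USER_WRITABLE.match(exe):
        return None
    return {"rule": "run_key_userwritable_target", "name": m.group(1), "path": exe,
            "reasons": ["Run value points to user-writable path"], "evidence": ev["target"]}


def run_rules(events):
    findings = []
    for ev in events:
        f = None
        if ev["event"] == "ProcessCreate":
            f = check_schtasks(ev)
        elif ev["event"] == "RegistryValueSet":
            f = check_run_key(ev)
        if f:
            findings.append(f)
    return findings


# Constructed events in Sysmon EID 1 / EID 13 shape; not real telemetry.
SAMPLE_EVENTS = [
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"event": "ProcessCreate", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"event": "RegistryValueSet",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131",
     "details": r"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"},  # value data assumed
    # Benign look-alikes (made up): vendor binaries under Program Files are not flagged.
    {"event": "ProcessCreate", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks /create /tn "Adobe Acrobat Update Task" /tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc DAILY'},
    {"event": "RegistryValueSet",
     "target": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
]

if __name__ == "__main__":
    for f in run_rules(SAMPLE_EVENTS):
        print(f["rule"], f["name"], f["path"], "; ".join(f["reasons"]))
```

Feed it real Sysmon events by mapping `Image`/`CommandLine` (EID 1) and `TargetObject`/`Details` (EID 13) onto the same keys. Note that `/rl HIGHEST` only yields an elevated token if the creating user is an administrator; in the report the task is registered for "user", so the run level is a request, not proof of privilege, which is why it is recorded as a reason rather than a separate rule.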

            Malware Analysis System Evasion

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep | graph_8-18170
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep | graph_6-16597
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Sandbox detection routine: GetCursorPos, DecisionNode, Sleep | graph_0-17152
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_6-16598
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_8-18171
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep | graph_0-17153
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C9887 second address: 8C989B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C989B second address: 8C98E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB75C865F96h 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d js 00007FB75C865FB0h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FB75C865FA8h 0x0000001a push eax 0x0000001b pushad 0x0000001c popad 0x0000001d jnl 00007FB75C865F96h 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB75C865F9Fh 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C98E3 second address: 8C98E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8B94A4 second address: 8B94F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 jmp 00007FB75C865FA9h 0x0000000c jmp 00007FB75C865FA8h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB75C865FA2h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8B94F3 second address: 8B9510 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB75D0E6D86h 0x00000008 jmp 00007FB75D0E6D93h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C88AF second address: 8C88B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C88B3 second address: 8C88D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB75D0E6D97h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C88D3 second address: 8C88D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C88D9 second address: 8C8900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB75D0E6D96h 0x0000000c jmp 00007FB75D0E6D8Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C8D62 second address: 8C8D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C9025 second address: 8C9031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB75D0E6D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8C9031 second address: 8C903A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBC45 second address: 8EBC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBC4A second address: 8EBC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BCD second address: 8E9BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BD1 second address: 8E9BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BD5 second address: 8E9BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BDF second address: 8E9BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BE5 second address: 8E9BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8E9BE9 second address: 8E9BF3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB75C865F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EA5A3 second address: 8EA5B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007FB75D0E6D86h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FB75D0E6D86h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EAC46 second address: 8EAC50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EAC50 second address: 8EAC68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB370 second address: 8EB376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB376 second address: 8EB38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB513 second address: 8EB517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB517 second address: 8EB51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB51D second address: 8EB54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75C865FA9h 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75C865F9Bh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB68E second address: 8EB694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB694 second address: 8EB6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Dh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB6A6 second address: 8EB6B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EB6B2 second address: 8EB6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBAA8 second address: 8EBAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Fh 0x00000009 jnl 00007FB75D0E6D86h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBAC2 second address: 8EBACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBACA second address: 8EBB03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FB75D0E6D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D90h 0x00000015 jmp 00007FB75D0E6D99h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EBB03 second address: 8EBB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB75C865F96h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EEC36 second address: 8EEC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EEC3C second address: 8EEC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EEC41 second address: 8EEC57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D91h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EEC57 second address: 8EEC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865FA2h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FB75C865FA3h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8EEC8C second address: 8EEC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F02C7 second address: 8F02E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75C865F9Eh 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F246F second address: 8F2474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F36F9 second address: 8F3712 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jbe 00007FB75C865F98h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 ja 00007FB75C865F96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F715F second address: 8F7164 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F7164 second address: 8F7189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FB75C865F9Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jno 00007FB75C865F96h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F7189 second address: 8F71CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FB75D0E6D8Dh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007FB75D0E6D8Eh 0x00000019 pop eax 0x0000001a mov di, cx 0x0000001d push FE6F782Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007FB75D0E6D86h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F71CE second address: 8F71D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F71D2 second address: 8F71D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F75B2 second address: 8F75BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB75C865F96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F75BC second address: 8F75CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F79C9 second address: 8F79D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F79D8 second address: 8F79E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F8012 second address: 8F8016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F82AC second address: 8F82CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D94h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F8512 second address: 8F8518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F8518 second address: 8F851C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F8A23 second address: 8F8A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75C865FA0h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F9235 second address: 8F9239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F9239 second address: 8F9247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe | RDTSC instruction interceptor: First address: 8F9247 second address: 8F924D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FA757 second address: 8FA75D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB128 second address: 8FB137 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB137 second address: 8FB13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB13B second address: 8FB141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB141 second address: 8FB147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB147 second address: 8FB1A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FB75D0E6D88h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov di, C544h 0x00000027 push 00000000h 0x00000029 call 00007FB75D0E6D8Ch 0x0000002e mov edi, dword ptr [ebp+122D37AEh] 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 jne 00007FB75D0E6D8Bh 0x0000003e add edx, dword ptr [ebp+12474F4Ah] 0x00000044 popad 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FB1A6 second address: 8FB1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FC76E second address: 8FC7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e jp 00007FB75D0E6D8Ch 0x00000014 jne 00007FB75D0E6D86h 0x0000001a popad 0x0000001b nop 0x0000001c mov si, 893Fh 0x00000020 push 00000000h 0x00000022 movsx edi, cx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007FB75D0E6D88h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov di, 8A13h 0x00000045 xchg eax, ebx 0x00000046 je 00007FB75D0E6D92h 0x0000004c jp 00007FB75D0E6D8Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FC7CD second address: 8FC7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FC7D8 second address: 8FC7DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FE98B second address: 8FE98F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FD084 second address: 8FD090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FE98F second address: 8FE995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8FD090 second address: 8FD094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90034A second address: 9003AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FB75C865F98h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+122D3101h] 0x0000002a push 00000000h 0x0000002c jmp 00007FB75C865FA3h 0x00000031 push 00000000h 0x00000033 sub ebx, dword ptr [ebp+122D29AAh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB75C865FA2h 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 901362 second address: 901367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9004C1 second address: 9004CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB75C865F96h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 902195 second address: 902199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90314C second address: 90317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB75C865FA6h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75C865F9Eh 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9042A3 second address: 904314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB75D0E6D88h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or ebx, dword ptr [ebp+122D2BFAh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB75D0E6D88h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007FB75D0E6D91h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9054AC second address: 9054B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90639A second address: 9063A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB75D0E6D86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 907479 second address: 90747F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9082F4 second address: 9082F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9082F8 second address: 908311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB75C865F9Ch 0x0000000f jnc 00007FB75C865F96h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 908311 second address: 908369 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB75D0E6D88h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 pushad 0x00000027 mov dx, bx 0x0000002a cmc 0x0000002b popad 0x0000002c sub dword ptr [ebp+122D2FF1h], eax 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2E0Ah] 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jnl 00007FB75D0E6D91h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 908369 second address: 90837F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90A29C second address: 90A2B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90A2B4 second address: 90A2B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90A530 second address: 90A535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9093E7 second address: 9093F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90B4BB second address: 90B4BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90D40F second address: 90D414 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90B4BF second address: 90B4C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90C59B second address: 90C59F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8F9A91 second address: 8F9A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90C59F second address: 90C5A9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90B5BE second address: 90B5C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90D751 second address: 90D755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90C5A9 second address: 90C5AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90B5C4 second address: 90B5D7 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e pushad 0x0000000f push edx 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90E6E8 second address: 90E6EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90C5AD second address: 90C5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90F631 second address: 90F636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90F636 second address: 90F6ED instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push esi 0x0000000f call 00007FB75C865F98h 0x00000014 pop esi 0x00000015 mov dword ptr [esp+04h], esi 0x00000019 add dword ptr [esp+04h], 0000001Dh 0x00000021 inc esi 0x00000022 push esi 0x00000023 ret 0x00000024 pop esi 0x00000025 ret 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push esi 0x0000002b call 00007FB75C865F98h 0x00000030 pop esi 0x00000031 mov dword ptr [esp+04h], esi 0x00000035 add dword ptr [esp+04h], 00000017h 0x0000003d inc esi 0x0000003e push esi 0x0000003f ret 0x00000040 pop esi 0x00000041 ret 0x00000042 js 00007FB75C865F9Ch 0x00000048 mov ebx, dword ptr [ebp+122D3791h] 0x0000004e push 00000000h 0x00000050 pushad 0x00000051 mov bl, ah 0x00000053 pushad 0x00000054 jns 00007FB75C865F96h 0x0000005a popad 0x0000005b popad 0x0000005c xchg eax, esi 0x0000005d jne 00007FB75C865FADh 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 jmp 00007FB75C865FA8h 0x0000006c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90E7B2 second address: 90E7B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90F6ED second address: 90F6F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 90F8D5 second address: 90F8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 912829 second address: 91282F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91282F second address: 912842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 912842 second address: 91284B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ecx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F116 second address: 91F11A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F11A second address: 91F157 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB75C865FA9h 0x00000008 jmp 00007FB75C865FA2h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75C865F9Ah 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F157 second address: 91F194 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75D0E6DA0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D99h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F194 second address: 91F198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F890 second address: 91F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F8A0 second address: 91F8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB75C865FA0h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91F8BD second address: 91F8E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FB75D0E6D8Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 jng 00007FB75D0E6D86h 0x00000016 pushad 0x00000017 jp 00007FB75D0E6D86h 0x0000001d jp 00007FB75D0E6D86h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91FB84 second address: 91FB8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91FB8C second address: 91FB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB75D0E6D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 91FE1A second address: 91FE32 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jns 00007FB75C865F96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9200F7 second address: 9200FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9200FB second address: 9200FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9200FF second address: 920105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 920105 second address: 92010F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92010F second address: 920113 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 920113 second address: 920119 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 920119 second address: 920123 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92BD5E second address: 92BD6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92BD6C second address: 92BD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D8Bh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92BD83 second address: 92BD87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92BD87 second address: 92BDA0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75D0E6D93h 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8B283D second address: 8B2843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8B2843 second address: 8B2851 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Ah 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 929FA1 second address: 929FA7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 929FA7 second address: 929FAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 929FAD second address: 929FC0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007FB75C865F9Dh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A29A second address: 92A2BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D97h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A44D second address: 92A462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75C865F96h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jp 00007FB75C865F96h 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A462 second address: 92A468 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A786 second address: 92A793 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A8E1 second address: 92A906 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jns 00007FB75D0E6D8Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75D0E6D8Eh 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92A906 second address: 92A90A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92AA60 second address: 92AA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92AA6A second address: 92AA75 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92AA75 second address: 92AA8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pushad 0x00000007 push edx 0x00000008 jmp 00007FB75D0E6D8Ch 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92AA8E second address: 92AA92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92AD9E second address: 92ADA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92B467 second address: 92B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75C865F96h 0x0000000a popad 0x0000000b jmp 00007FB75C865FA3h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92B489 second address: 92B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92B48F second address: 92B493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 92BBC8 second address: 92BC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FB75D0E6D86h 0x00000012 pop ecx 0x00000013 jc 00007FB75D0E6D88h 0x00000019 push eax 0x0000001a pop eax 0x0000001b ja 00007FB75D0E6D8Eh 0x00000021 push eax 0x00000022 pop eax 0x00000023 jl 00007FB75D0E6D86h 0x00000029 popad 0x0000002a pushad 0x0000002b jmp 00007FB75D0E6D8Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 jng 00007FB75D0E6D86h 0x00000038 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9299CC second address: 9299D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 933369 second address: 933396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D94h 0x00000009 pop ebx 0x0000000a jmp 00007FB75D0E6D8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 933396 second address: 93339C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8BC9C5 second address: 8BC9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB75D0E6D97h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 932E9D second address: 932EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB75C865F9Ch 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 932EB2 second address: 932EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FB75D0E6D8Ch 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75D0E6D92h 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 932EDC second address: 932EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 932EE0 second address: 932EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB75D0E6D86h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 933039 second address: 93303D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 93303D second address: 933043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 933043 second address: 93307F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB75C865F9Fh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jns 00007FB75C865F96h 0x0000001f jne 00007FB75C865F96h 0x00000025 pop esi 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 93307F second address: 933092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75D0E6D8Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 933092 second address: 933096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9503C8 second address: 9503CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9558C9 second address: 9558FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB75C865FA2h 0x0000000a pushad 0x0000000b jmp 00007FB75C865FA1h 0x00000010 jc 00007FB75C865F96h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9558FB second address: 955905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 955905 second address: 95590D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9555F1 second address: 9555FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9555FB second address: 955605 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB75C865F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 957AAD second address: 957AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 957AB7 second address: 957ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 963009 second address: 96300E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 96300E second address: 96304E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007FB75C865FA5h 0x00000011 pushad 0x00000012 popad 0x00000013 jo 00007FB75C865F96h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB75C865FA0h 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 96304E second address: 96305E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB75D0E6D86h 0x00000008 js 00007FB75D0E6D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 8B5D77 second address: 8B5DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FB75C865F96h 0x0000000c popad 0x0000000d jmp 00007FB75C865FA0h 0x00000012 pushad 0x00000013 jmp 00007FB75C865FA5h 0x00000018 jng 00007FB75C865F9Ah 0x0000001e push edx 0x0000001f pop edx 0x00000020 pushad 0x00000021 popad 0x00000022 jc 00007FB75C865F9Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 96F878 second address: 96F886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FB75D0E6D8Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 96F886 second address: 96F8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d ja 00007FB75C865F96h 0x00000013 jg 00007FB75C865F96h 0x00000019 pop eax 0x0000001a jl 00007FB75C865F9Eh 0x00000020 jbe 00007FB75C865F96h 0x00000026 push esi 0x00000027 pop esi 0x00000028 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 96F8B4 second address: 96F8CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D92h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 972299 second address: 9722A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB75C865F96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9722A4 second address: 9722E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D97h 0x00000009 ja 00007FB75D0E6D86h 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007FB75D0E6D95h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9956BB second address: 9956C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9949F5 second address: 994A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D96h 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A0F second address: 994A15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A15 second address: 994A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB75D0E6D86h 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A23 second address: 994A2F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A2F second address: 994A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A3F second address: 994A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75C865F96h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994A49 second address: 994A78 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB75D0E6D86h 0x00000008 jmp 00007FB75D0E6D99h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FB75D0E6D86h 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994BA1 second address: 994BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994BAC second address: 994BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 994E42 second address: 994E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007FB75C865F96h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99800F second address: 998013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9985E4 second address: 998626 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sub dx, E1FFh 0x00000011 push dword ptr [ebp+122D3076h] 0x00000017 jg 00007FB75C865FA2h 0x0000001d push EF668F1Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FB75C865F9Eh 0x0000002a push edi 0x0000002b pop edi 0x0000002c popad 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 9997E5 second address: 999803 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB75D0E6D86h 0x00000008 ja 00007FB75D0E6D86h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FB75D0E6D8Eh 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99B4E8 second address: 99B50F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB75C865F96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FB75C865FABh 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99B50F second address: 99B519 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75D0E6D8Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99CEC2 second address: 99CEEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB75C865F9Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007FB75C865FA2h 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99CEEF second address: 99CEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeRDTSC instruction interceptor: First address: 99CEF4 second address: 99CEFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB75C865F96h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 729887 second address: 72989B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D8Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 72989B second address: 7298E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB75C865F96h 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d js 00007FB75C865FB0h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FB75C865FA8h 0x0000001a push eax 0x0000001b pushad 0x0000001c popad 0x0000001d jnl 00007FB75C865F96h 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB75C865F9Fh 0x0000002b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7298E3 second address: 7298E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7194A4 second address: 7194F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 jmp 00007FB75C865FA9h 0x0000000c jmp 00007FB75C865FA8h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB75C865FA2h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7194F3 second address: 719510 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB75D0E6D86h 0x00000008 jmp 00007FB75D0E6D93h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7288AF second address: 7288B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7288B3 second address: 7288D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB75D0E6D97h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7288D3 second address: 7288D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7288D9 second address: 728900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB75D0E6D96h 0x0000000c jmp 00007FB75D0E6D8Ah 0x00000011 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 728D62 second address: 728D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 729025 second address: 729031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB75D0E6D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 729031 second address: 72903A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BC45 second address: 74BC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BC4A second address: 74BC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BCD second address: 749BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BD1 second address: 749BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BD5 second address: 749BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BDF second address: 749BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BE5 second address: 749BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 749BE9 second address: 749BF3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB75C865F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74A5A3 second address: 74A5B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007FB75D0E6D86h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FB75D0E6D86h 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74AC46 second address: 74AC50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74AC50 second address: 74AC68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D94h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B370 second address: 74B376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B376 second address: 74B38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D90h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B513 second address: 74B517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B517 second address: 74B51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B51D second address: 74B54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75C865FA9h 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75C865F9Bh 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B68E second address: 74B694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B694 second address: 74B6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Dh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B6A6 second address: 74B6B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74B6B2 second address: 74B6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BAA8 second address: 74BAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Fh 0x00000009 jnl 00007FB75D0E6D86h 0x0000000f popad 0x00000010 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BAC2 second address: 74BACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BACA second address: 74BB03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FB75D0E6D86h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D90h 0x00000015 jmp 00007FB75D0E6D99h 0x0000001a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74BB03 second address: 74BB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB75C865F96h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74EC36 second address: 74EC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 74EC3C second address: 74EC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 78AD9E second address: 78ADA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 78B467 second address: 78B489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75D0E6D86h 0x0000000a popad 0x0000000b jmp 00007FB75D0E6D93h 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 78B489 second address: 78B48F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 78B48F second address: 78B493 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 759A91 second address: 759A95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 78BBC8 second address: 78BC1C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75D0E6D99h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c je 00007FB75D0E6D86h 0x00000012 pop ecx 0x00000013 jc 00007FB75D0E6D88h 0x00000019 push eax 0x0000001a pop eax 0x0000001b ja 00007FB75D0E6D8Eh 0x00000021 push eax 0x00000022 pop eax 0x00000023 jl 00007FB75D0E6D86h 0x00000029 popad 0x0000002a pushad 0x0000002b jmp 00007FB75D0E6D8Dh 0x00000030 push eax 0x00000031 push edx 0x00000032 jng 00007FB75D0E6D86h 0x00000038 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7899CC second address: 7899D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 793369 second address: 793396 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D94h 0x00000009 pop ebx 0x0000000a jmp 00007FB75D0E6D8Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 793396 second address: 79339C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 71C9C5 second address: 71C9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007FB75D0E6D97h 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 792E9D second address: 792EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FB75C865F9Ch 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 792EB2 second address: 792EDC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnl 00007FB75D0E6D8Ch 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75D0E6D92h 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 792EDC second address: 792EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 792EE0 second address: 792EEE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jc 00007FB75D0E6D86h 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 793039 second address: 79303D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 79303D second address: 793043 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 793043 second address: 79307F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007FB75C865F9Fh 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 push esi 0x00000019 jns 00007FB75C865F96h 0x0000001f jne 00007FB75C865F96h 0x00000025 pop esi 0x00000026 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 79307F second address: 793092 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75D0E6D8Dh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 793092 second address: 793096 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 76314C second address: 76317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB75D0E6D96h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D8Eh 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7642A3 second address: 764314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB75C865F98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or ebx, dword ptr [ebp+122D2BFAh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB75C865F98h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007FB75C865FA1h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B03C8 second address: 7B03CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77282F second address: 772842 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B58C9 second address: 7B58FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FB75C865FA2h 0x0000000a pushad 0x0000000b jmp 00007FB75C865FA1h 0x00000010 jc 00007FB75C865F96h 0x00000016 pushad 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B58FB second address: 7B5905 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B5905 second address: 7B590D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B55F1 second address: 7B55FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B55FB second address: 7B5605 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB75C865F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B7AAD second address: 7B7AB7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7B7AB7 second address: 7B7ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77F11A second address: 77F157 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007FB75C865FA9h 0x00000008 jmp 00007FB75C865FA2h 0x0000000d pop edi 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FB75C865F9Ah 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77F157 second address: 77F194 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75D0E6DA0h 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75D0E6D99h 0x0000000f rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77F890 second address: 77F8A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77F8A0 second address: 77F8BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007FB75C865FA0h 0x0000000a popad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push esi 0x00000011 pop esi 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77F8BD second address: 77F8E2 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jnp 00007FB75D0E6D8Eh 0x0000000e push edi 0x0000000f pop edi 0x00000010 jng 00007FB75D0E6D86h 0x00000016 pushad 0x00000017 jp 00007FB75D0E6D86h 0x0000001d jp 00007FB75D0E6D86h 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 77FB8C second address: 77FB98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FB75D0E6D86h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7C3009 second address: 7C300E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7C300E second address: 7C304E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c jmp 00007FB75D0E6D95h 0x00000011 pushad 0x00000012 popad 0x00000013 jo 00007FB75D0E6D86h 0x00000019 popad 0x0000001a pop edx 0x0000001b pop eax 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007FB75D0E6D90h 0x00000025 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7C304E second address: 7C305E instructions: 0x00000000 rdtsc 0x00000002 jl 00007FB75C865F96h 0x00000008 js 00007FB75C865F96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 715D77 second address: 715DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007FB75D0E6D86h 0x0000000c popad 0x0000000d jmp 00007FB75D0E6D90h 0x00000012 pushad 0x00000013 jmp 00007FB75D0E6D95h 0x00000018 jng 00007FB75D0E6D8Ah 0x0000001e push edx 0x0000001f pop edx 0x00000020 pushad 0x00000021 popad 0x00000022 jc 00007FB75D0E6D8Eh 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7CF878 second address: 7CF886 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FB75C865F9Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7CF886 second address: 7CF8B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d ja 00007FB75D0E6D86h 0x00000013 jg 00007FB75D0E6D86h 0x00000019 pop eax 0x0000001a jl 00007FB75D0E6D8Eh 0x00000020 jbe 00007FB75D0E6D86h 0x00000026 push esi 0x00000027 pop esi 0x00000028 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7CF8B4 second address: 7CF8CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA2h 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7D2299 second address: 7D22A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jnl 00007FB75D0E6D86h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7D22A4 second address: 7D22E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865FA7h 0x00000009 ja 00007FB75C865F96h 0x0000000f popad 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jmp 00007FB75C865FA5h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F56BB second address: 7F56C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F49F5 second address: 7F4A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865FA6h 0x00000009 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A0F second address: 7F4A15 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A15 second address: 7F4A23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnc 00007FB75C865F96h 0x0000000e rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A23 second address: 7F4A2F instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A2F second address: 7F4A3F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pushad 0x0000000a popad 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A3F second address: 7F4A49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4A49 second address: 7F4A78 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA9h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ecx 0x00000010 pushad 0x00000011 popad 0x00000012 pop ecx 0x00000013 push eax 0x00000014 push edx 0x00000015 jnp 00007FB75C865F96h 0x0000001b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4BA1 second address: 7F4BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4BAC second address: 7F4BB0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F4E42 second address: 7F4E52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 js 00007FB75D0E6D86h 0x0000000c popad 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F800F second address: 7F8013 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F85E4 second address: 7F8626 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c sub dx, E1FFh 0x00000011 push dword ptr [ebp+122D3076h] 0x00000017 jg 00007FB75D0E6D92h 0x0000001d push EF668F1Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 jmp 00007FB75D0E6D8Eh 0x0000002a push edi 0x0000002b pop edi 0x0000002c popad 0x0000002d rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7F97E5 second address: 7F9803 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FB75C865F96h 0x00000008 ja 00007FB75C865F96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007FB75C865F9Eh 0x00000015 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7FB4E8 second address: 7FB50F instructions: 0x00000000 rdtsc 0x00000002 jg 00007FB75D0E6D86h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007FB75D0E6D9Bh 0x00000012 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7FB50F second address: 7FB519 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FB75C865F9Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7FCEC2 second address: 7FCEEF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007FB75D0E6D8Eh 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e jmp 00007FB75D0E6D92h 0x00000013 pop eax 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7FCEEF second address: 7FCEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeRDTSC instruction interceptor: First address: 7FCEF4 second address: 7FCEFE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D9887 second address: 10D989B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D989B second address: 10D98E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FB75D0E6D86h 0x0000000a popad 0x0000000b pop esi 0x0000000c pushad 0x0000000d js 00007FB75D0E6DA0h 0x00000013 pushad 0x00000014 popad 0x00000015 jmp 00007FB75D0E6D98h 0x0000001a push eax 0x0000001b pushad 0x0000001c popad 0x0000001d jnl 00007FB75D0E6D86h 0x00000023 pop eax 0x00000024 push eax 0x00000025 push edx 0x00000026 jmp 00007FB75D0E6D8Fh 0x0000002b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D98E3 second address: 10D98E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10C94A4 second address: 10C94F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 jmp 00007FB75D0E6D99h 0x0000000c jmp 00007FB75D0E6D98h 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FB75D0E6D92h 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10C94F3 second address: 10C9510 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FB75C865F96h 0x00000008 jmp 00007FB75C865FA3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D88AF second address: 10D88B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D88B3 second address: 10D88D3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FB75C865FA7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D88D3 second address: 10D88D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D88D9 second address: 10D8900 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FB75C865FA6h 0x0000000c jmp 00007FB75C865F9Ah 0x00000011 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D8D62 second address: 10D8D68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D9025 second address: 10D9031 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007FB75C865F96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10D9031 second address: 10D903A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10FBC45 second address: 10FBC4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10FBC4A second address: 10FBC56 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10F9BCD second address: 10F9BD1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10F9BD1 second address: 10F9BD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeRDTSC instruction interceptor: First address: 10F9BD5 second address: 10F9BDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10F9BDF second address: 10F9BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10F9BE5 second address: 10F9BE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10F9BE9 second address: 10F9BF3 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FB75D0E6D86h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FA5A3 second address: 10FA5B5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jl 00007FB75C865F96h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FB75C865F96h 0x00000012 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FAC46 second address: 10FAC50 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FAC50 second address: 10FAC68 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB370 second address: 10FB376 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB376 second address: 10FB38E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB513 second address: 10FB517 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB517 second address: 10FB51D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB51D second address: 10FB54B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75D0E6D99h 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007FB75D0E6D8Bh 0x00000014 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB68E second address: 10FB694 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB694 second address: 10FB6A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D8Dh 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB6A6 second address: 10FB6B2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FB6B2 second address: 10FB6B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FBAA8 second address: 10FBAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75C865F9Fh 0x00000009 jnl 00007FB75C865F96h 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FBAC2 second address: 10FBACA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FBACA second address: 10FBB03 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 ja 00007FB75C865F96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75C865FA0h 0x00000015 jmp 00007FB75C865FA9h 0x0000001a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FBB03 second address: 10FBB10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FB75D0E6D86h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FEC36 second address: 10FEC3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FEC3C second address: 10FEC41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FEC41 second address: 10FEC57 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA1h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FEC57 second address: 10FEC8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FB75D0E6D92h 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FB75D0E6D93h 0x00000014 push eax 0x00000015 push edx 0x00000016 push edx 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 10FEC8C second address: 10FEC90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11002C7 second address: 11002E0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FB75D0E6D8Eh 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110246F second address: 1102474 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11036F9 second address: 1103712 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jbe 00007FB75D0E6D88h 0x0000000e push edx 0x0000000f pop edx 0x00000010 pushad 0x00000011 ja 00007FB75D0E6D86h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110715F second address: 1107164 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1107164 second address: 1107189 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FB75D0E6D8Dh 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 jno 00007FB75D0E6D86h 0x0000001c popad 0x0000001d rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1107189 second address: 11071CE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865F9Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FB75C865F9Dh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 jmp 00007FB75C865F9Eh 0x00000019 pop eax 0x0000001a mov di, cx 0x0000001d push FE6F782Ch 0x00000022 push eax 0x00000023 push edx 0x00000024 push eax 0x00000025 push edx 0x00000026 je 00007FB75C865F96h 0x0000002c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11071CE second address: 11071D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11071D2 second address: 11071D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11075B2 second address: 11075BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FB75D0E6D86h 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11075BC second address: 11075CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b push edi 0x0000000c pop edi 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11079C9 second address: 11079D8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e pop ecx 0x0000000f rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11079D8 second address: 11079E2 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FB75C865F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1108012 second address: 1108016 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11082AC second address: 11082CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007FB75C865FA4h 0x0000000f rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1108512 second address: 1108518 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1108518 second address: 110851C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1108A23 second address: 1108A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FB75D0E6D90h 0x00000009 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1109235 second address: 1109239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1109239 second address: 1109247 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ecx 0x0000000e rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1109247 second address: 110924D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110A757 second address: 110A75D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B128 second address: 110B137 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B137 second address: 110B13B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B13B second address: 110B141 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B141 second address: 110B147 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B147 second address: 110B1A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007FB75C865F98h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 0000001Ah 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 mov di, C544h 0x00000027 push 00000000h 0x00000029 call 00007FB75C865F9Ch 0x0000002e mov edi, dword ptr [ebp+122D37AEh] 0x00000034 pop edi 0x00000035 push 00000000h 0x00000037 pushad 0x00000038 jne 00007FB75C865F9Bh 0x0000003e add edx, dword ptr [ebp+12474F4Ah] 0x00000044 popad 0x00000045 xchg eax, ebx 0x00000046 push eax 0x00000047 push edx 0x00000048 push edx 0x00000049 push eax 0x0000004a push edx 0x0000004b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110B1A6 second address: 110B1AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110C76E second address: 110C7CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push esi 0x0000000c pop esi 0x0000000d popad 0x0000000e jp 00007FB75C865F9Ch 0x00000014 jne 00007FB75C865F96h 0x0000001a popad 0x0000001b nop 0x0000001c mov si, 893Fh 0x00000020 push 00000000h 0x00000022 movsx edi, cx 0x00000025 push 00000000h 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007FB75C865F98h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 0000001Dh 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 mov di, 8A13h 0x00000045 xchg eax, ebx 0x00000046 je 00007FB75C865FA2h 0x0000004c jp 00007FB75C865F9Ch 0x00000052 push eax 0x00000053 push edx 0x00000054 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110C7CD second address: 110C7D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110C7D8 second address: 110C7DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110E98B second address: 110E98F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110E98F second address: 110E995 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110D084 second address: 110D090 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 110D090 second address: 110D094 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111034A second address: 11103AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FB75D0E6D88h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+122D3101h] 0x0000002a push 00000000h 0x0000002c jmp 00007FB75D0E6D93h 0x00000031 push 00000000h 0x00000033 sub ebx, dword ptr [ebp+122D29AAh] 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FB75D0E6D92h 0x00000041 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1111362 second address: 1111367 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11104C1 second address: 11104CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FB75D0E6D86h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1112195 second address: 1112199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111314C second address: 111317B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FB75D0E6D96h 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FB75D0E6D8Eh 0x00000015 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11142A3 second address: 1114314 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007FB75C865F98h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 or ebx, dword ptr [ebp+122D2BFAh] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push edi 0x0000002f call 00007FB75C865F98h 0x00000034 pop edi 0x00000035 mov dword ptr [esp+04h], edi 0x00000039 add dword ptr [esp+04h], 0000001Bh 0x00000041 inc edi 0x00000042 push edi 0x00000043 ret 0x00000044 pop edi 0x00000045 ret 0x00000046 push 00000000h 0x00000048 jmp 00007FB75C865FA1h 0x0000004d push eax 0x0000004e pushad 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11154AC second address: 11154B3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 111639A second address: 11163A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FB75C865F96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11182F4 second address: 11182F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 11182F8 second address: 1118311 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 jbe 00007FB75C865F9Ch 0x0000000f jnc 00007FB75C865F96h 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1118311 second address: 1118369 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FB75D0E6D86h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007FB75D0E6D88h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 00000015h 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 pushad 0x00000027 mov dx, bx 0x0000002a cmc 0x0000002b popad 0x0000002c sub dword ptr [ebp+122D2FF1h], eax 0x00000032 push 00000000h 0x00000034 mov edi, dword ptr [ebp+122D2E0Ah] 0x0000003a push 00000000h 0x0000003c xchg eax, esi 0x0000003d jnl 00007FB75D0E6D91h 0x00000043 push eax 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 pushad 0x00000049 popad 0x0000004a rdtsc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe RDTSC instruction interceptor: First address: 1118369 second address: 111837F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FB75C865FA2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Special instruction interceptor: First address: 93A2F8 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Special instruction interceptor: First address: 79A2F8 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Special instruction interceptor: First address: 114A2F8 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 0_2_00673A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 6_2_004D3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 7_2_004D3A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 8_2_00E83A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Code function: GetCursorPos,GetCursorPos,GetCursorPos,Sleep,Sleep,GetCursorPos, 10_2_00E83A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 875
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 877
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Window / User API: threadDelayed 2321
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1013
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 437
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 1069
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Window / User API: threadDelayed 420
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1426
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1221
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Window / User API: threadDelayed 1251
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 360 Thread sleep time: -50025s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 2892 Thread sleep count: 875 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 2892 Thread sleep time: -1750875s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 3144 Thread sleep count: 284 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 4524 Thread sleep count: 251 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5680 Thread sleep count: 877 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5680 Thread sleep time: -1754877s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5532 Thread sleep count: 2321 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe TID: 5532 Thread sleep time: -4644321s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5508 Thread sleep count: 105 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5508 Thread sleep time: -210105s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780 Thread sleep count: 122 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5780 Thread sleep time: -244122s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4112 Thread sleep count: 1013 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4112 Thread sleep time: -102313s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 Thread sleep count: 437 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 Thread sleep count: 159 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408 Thread sleep count: 100 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2408 Thread sleep time: -200100s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4080 Thread sleep count: 83 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4080 Thread sleep time: -166083s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3436 Thread sleep count: 75 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3436 Thread sleep time: -150075s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2508 Thread sleep count: 1069 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2508 Thread sleep time: -107969s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1784 Thread sleep count: 420 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1784 Thread sleep count: 159 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5732 Thread sleep count: 74 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5732 Thread sleep time: -148074s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6020 Thread sleep count: 31 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 6020 Thread sleep time: -62031s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1900 Thread sleep count: 1426 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 1900 Thread sleep time: -2853426s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 3924 Thread sleep count: 297 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7220 Thread sleep count: 257 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468 Thread sleep count: 38 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468 Thread sleep time: -76038s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep count: 1221 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7460 Thread sleep time: -2443221s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7428 Thread sleep count: 280 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7552 Thread sleep count: 226 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7452 Thread sleep count: 1251 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7452 Thread sleep time: -2503251s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Last function: Thread delayed
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Last function: Thread delayed
            Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}e
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000117E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&0000
            Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.3320411319.0000000000EFD000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}&
            Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}j4h-
            Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: scsi#disk&ven_vmware&prosb
            Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&+
            Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B12000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: RageMP131.exe, 00000008.00000002.3320468771.000000000176E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF3
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF3
            Source: RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: RageMP131.exe, 00000008.00000003.2213925700.000000000176E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp, RageMP131.exe, 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&]9
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000117E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}U
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000s\user\AppData\Local\Temp\h
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.0000000001130000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000s
            Source: LisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: MPGPH131.exe, 00000006.00000002.3320441207.0000000000F0C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_52766DF37
            Source: RageMP131.exe, 0000000A.00000002.3319335738.0000000000B00000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeCode function: 0_2_00629F50 LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,0_2_00629F50
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeCode function: 0_2_00673A40 mov eax, dword ptr fs:[00000030h]0_2_00673A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeCode function: 0_2_00673A40 mov eax, dword ptr fs:[00000030h]0_2_00673A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeCode function: 0_2_00624100 mov eax, dword ptr fs:[00000030h]0_2_00624100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004D3A40 mov eax, dword ptr fs:[00000030h]6_2_004D3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_004D3A40 mov eax, dword ptr fs:[00000030h]6_2_004D3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 6_2_00484100 mov eax, dword ptr fs:[00000030h]6_2_00484100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_004D3A40 mov eax, dword ptr fs:[00000030h]7_2_004D3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_004D3A40 mov eax, dword ptr fs:[00000030h]7_2_004D3A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeCode function: 7_2_00484100 mov eax, dword ptr fs:[00000030h]7_2_00484100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00E83A40 mov eax, dword ptr fs:[00000030h]8_2_00E83A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00E83A40 mov eax, dword ptr fs:[00000030h]8_2_00E83A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 8_2_00E34100 mov eax, dword ptr fs:[00000030h]8_2_00E34100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00E83A40 mov eax, dword ptr fs:[00000030h]10_2_00E83A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00E83A40 mov eax, dword ptr fs:[00000030h]10_2_00E83A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeCode function: 10_2_00E34100 mov eax, dword ptr fs:[00000030h]10_2_00E34100
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exeCode function: 0_2_006EF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,0_2_006EF26A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_376.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information

            barindex
            Source: Yara matchFile source: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_376.exe PID: 4320, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 6284, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 4612, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 4676, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7424, type: MEMORYSTR

            Remote Access Functionality

            barindex
            Source: Yara matchFile source: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, type: MEMORY
            Source: Yara matchFile source: 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
            Source: Yara matchFile source: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
            Source: Yara matchFile source: Process Memory Space: LisectAVT_2403002A_376.exe PID: 4320, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 6284, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: MPGPH131.exe PID: 4612, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 4676, type: MEMORYSTR
            Source: Yara matchFile source: Process Memory Space: RageMP131.exe PID: 7424, type: MEMORYSTR
            ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
            Gather Victim Identity InformationAcquire InfrastructureValid Accounts3
            Command and Scripting Interpreter
            1
            Scheduled Task/Job
            1
            Process Injection
            1
            Masquerading
            OS Credential Dumping1
            System Time Discovery
            Remote Services1
            Archive Collected Data
            1
            Encrypted Channel
            Exfiltration Over Other Network MediumAbuse Accessibility Features
            CredentialsDomainsDefault Accounts1
            Scheduled Task/Job
            1
            Registry Run Keys / Startup Folder
            1
            Scheduled Task/Job
            12
            Virtualization/Sandbox Evasion
            LSASS Memory421
            Security Software Discovery
            Remote Desktop ProtocolData from Removable Media1
            Non-Standard Port
            Exfiltration Over BluetoothNetwork Denial of Service
            Email AddressesDNS ServerDomain Accounts11
            Native API
            1
            DLL Side-Loading
            1
            Registry Run Keys / Startup Folder
            1
            Process Injection
            Security Account Manager12
            Virtualization/Sandbox Evasion
            SMB/Windows Admin SharesData from Network Shared Drive1
            Ingress Tool Transfer
            Automated ExfiltrationData Encrypted for Impact
            Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
            DLL Side-Loading
            1
            Deobfuscate/Decode Files or Information
            NTDS1
            Application Window Discovery
            Distributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
            Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script3
            Obfuscated Files or Information
            LSA Secrets213
            System Information Discovery
            SSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts12
            Software Packing
            Cached Domain CredentialsWi-Fi DiscoveryVNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading
            DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery

            Legend:

            • Process
            • Signature
            • Created File
            • DNS/IP Info
            • Is Dropped
            • Is Windows Process
            • Number of created Registry Values
            • Number of created Files
            • Visual Basic
            • Delphi
            • Java
            • .Net C# or VB.NET
            • C, C++ or other language
            • Is malicious
            • Internet
            behaviorgraph top1 signatures2 2 Behavior Graph ID: 1482303 Sample: LisectAVT_2403002A_376.exe Startdate: 25/07/2024 Architecture: WINDOWS Score: 100 36 Antivirus / Scanner detection for submitted sample 2->36 38 Yara detected RisePro Stealer 2->38 40 Machine Learning detection for sample 2->40 42 3 other signatures 2->42 7 LisectAVT_2403002A_376.exe 1 9 2->7         started        12 MPGPH131.exe 2 2->12         started        14 RageMP131.exe 2 2->14         started        16 2 other processes 2->16 process3 dnsIp4 34 193.233.132.74, 49704, 49705, 49706 FREE-NET-ASFREEnetEU Russian Federation 7->34 26 C:\Users\user\AppData\Local\...\RageMP131.exe, PE32 7->26 dropped 28 C:\ProgramData\MPGPH131\MPGPH131.exe, PE32 7->28 dropped 30 C:\Users\...\RageMP131.exe:Zone.Identifier, ASCII 7->30 dropped 32 C:\...\MPGPH131.exe:Zone.Identifier, ASCII 7->32 dropped 44 Detected unpacking (changes PE section rights) 7->44 46 Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors) 7->46 48 Found API chain indicative of sandbox detection 7->48 50 Uses schtasks.exe or at.exe to add and modify task schedules 7->50 18 schtasks.exe 1 7->18         started        20 schtasks.exe 1 7->20         started        52 Antivirus detection for dropped file 12->52 54 Machine Learning detection for dropped file 12->54 56 Tries to evade debugger and weak emulator (self modifying code) 12->56 58 Tries to detect virtualization through RDTSC time measurements 14->58 60 Tries to detect sandboxes / dynamic malware analysis system (registry check) 14->60 file5 signatures6 process7 process8 22 conhost.exe 18->22         started        24 conhost.exe 20->24         started       



            SourceDetectionScannerLabelLink
            LisectAVT_2403002A_376.exe100%AviraTR/AD.Nekark.rxrem
            LisectAVT_2403002A_376.exe100%Joe Sandbox ML
            SourceDetectionScannerLabelLink
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe100%AviraTR/AD.Nekark.rxrem
            C:\ProgramData\MPGPH131\MPGPH131.exe100%AviraTR/AD.Nekark.rxrem
            C:\Users\user\AppData\Local\RageMP131\RageMP131.exe100%Joe Sandbox ML
            C:\ProgramData\MPGPH131\MPGPH131.exe100%Joe Sandbox ML
            No Antivirus matches
            No Antivirus matches
            SourceDetectionScannerLabelLink
            http://www.winimage.com/zLibDll0%URL Reputationsafe
            https://t.me/RiseProSUPPORT0%Avira URL Cloudsafe
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll0%Avira URL Cloudsafe
            https://t.me/RiseProSUPPORTWj0%Avira URL Cloudsafe
            No contacted domains info
            NameSourceMaliciousAntivirus DetectionReputation
            https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dllLisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            http://www.winimage.com/zLibDllLisectAVT_2403002A_376.exe, 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_376.exe, 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, MPGPH131.exe, 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmpfalse
            • URL Reputation: safe
            unknown
            https://t.me/RiseProSUPPORTLisectAVT_2403002A_376.exe, 00000000.00000002.3320586655.000000000113E000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3320619593.000000000127A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3320468771.000000000172E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3319335738.0000000000AD8000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            https://t.me/RiseProSUPPORTWjMPGPH131.exe, 00000006.00000002.3320441207.0000000000ECD000.00000004.00000020.00020000.00000000.sdmpfalse
            • Avira URL Cloud: safe
            unknown
            • No. of IPs < 25%
            • 25% < No. of IPs < 50%
            • 50% < No. of IPs < 75%
            • 75% < No. of IPs
            IPDomainCountryFlagASNASN NameMalicious
            193.233.132.74
            unknownRussian Federation
            2895FREE-NET-ASFREEnetEUtrue
            Joe Sandbox version:40.0.0 Tourmaline
            Analysis ID:1482303
            Start date and time:2024-07-25 21:00:53 +02:00
            Joe Sandbox product:CloudBasic
            Overall analysis duration:0h 6m 56s
            Hypervisor based Inspection enabled:false
            Report type:full
            Cookbook file name:default.jbs
            Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
            Number of analysed new started processes analysed:13
            Number of new started drivers analysed:0
            Number of existing processes analysed:0
            Number of existing drivers analysed:0
            Number of injected processes analysed:0
            Technologies:
            • HCA enabled
            • EGA enabled
            • AMSI enabled
            Analysis Mode:default
            Analysis stop reason:Timeout
            Sample name:LisectAVT_2403002A_376.exe
            Detection:MAL
            Classification:mal100.troj.evad.winEXE@11/5@0/1
            EGA Information:
            • Successful, ratio: 100%
            HCA Information:Failed
            Cookbook Comments:
            • Found application associated with file extension: .exe
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
            • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
            • Not all processes where analyzed, report is missing behavior information
            • VT rate limit hit for: LisectAVT_2403002A_376.exe
            TimeTypeDescription
            15:02:16API Interceptor2246693x Sleep call for process: LisectAVT_2403002A_376.exe modified
            15:02:18API Interceptor4715x Sleep call for process: MPGPH131.exe modified
            15:02:30API Interceptor1863722x Sleep call for process: RageMP131.exe modified
            21:01:47Task SchedulerRun new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
            21:01:47Task SchedulerRun new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
            21:01:51AutostartRun: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            21:01:59AutostartRun: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
            MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
            193.233.132.74LisectAVT_2403002B_242.exeGet hashmaliciousRisePro StealerBrowse
            LisectAVT_2403002A_224.exeGet hashmaliciousRisePro StealerBrowse
            80OrFCsz0u.exeGet hashmaliciousGCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro StealerBrowse
            SecuriteInfo.com.Win64.Evo-gen.28136.30716.exeGet hashmaliciousGCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro StealerBrowse
            file.exeGet hashmaliciousRisePro StealerBrowse
            vGDqFBB1Jz.exeGet hashmaliciousRisePro StealerBrowse
            iKV7MCWDJF.exeGet hashmaliciousRisePro StealerBrowse
            8TFD6H44Pz.exeGet hashmaliciousRisePro StealerBrowse
            uRLTbkeYF7.exeGet hashmaliciousRisePro StealerBrowse
            7mIgg1hm7Q.exeGet hashmaliciousRisePro StealerBrowse
            No context
                                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                FREE-NET-ASFREEnetEULisectAVT_2403002A_389.exeGet hashmaliciousAmadeyBrowse
                                • 193.233.132.56
                                LisectAVT_2403002A_419.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.67
                                LisectAVT_2403002A_419.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.67
                                LisectAVT_2403002A_464.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.109
                                LisectAVT_2403002A_464.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.109
                                LisectAVT_2403002A_79.exeGet hashmaliciousAmadeyBrowse
                                • 193.233.132.56
                                LisectAVT_2403002B_242.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.74
                                LisectAVT_2403002B_433.exeGet hashmaliciousAmadeyBrowse
                                • 193.233.132.56
                                Lisect_AVT_24003_G1B_108.exeGet hashmaliciousRisePro StealerBrowse
                                • 193.233.132.62
                                Lisect_AVT_24003_G1A_89.exeGet hashmaliciousBdaejec, RisePro StealerBrowse
                                • 193.233.132.62
                                No context
                                No context
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2038792
                                Entropy (8bit):7.945230933175329
                                Encrypted:false
                                SSDEEP:49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
                                MD5:45D835BEAAF607E4CE243297CD053469
                                SHA1:F96C5D84A6D93983B106CDD5A3DAF5900270285D
                                SHA-256:E35B5F6AA2E9FFC815083030E2C09A5E55DF2A02528DB2FC24D6F480910F0036
                                SHA-512:FCAC66D6D78B23E879C9CF993BD79C27EDB5E5251C0A347967047C0B7D4D384A5350C45A601E50C70B505631269F53D93CF51B5BADE2E3FCE669ABC31A2202E0
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0....... O...........@..........................PO.....,q....@.........................$.O.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+.......,..................@....idata .............B..............@... ..%..........D..............@...sryzlqip.....`9......F..............@...dhhlsvvc......O.....................@....taggant.0... O.."..................@...................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):2038792
                                Entropy (8bit):7.945230933175329
                                Encrypted:false
                                SSDEEP:49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
                                MD5:45D835BEAAF607E4CE243297CD053469
                                SHA1:F96C5D84A6D93983B106CDD5A3DAF5900270285D
                                SHA-256:E35B5F6AA2E9FFC815083030E2C09A5E55DF2A02528DB2FC24D6F480910F0036
                                SHA-512:FCAC66D6D78B23E879C9CF993BD79C27EDB5E5251C0A347967047C0B7D4D384A5350C45A601E50C70B505631269F53D93CF51B5BADE2E3FCE669ABC31A2202E0
                                Malicious:true
                                Antivirus:
                                • Antivirus: Avira, Detection: 100%
                                • Antivirus: Joe Sandbox ML, Detection: 100%
                                Reputation:low
                                Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L....b.e...............".....0....... O...........@..........................PO.....,q....@.........................$.O.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+.......,..................@....idata .............B..............@... ..%..........D..............@...sryzlqip.....`9......F..............@...dhhlsvvc......O.....................@....taggant.0... O.."..................@...................................................................................................................................................................................
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):26
                                Entropy (8bit):3.95006375643621
                                Encrypted:false
                                SSDEEP:3:ggPYV:rPYV
                                MD5:187F488E27DB4AF347237FE461A079AD
                                SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                Malicious:true
                                Reputation:high, very likely benign file
                                Preview:[ZoneTransfer]....ZoneId=0
                                Process:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                File Type:ASCII text, with no line terminators
                                Category:modified
                                Size (bytes):13
                                Entropy (8bit):3.085055102756477
                                Encrypted:false
                                SSDEEP:3:LEtc1:b
                                MD5:39493A7B7A0E39B64089776ABB9C6016
                                SHA1:C9C88320AEC613944361A072D457F9C71162D100
                                SHA-256:AC0BEF624CAB47942600C9B67612C7BAF3EEF4951E1493C1D46B9419873B54B8
                                SHA-512:606AE9D6CDB3C0206532DD5B75AD0434FC8A829A34C675C7F0F4830CA462C5D3EBC6E56ABB1E5345866A2E8D74AA20EEFADFF708BA4367D050D09F60D412F4D3
                                Malicious:false
                                Reputation:low
                                Preview:1721940529336
                                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                Entropy (8bit):7.945230933175329
                                TrID:
                                • Win32 Executable (generic) a (10002005/4) 99.96%
                                • Generic Win/DOS Executable (2004/3) 0.02%
                                • DOS Executable Generic (2002/1) 0.02%
                                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                File name:LisectAVT_2403002A_376.exe
                                File size:2'038'792 bytes
                                MD5:45d835beaaf607e4ce243297cd053469
                                SHA1:f96c5d84a6d93983b106cdd5a3daf5900270285d
                                SHA256:e35b5f6aa2e9ffc815083030e2c09a5e55df2a02528db2fc24d6f480910f0036
                                SHA512:fcac66d6d78b23e879c9cf993bd79c27edb5e5251c0a347967047c0b7d4d384a5350c45a601e50c70b505631269f53d93cf51b5bade2e3fce669abc31a2202e0
                                SSDEEP:49152:giBIW7AlKGoEcd/sQmgKkQCsGwJdK9paQNX+x:giyWMlKGoEWsHvNGII7
                                TLSH:439533550E66973AEDD4A7B200A3C7ABAFC07E200672337950956CFBB73F4A81712971
                                File Content Preview:MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{
                                Icon Hash:c769eccc64f6e2bb
                                Entrypoint:0x8f2000
                                Entrypoint Section:.taggant
                                Digitally signed:false
                                Imagebase:0x400000
                                Subsystem:windows gui
                                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                Time Stamp:0x65FD62AE [Fri Mar 22 10:51:26 2024 UTC]
                                TLS Callbacks:
                                CLR (.Net) Version:
                                OS Version Major:6
                                OS Version Minor:0
                                File Version Major:6
                                File Version Minor:0
                                Subsystem Version Major:6
                                Subsystem Version Minor:0
                                Import Hash:2eabe9054cad5152567f0699947a2c5b
                                Instruction
                                 Name | Virtual Address | Virtual Size | Is in Section
                                 IMAGE_DIRECTORY_ENTRY_EXPORT | 0x4f0f24 | 0x4c | sryzlqip
                                 IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13b055 | 0x69 | .idata
                                 IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x2b58 | .rsrc
                                 IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13b1f8 | 0x8 | .idata
                                 IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                                 IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                 Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                  | 0x1000 | 0x137000 | 0x90600 | 2f75480034760f340c257fb5748e85ab | False | 0.9931361607142857 | data | 7.9345365893427315 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .rsrc | 0x138000 | 0x2b58 | 0x2c00 | b606861556e06d174e42b11831f5e5db | False | 0.22487571022727273 | data | 3.9665421773066165 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .idata  | 0x13b000 | 0x1000 | 0x200 | 745dea56938759dccaf9e183aa01b020 | False | 0.146484375 | data | 0.998472215956371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                  | 0x13c000 | 0x25a000 | 0x200 | a2f941d88d17dd610b77ee1fa39c8c4a | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 sryzlqip | 0x396000 | 0x15b000 | 0x15b000 | cba0fcb5db96c6ccd9120b45c7808805 | False | 0.9946141311689481 | data | 7.95317001843216 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 dhhlsvvc | 0x4f1000 | 0x1000 | 0x400 | 1c6cd4ed6c4700f65c7f37736a35a312 | False | 0.69921875 | data | 5.645539648822601 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 .taggant | 0x4f2000 | 0x3000 | 0x2200 | 96b6ea8681cebabbf3bec9ceed5be3b9 | False | 0.06904871323529412 | DOS executable (COM) | 0.7825328856348389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                 Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                 RT_ICON | 0x138418 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Russian | Russia | 0.1892116182572614
                                 RT_GROUP_ICON | 0x13a9c0 | 0x14 | data | Russian | Russia | 1.15
                                 RT_VERSION | 0x138130 | 0x2e4 | data | Russian | Russia | 0.4689189189189189
                                 RT_MANIFEST | 0x13a9d8 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
                                 DLL | Import
                                 kernel32.dll | lstrcpy
                                 Name | Ordinal | Address
                                 Start | 1 | 0x466e80
                                 Language of compilation system | Country where language is spoken | Map
                                 Russian | Russia |
                                 English | United States |
                                 Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
                                 2024-07-25T21:01:48.505627+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:01:50.747098+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:02:44.930427+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49716 | 40.127.169.103 | 192.168.2.5
                                 2024-07-25T21:01:50.746738+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:02:13.893192+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49715 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:01:53.721499+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:02:06.675891+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49708 | 40.127.169.103 | 192.168.2.5
                                 2024-07-25T21:01:53.690409+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:01:51.487117+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 2024-07-25T21:02:05.596394+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                 Jul 25, 2024 21:01:48.476885080 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:48.485491991 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:48.485595942 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:48.505626917 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:48.510518074 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:50.698812008 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.703902006 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:50.703977108 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.707576990 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.713259935 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:50.713434935 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.746737957 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.747097969 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:50.752547979 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:50.752624989 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:51.487117052 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:51.492244005 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:53.690408945 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:53.695713043 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:01:53.721498966 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:01:53.728646994 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:02.586004972 CEST | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:02.591368914 CEST | 58709 | 49707 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:02.591644049 CEST | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:02.606394053 CEST | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:02.611345053 CEST | 58709 | 49707 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:05.596394062 CEST | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:05.605756998 CEST | 58709 | 49707 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:09.892503023 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:09.892610073 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:10.881210089 CEST | 49715 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:10.886512041 CEST | 58709 | 49715 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:10.886595964 CEST | 49715 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:10.909859896 CEST | 49715 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:10.914855003 CEST | 58709 | 49715 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:12.077375889 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:12.077533007 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:12.082139969 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:12.082227945 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:13.893192053 CEST | 49715 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:13.898690939 CEST | 58709 | 49715 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:23.957034111 CEST | 58709 | 49707 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:23.957154989 CEST | 49707 | 58709 | 192.168.2.5 | 193.233.132.74
                                 Jul 25, 2024 21:02:32.253662109 CEST | 58709 | 49715 | 193.233.132.74 | 192.168.2.5
                                 Jul 25, 2024 21:02:32.253779888 CEST | 49715 | 58709 | 192.168.2.5 | 193.233.132.74


                                Target ID:0
                                Start time:15:01:45
                                Start date:25/07/2024
                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_376.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_376.exe"
                                Imagebase:0x610000
                                File size:2'038'792 bytes
                                MD5 hash:45D835BEAAF607E4CE243297CD053469
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2056094300.0000000004A60000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:2
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Imagebase:0xd90000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Imagebase:0xd90000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x470000
                                File size:2'038'792 bytes
                                MD5 hash:45D835BEAAF607E4CE243297CD053469
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2082082490.0000000004860000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:15:01:47
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0x470000
                                File size:2'038'792 bytes
                                MD5 hash:45D835BEAAF607E4CE243297CD053469
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2082671106.0000000004980000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:8
                                Start time:15:01:59
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0xe20000
                                File size:2'038'792 bytes
                                MD5 hash:45D835BEAAF607E4CE243297CD053469
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2202132987.0000000005210000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:10
                                Start time:15:02:07
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0xe20000
                                File size:2'038'792 bytes
                                MD5 hash:45D835BEAAF607E4CE243297CD053469
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2283677130.0000000004A40000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:3.2%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:2.3%
                                  Total number of Nodes:608
                                  Total number of Limit Nodes:61
                                  execution_graph 17145 62e0a0 WSAStartup 17146 62e0d8 17145->17146 17147 62e1a7 17145->17147 17146->17147 17148 62e175 socket 17146->17148 17148->17147 17149 62e18b connect 17148->17149 17149->17147 17150 62e19d closesocket 17149->17150 17150->17147 17150->17148 17151 673a40 GetCursorPos 17152 673a55 GetCursorPos 17151->17152 17153 673b28 GetPEB 17152->17153 17156 673a67 17152->17156 17153->17156 17154 673a73 GetPEB 17154->17156 17155 673b9d Sleep 17155->17152 17156->17153 17156->17154 17156->17155 17156->17156 17157 673ae8 Sleep 17156->17157 17158 673bc7 17156->17158 17157->17156 16420 61a210 16453 6ef290 16420->16453 16422 61a248 16458 612ae0 16422->16458 16424 61a28b 16474 6f5362 16424->16474 16427 61a377 16431 61a34e 16431->16427 16503 6f47b0 16431->16503 16434 6f9136 4 API calls 16435 61a2fc 16434->16435 16440 61a318 16435->16440 16489 67cf60 16435->16489 16494 6fdbdf 16440->16494 16455 6121d0 Concurrency::cancel_current_task ___std_exception_copy std::_Facet_Register 16453->16455 16454 6ef2af 16454->16422 16455->16454 16506 6f0651 16455->16506 16459 612ba5 16458->16459 16465 612af6 16458->16465 16724 612270 16459->16724 16460 612b02 std::locale::_Init 16460->16424 16462 612baa 16734 6121d0 16462->16734 16463 612b2a 16469 6ef290 std::_Facet_Register RtlAllocateHeap 16463->16469 16465->16460 16465->16463 16467 612b65 16465->16467 16468 612b6e 16465->16468 16466 612b3d 16470 6f47b0 RtlAllocateHeap 16466->16470 16473 612b46 std::locale::_Init 16466->16473 16467->16462 16467->16463 16472 6ef290 std::_Facet_Register RtlAllocateHeap 16468->16472 16468->16473 16469->16466 16471 612bb4 16470->16471 16472->16473 16473->16424 16747 6f52a0 16474->16747 16476 61a2d7 16476->16431 16477 6f9136 16476->16477 16478 6f9149 __fread_nolock 16477->16478 16771 6f8e8d 16478->16771 16480 6f915e 16481 6f44dc __fread_nolock RtlAllocateHeap 16480->16481 16482 61a2ea 16481->16482 16483 6f4eeb 16482->16483 16484 6f4efe __fread_nolock 16483->16484 16904 
6f4801 16484->16904 16486 6f4f0a 16487 6f44dc __fread_nolock RtlAllocateHeap 16486->16487 16488 61a2f0 16487->16488 16488->16434 16490 67cfa7 16489->16490 16492 67cf78 __fread_nolock 16489->16492 16952 680560 16490->16952 16492->16440 16493 67cfba 16493->16440 16967 6fdbfc 16494->16967 16496 61a348 16497 6f8be8 16496->16497 16498 6f8bfb __fread_nolock 16497->16498 17091 6f8ac3 16498->17091 16500 6f8c07 16501 6f44dc __fread_nolock RtlAllocateHeap 16500->16501 16502 6f8c13 16501->16502 16502->16431 16504 6f46ec __fread_nolock RtlAllocateHeap 16503->16504 16505 6f47bf __Getctype 16504->16505 16507 612213 16506->16507 16509 6f065e ___std_exception_copy 16506->16509 16507->16422 16508 6f068b 16521 6fd7d6 16508->16521 16509->16507 16509->16508 16512 7056b8 16509->16512 16513 7056c6 16512->16513 16514 7056d4 16512->16514 16513->16514 16518 7056ec 16513->16518 16524 6fd23f 16514->16524 16516 7056e6 16516->16508 16518->16516 16519 6fd23f __dosmaperr RtlAllocateHeap 16518->16519 16520 7056dc 16519->16520 16527 6f47a0 16520->16527 16522 706db3 __freea RtlAllocateHeap 16521->16522 16523 6fd7ee 16522->16523 16523->16507 16530 705d2c 16524->16530 16635 6f46ec 16527->16635 16531 705d36 __Getctype 16530->16531 16538 6fd244 16531->16538 16541 7063f3 16531->16541 16533 705d79 __Getctype 16534 705d81 __Getctype 16533->16534 16535 705db9 16533->16535 16545 706db3 16534->16545 16549 705a09 16535->16549 16538->16520 16540 706db3 __freea RtlAllocateHeap 16540->16538 16544 706400 __Getctype std::_Facet_Register 16541->16544 16542 70642b RtlAllocateHeap 16543 70643e __dosmaperr 16542->16543 16542->16544 16543->16533 16544->16542 16544->16543 16546 706de8 16545->16546 16547 706dbe __dosmaperr 16545->16547 16546->16538 16547->16546 16548 6fd23f __dosmaperr RtlAllocateHeap 16547->16548 16548->16546 16550 705a77 __Getctype 16549->16550 16553 7059af 16550->16553 16552 705aa0 16552->16540 16554 7059bb __fread_nolock std::_Lockit::_Lockit 16553->16554 16557 705b90 16554->16557 16556 7059dd 
__Getctype 16556->16552 16558 705bc6 __Getctype 16557->16558 16559 705b9f __Getctype 16557->16559 16558->16556 16559->16558 16561 70f2a7 16559->16561 16562 70f327 16561->16562 16566 70f2bd 16561->16566 16564 706db3 __freea RtlAllocateHeap 16562->16564 16588 70f375 16562->16588 16567 70f349 16564->16567 16565 70f383 16573 70f3e3 16565->16573 16586 706db3 RtlAllocateHeap __freea 16565->16586 16566->16562 16569 706db3 __freea RtlAllocateHeap 16566->16569 16570 70f2f0 16566->16570 16568 706db3 __freea RtlAllocateHeap 16567->16568 16571 70f35c 16568->16571 16574 70f2e5 16569->16574 16575 706db3 __freea RtlAllocateHeap 16570->16575 16587 70f312 16570->16587 16576 706db3 __freea RtlAllocateHeap 16571->16576 16572 706db3 __freea RtlAllocateHeap 16577 70f31c 16572->16577 16579 706db3 __freea RtlAllocateHeap 16573->16579 16589 70e5ab 16574->16589 16581 70f307 16575->16581 16582 70f36a 16576->16582 16578 706db3 __freea RtlAllocateHeap 16577->16578 16578->16562 16583 70f3e9 16579->16583 16617 70ea0a 16581->16617 16585 706db3 __freea RtlAllocateHeap 16582->16585 16583->16558 16585->16588 16586->16565 16587->16572 16629 70f418 16588->16629 16590 70e6a5 16589->16590 16591 70e5bc 16589->16591 16590->16570 16592 70e5cd 16591->16592 16593 706db3 __freea RtlAllocateHeap 16591->16593 16594 70e5df 16592->16594 16596 706db3 __freea RtlAllocateHeap 16592->16596 16593->16592 16595 70e5f1 16594->16595 16597 706db3 __freea RtlAllocateHeap 16594->16597 16598 70e603 16595->16598 16599 706db3 __freea RtlAllocateHeap 16595->16599 16596->16594 16597->16595 16600 70e615 16598->16600 16601 706db3 __freea RtlAllocateHeap 16598->16601 16599->16598 16602 70e627 16600->16602 16604 706db3 __freea RtlAllocateHeap 16600->16604 16601->16600 16603 70e639 16602->16603 16605 706db3 __freea RtlAllocateHeap 16602->16605 16606 70e64b 16603->16606 16607 706db3 __freea RtlAllocateHeap 16603->16607 16604->16602 16605->16603 16608 70e65d 16606->16608 16609 706db3 __freea RtlAllocateHeap 16606->16609 16607->16606 
16610 70e66f 16608->16610 16612 706db3 __freea RtlAllocateHeap 16608->16612 16609->16608 16611 70e681 16610->16611 16613 706db3 __freea RtlAllocateHeap 16610->16613 16614 70e693 16611->16614 16615 706db3 __freea RtlAllocateHeap 16611->16615 16612->16610 16613->16611 16614->16590 16616 706db3 __freea RtlAllocateHeap 16614->16616 16615->16614 16616->16590 16618 70ea17 16617->16618 16628 70ea6f 16617->16628 16619 70ea27 16618->16619 16620 706db3 __freea RtlAllocateHeap 16618->16620 16621 70ea39 16619->16621 16622 706db3 __freea RtlAllocateHeap 16619->16622 16620->16619 16623 70ea4b 16621->16623 16624 706db3 __freea RtlAllocateHeap 16621->16624 16622->16621 16625 706db3 __freea RtlAllocateHeap 16623->16625 16627 70ea5d 16623->16627 16624->16623 16625->16627 16626 706db3 __freea RtlAllocateHeap 16626->16628 16627->16626 16627->16628 16628->16587 16630 70f425 16629->16630 16634 70f444 16629->16634 16631 70ef31 __Getctype RtlAllocateHeap 16630->16631 16630->16634 16632 70f43e 16631->16632 16633 706db3 __freea RtlAllocateHeap 16632->16633 16633->16634 16634->16565 16636 6f46fe __fread_nolock 16635->16636 16641 6f4723 16636->16641 16638 6f4716 16648 6f44dc 16638->16648 16642 6f4733 16641->16642 16645 6f473a __fread_nolock __Getctype 16641->16645 16654 6f4541 16642->16654 16644 6f4748 16644->16638 16645->16644 16646 6f46ec __fread_nolock RtlAllocateHeap 16645->16646 16647 6f47ac 16646->16647 16647->16638 16649 6f44e8 16648->16649 16651 6f44ff 16649->16651 16669 6f4587 16649->16669 16652 6f4512 16651->16652 16653 6f4587 __fread_nolock RtlAllocateHeap 16651->16653 16652->16516 16653->16652 16655 6f4551 16654->16655 16658 705ddd 16655->16658 16659 705df0 __Getctype 16658->16659 16660 6f4572 16659->16660 16661 7063f3 __Getctype RtlAllocateHeap 16659->16661 16660->16645 16662 705e20 __Getctype 16661->16662 16663 705e5c 16662->16663 16664 705e28 __Getctype 16662->16664 16665 705a09 __Getctype RtlAllocateHeap 16663->16665 16666 706db3 __freea RtlAllocateHeap 16664->16666 16667 
705e67 16665->16667 16666->16660 16668 706db3 __freea RtlAllocateHeap 16667->16668 16668->16660 16670 6f459a 16669->16670 16671 6f4591 16669->16671 16670->16651 16672 6f4541 __fread_nolock RtlAllocateHeap 16671->16672 16673 6f4596 16672->16673 16673->16670 16676 700259 16673->16676 16677 70025e std::locale::_Setgloballocale 16676->16677 16681 700269 std::locale::_Setgloballocale 16677->16681 16682 70c7c6 16677->16682 16703 6ff224 16681->16703 16685 70c7d2 __fread_nolock 16682->16685 16683 705d2c __dosmaperr RtlAllocateHeap 16689 70c803 std::locale::_Setgloballocale 16683->16689 16684 70c822 16686 6fd23f __dosmaperr RtlAllocateHeap 16684->16686 16685->16683 16685->16684 16685->16689 16690 70c834 std::_Lockit::_Lockit std::locale::_Setgloballocale 16685->16690 16687 70c827 16686->16687 16688 6f47a0 __fread_nolock RtlAllocateHeap 16687->16688 16702 70c80c 16688->16702 16689->16684 16689->16690 16689->16702 16691 70c9a4 std::_Lockit::~_Lockit 16690->16691 16692 70c8a7 16690->16692 16693 70c8d5 std::locale::_Setgloballocale 16690->16693 16694 6ff224 std::locale::_Setgloballocale RtlAllocateHeap 16691->16694 16692->16693 16706 705bdb 16692->16706 16697 705bdb __Getctype RtlAllocateHeap 16693->16697 16700 70c92a 16693->16700 16693->16702 16696 70c9b7 16694->16696 16697->16700 16699 705bdb __Getctype RtlAllocateHeap 16699->16693 16701 705bdb __Getctype RtlAllocateHeap 16700->16701 16700->16702 16701->16702 16702->16681 16720 6ff094 16703->16720 16705 6ff235 16707 705be5 __Getctype 16706->16707 16708 7063f3 __Getctype RtlAllocateHeap 16707->16708 16709 705bfb 16707->16709 16711 705c28 __Getctype 16708->16711 16710 705c8b 16709->16710 16712 700259 __Getctype RtlAllocateHeap 16709->16712 16710->16699 16714 705c30 __Getctype 16711->16714 16715 705c68 16711->16715 16713 705c95 16712->16713 16716 706db3 __freea RtlAllocateHeap 16714->16716 16717 705a09 __Getctype RtlAllocateHeap 16715->16717 16716->16709 16718 705c73 16717->16718 16719 706db3 __freea RtlAllocateHeap 16718->16719 
16719->16709 16721 6ff0c1 std::locale::_Setgloballocale 16720->16721 16722 6fef23 std::locale::_Setgloballocale RtlAllocateHeap 16721->16722 16723 6ff10a std::locale::_Setgloballocale 16722->16723 16723->16705 16738 6ed6e9 16724->16738 16735 6121de Concurrency::cancel_current_task 16734->16735 16736 6f0651 ___std_exception_copy RtlAllocateHeap 16735->16736 16737 612213 16736->16737 16737->16466 16741 6ed4af 16738->16741 16740 6ed6fa Concurrency::cancel_current_task 16744 613010 16741->16744 16745 6f0651 ___std_exception_copy RtlAllocateHeap 16744->16745 16746 61303d 16745->16746 16746->16740 16749 6f52ac __fread_nolock 16747->16749 16748 6f52b3 16750 6fd23f __dosmaperr RtlAllocateHeap 16748->16750 16749->16748 16751 6f52d3 16749->16751 16752 6f52b8 16750->16752 16753 6f52d8 16751->16753 16754 6f52e5 16751->16754 16755 6f47a0 __fread_nolock RtlAllocateHeap 16752->16755 16756 6fd23f __dosmaperr RtlAllocateHeap 16753->16756 16761 706688 16754->16761 16760 6f52c3 16755->16760 16756->16760 16758 6f52ee 16759 6fd23f __dosmaperr RtlAllocateHeap 16758->16759 16758->16760 16759->16760 16760->16476 16762 706694 __fread_nolock std::_Lockit::_Lockit 16761->16762 16765 70672c 16762->16765 16764 7066af 16764->16758 16769 70674f __fread_nolock 16765->16769 16766 7063f3 __Getctype RtlAllocateHeap 16767 7067b0 16766->16767 16768 706db3 __freea RtlAllocateHeap 16767->16768 16770 706795 __fread_nolock 16768->16770 16769->16766 16769->16769 16769->16770 16770->16764 16773 6f8e99 __fread_nolock 16771->16773 16772 6f8e9f 16774 6f4723 __fread_nolock RtlAllocateHeap 16772->16774 16773->16772 16775 6f8ee2 __fread_nolock 16773->16775 16777 6f8eba 16774->16777 16778 6f9010 16775->16778 16777->16480 16779 6f9036 16778->16779 16780 6f9023 16778->16780 16787 6f8f37 16779->16787 16780->16777 16782 6f90e7 16782->16777 16783 6f9059 16783->16782 16791 6f55d3 16783->16791 16788 6f8f48 16787->16788 16790 6f8fa0 16787->16790 16788->16790 16800 6fe13d 16788->16800 16790->16783 16792 6f55ec 16791->16792 
16796 6f5613 16791->16796 16792->16796 16827 705f82 16792->16827 16794 6f5608 16834 70538b 16794->16834 16797 6fe17d 16796->16797 16798 6fe05c __fread_nolock 2 API calls 16797->16798 16799 6fe196 16798->16799 16799->16782 16801 6fe151 __fread_nolock 16800->16801 16806 6fe05c 16801->16806 16803 6fe166 16804 6f44dc __fread_nolock RtlAllocateHeap 16803->16804 16805 6fe175 16804->16805 16805->16790 16811 70a6de 16806->16811 16808 6fe06e 16809 6fe08a SetFilePointerEx 16808->16809 16810 6fe076 __fread_nolock 16808->16810 16809->16810 16810->16803 16812 70a700 16811->16812 16813 70a6eb 16811->16813 16816 6fd22c __dosmaperr RtlAllocateHeap 16812->16816 16818 70a725 16812->16818 16824 6fd22c 16813->16824 16819 70a730 16816->16819 16817 6fd23f __dosmaperr RtlAllocateHeap 16820 70a6f8 16817->16820 16818->16808 16821 6fd23f __dosmaperr RtlAllocateHeap 16819->16821 16820->16808 16822 70a738 16821->16822 16823 6f47a0 __fread_nolock RtlAllocateHeap 16822->16823 16823->16820 16825 705d2c __dosmaperr RtlAllocateHeap 16824->16825 16826 6fd231 16825->16826 16826->16817 16828 705fa3 16827->16828 16829 705f8e 16827->16829 16828->16794 16830 6fd23f __dosmaperr RtlAllocateHeap 16829->16830 16831 705f93 16830->16831 16832 6f47a0 __fread_nolock RtlAllocateHeap 16831->16832 16833 705f9e 16832->16833 16833->16794 16836 705397 __fread_nolock 16834->16836 16835 70539f 16835->16796 16836->16835 16837 7053d8 16836->16837 16839 70541e 16836->16839 16838 6f4723 __fread_nolock RtlAllocateHeap 16837->16838 16838->16835 16839->16835 16841 70549c 16839->16841 16842 7054c4 16841->16842 16854 7054e7 __fread_nolock 16841->16854 16843 7054c8 16842->16843 16845 705523 16842->16845 16844 6f4723 __fread_nolock RtlAllocateHeap 16843->16844 16844->16854 16846 705541 16845->16846 16847 6fe17d 2 API calls 16845->16847 16855 704fe1 16846->16855 16847->16846 16850 7055a0 16852 705609 WriteFile 16850->16852 16850->16854 16851 705559 16851->16854 16860 704bb2 16851->16860 16852->16854 16854->16835 16866 710d44 
16855->16866 16857 704ff3 16859 705021 16857->16859 16875 6f9d10 16857->16875 16859->16850 16859->16851 16861 704c1b 16860->16861 16862 6f9d10 std::_Locinfo::_Locinfo_dtor 2 API calls 16861->16862 16865 704c2b std::locale::_Init std::_Locinfo::_Locinfo_dtor 16861->16865 16862->16865 16863 7084be RtlAllocateHeap RtlAllocateHeap 16863->16865 16864 704ee1 _ValidateLocalCookies 16864->16854 16865->16863 16865->16864 16867 710d51 16866->16867 16868 710d5e 16866->16868 16869 6fd23f __dosmaperr RtlAllocateHeap 16867->16869 16870 710d6a 16868->16870 16871 6fd23f __dosmaperr RtlAllocateHeap 16868->16871 16872 710d56 16869->16872 16870->16857 16873 710d8b 16871->16873 16872->16857 16874 6f47a0 __fread_nolock RtlAllocateHeap 16873->16874 16874->16872 16876 6f4587 __fread_nolock RtlAllocateHeap 16875->16876 16877 6f9d20 16876->16877 16882 705ef3 16877->16882 16883 6f9d3d 16882->16883 16884 705f0a 16882->16884 16886 705f51 16883->16886 16884->16883 16890 70f4f3 16884->16890 16887 705f68 16886->16887 16889 6f9d4a 16886->16889 16887->16889 16899 70d81e 16887->16899 16889->16859 16891 70f4ff __fread_nolock 16890->16891 16892 705bdb __Getctype RtlAllocateHeap 16891->16892 16894 70f508 std::_Lockit::_Lockit 16892->16894 16893 70f54e 16893->16883 16894->16893 16895 70f574 __Getctype RtlAllocateHeap 16894->16895 16896 70f537 __Getctype 16895->16896 16896->16893 16897 700259 __Getctype RtlAllocateHeap 16896->16897 16898 70f573 16897->16898 16900 705bdb __Getctype RtlAllocateHeap 16899->16900 16901 70d823 16900->16901 16902 70d736 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 16901->16902 16903 70d82e 16902->16903 16903->16889 16905 6f480d __fread_nolock 16904->16905 16906 6f4835 __fread_nolock 16905->16906 16907 6f4814 16905->16907 16911 6f4910 16906->16911 16908 6f4723 __fread_nolock RtlAllocateHeap 16907->16908 16910 6f482d 16908->16910 16910->16486 16914 6f4942 16911->16914 16913 6f4922 16913->16910 16915 6f4979 16914->16915 16916 6f4951 16914->16916 16918 705f82 
__fread_nolock RtlAllocateHeap 16915->16918 16917 6f4723 __fread_nolock RtlAllocateHeap 16916->16917 16919 6f496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16917->16919 16920 6f4982 16918->16920 16919->16913 16927 6fe11f 16920->16927 16923 6f4a2c 16930 6f4cae 16923->16930 16924 6f4a43 16924->16919 16938 6f4ae3 16924->16938 16945 6fdf37 16927->16945 16929 6f49a0 16929->16919 16929->16923 16929->16924 16931 6f4cbd 16930->16931 16932 705f82 __fread_nolock RtlAllocateHeap 16931->16932 16933 6f4cd9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16932->16933 16934 6fe11f 2 API calls 16933->16934 16937 6f4ce5 _ValidateLocalCookies 16933->16937 16935 6f4d39 16934->16935 16936 6fe11f 2 API calls 16935->16936 16935->16937 16936->16937 16937->16919 16939 705f82 __fread_nolock RtlAllocateHeap 16938->16939 16940 6f4af6 16939->16940 16941 6fe11f 2 API calls 16940->16941 16944 6f4b40 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 16940->16944 16942 6f4b9d 16941->16942 16943 6fe11f 2 API calls 16942->16943 16942->16944 16943->16944 16944->16919 16947 6fdf43 __fread_nolock 16945->16947 16946 6fdf4b 16946->16929 16947->16946 16948 6fdf86 16947->16948 16950 6fdfcc 16947->16950 16949 6f4723 __fread_nolock RtlAllocateHeap 16948->16949 16949->16946 16950->16946 16951 6fe05c __fread_nolock 2 API calls 16950->16951 16951->16946 16953 6806a9 16952->16953 16957 680585 16952->16957 16954 612270 RtlAllocateHeap 16953->16954 16955 6806ae 16954->16955 16956 6121d0 Concurrency::cancel_current_task RtlAllocateHeap 16955->16956 16965 6805aa __fread_nolock std::locale::_Init 16956->16965 16959 6805f0 16957->16959 16960 6805e3 16957->16960 16962 68059a 16957->16962 16958 6ef290 std::_Facet_Register RtlAllocateHeap 16958->16965 16964 6ef290 std::_Facet_Register RtlAllocateHeap 16959->16964 16959->16965 16960->16955 16960->16962 16961 6f47b0 RtlAllocateHeap 16963 6806b8 16961->16963 16962->16958 16964->16965 16965->16961 16966 680667 __fread_nolock std::locale::_Init 16965->16966 16966->16493 16968 6fdc08 
__fread_nolock 16967->16968 16969 6fdc1b __fread_nolock 16968->16969 16970 6fdc52 __fread_nolock 16968->16970 16975 6fdc40 __fread_nolock 16968->16975 16971 6fd23f __dosmaperr RtlAllocateHeap 16969->16971 16976 6fda06 16970->16976 16973 6fdc35 16971->16973 16974 6f47a0 __fread_nolock RtlAllocateHeap 16973->16974 16974->16975 16975->16496 16979 6fda18 __fread_nolock 16976->16979 16983 6fda35 16976->16983 16977 6fda25 16978 6fd23f __dosmaperr RtlAllocateHeap 16977->16978 16987 6fda2a 16978->16987 16979->16977 16981 6fda76 __fread_nolock 16979->16981 16979->16983 16980 6f47a0 __fread_nolock RtlAllocateHeap 16980->16983 16982 6fdba1 __fread_nolock 16981->16982 16981->16983 16985 705f82 __fread_nolock RtlAllocateHeap 16981->16985 16989 704623 16981->16989 17048 6f8a2b 16981->17048 16986 6fd23f __dosmaperr RtlAllocateHeap 16982->16986 16983->16975 16985->16981 16986->16987 16987->16980 16990 704635 16989->16990 16991 70464d 16989->16991 16992 6fd22c __dosmaperr RtlAllocateHeap 16990->16992 16993 70498f 16991->16993 16998 704690 16991->16998 16994 70463a 16992->16994 16995 6fd22c __dosmaperr RtlAllocateHeap 16993->16995 16997 6fd23f __dosmaperr RtlAllocateHeap 16994->16997 16996 704994 16995->16996 16999 6fd23f __dosmaperr RtlAllocateHeap 16996->16999 17002 704642 16997->17002 17000 70469b 16998->17000 16998->17002 17007 7046cb 16998->17007 17001 7046a8 16999->17001 17003 6fd22c __dosmaperr RtlAllocateHeap 17000->17003 17006 6f47a0 __fread_nolock RtlAllocateHeap 17001->17006 17002->16981 17004 7046a0 17003->17004 17005 6fd23f __dosmaperr RtlAllocateHeap 17004->17005 17005->17001 17006->17002 17008 7046e4 17007->17008 17009 7046f1 17007->17009 17010 70471f 17007->17010 17008->17009 17014 70470d 17008->17014 17011 6fd22c __dosmaperr RtlAllocateHeap 17009->17011 17062 706e2d 17010->17062 17013 7046f6 17011->17013 17016 6fd23f __dosmaperr RtlAllocateHeap 17013->17016 17017 710d44 __fread_nolock RtlAllocateHeap 17014->17017 17019 7046fd 17016->17019 17031 70486b 17017->17031 
17018 706db3 __freea RtlAllocateHeap 17020 704739 17018->17020 17021 6f47a0 __fread_nolock RtlAllocateHeap 17019->17021 17023 706db3 __freea RtlAllocateHeap 17020->17023 17047 704708 __fread_nolock 17021->17047 17022 7048e3 ReadFile 17024 704957 17022->17024 17025 7048fb 17022->17025 17026 704740 17023->17026 17035 704964 17024->17035 17036 7048b5 17024->17036 17025->17024 17027 7048d4 17025->17027 17028 704765 17026->17028 17029 70474a 17026->17029 17039 704920 17027->17039 17040 704937 17027->17040 17027->17047 17030 6fe13d __fread_nolock 2 API calls 17028->17030 17032 6fd23f __dosmaperr RtlAllocateHeap 17029->17032 17030->17014 17031->17022 17034 70489b 17031->17034 17037 70474f 17032->17037 17033 706db3 __freea RtlAllocateHeap 17033->17002 17034->17027 17034->17036 17038 6fd23f __dosmaperr RtlAllocateHeap 17035->17038 17036->17047 17068 6fd1e5 17036->17068 17041 6fd22c __dosmaperr RtlAllocateHeap 17037->17041 17042 704969 17038->17042 17073 704335 17039->17073 17040->17047 17083 70417b 17040->17083 17041->17047 17046 6fd22c __dosmaperr RtlAllocateHeap 17042->17046 17046->17047 17047->17033 17049 6f8a3c 17048->17049 17052 6f8a38 std::locale::_Init 17048->17052 17050 6f8a43 17049->17050 17054 6f8a56 __fread_nolock 17049->17054 17051 6fd23f __dosmaperr RtlAllocateHeap 17050->17051 17053 6f8a48 17051->17053 17052->16981 17055 6f47a0 __fread_nolock RtlAllocateHeap 17053->17055 17054->17052 17056 6f8a8d 17054->17056 17057 6f8a84 17054->17057 17055->17052 17056->17052 17059 6fd23f __dosmaperr RtlAllocateHeap 17056->17059 17058 6fd23f __dosmaperr RtlAllocateHeap 17057->17058 17060 6f8a89 17058->17060 17059->17060 17061 6f47a0 __fread_nolock RtlAllocateHeap 17060->17061 17061->17052 17063 706e6b 17062->17063 17067 706e3b __Getctype std::_Facet_Register 17062->17067 17065 6fd23f __dosmaperr RtlAllocateHeap 17063->17065 17064 706e56 RtlAllocateHeap 17066 704730 17064->17066 17064->17067 17065->17066 17066->17018 17067->17063 17067->17064 17069 6fd22c __dosmaperr 
RtlAllocateHeap 17068->17069 17070 6fd1f0 __dosmaperr 17069->17070 17071 6fd23f __dosmaperr RtlAllocateHeap 17070->17071 17072 6fd203 17071->17072 17072->17047 17087 70402e 17073->17087 17076 7043c7 17077 6fd23f __dosmaperr RtlAllocateHeap 17076->17077 17079 70437d 17077->17079 17078 7043d7 17080 6fe13d __fread_nolock 2 API calls 17078->17080 17081 704391 __fread_nolock 17078->17081 17079->17047 17080->17081 17081->17079 17082 6fd1e5 __dosmaperr RtlAllocateHeap 17081->17082 17082->17079 17085 7041b5 17083->17085 17084 704246 17084->17047 17085->17084 17086 6fe13d __fread_nolock 2 API calls 17085->17086 17086->17084 17088 704062 17087->17088 17089 7040ce 17088->17089 17090 6fe13d __fread_nolock 2 API calls 17088->17090 17089->17076 17089->17078 17089->17079 17089->17081 17090->17089 17092 6f8acf __fread_nolock 17091->17092 17093 6f8ad9 17092->17093 17095 6f8afc __fread_nolock 17092->17095 17094 6f4723 __fread_nolock RtlAllocateHeap 17093->17094 17096 6f8af4 17094->17096 17095->17096 17098 6f8b5a 17095->17098 17096->16500 17099 6f8b8a 17098->17099 17100 6f8b67 17098->17100 17102 6f55d3 4 API calls 17099->17102 17110 6f8b82 17099->17110 17101 6f4723 __fread_nolock RtlAllocateHeap 17100->17101 17101->17110 17103 6f8ba2 17102->17103 17112 706ded 17103->17112 17106 705f82 __fread_nolock RtlAllocateHeap 17107 6f8bb6 17106->17107 17116 704a3f 17107->17116 17110->17096 17111 706db3 __freea RtlAllocateHeap 17111->17110 17113 706e04 17112->17113 17114 6f8baa 17112->17114 17113->17114 17115 706db3 __freea RtlAllocateHeap 17113->17115 17114->17106 17115->17114 17119 6f8bbd 17116->17119 17120 704a68 17116->17120 17117 704ab7 17118 6f4723 __fread_nolock RtlAllocateHeap 17117->17118 17118->17119 17119->17110 17119->17111 17120->17117 17121 704a8f 17120->17121 17123 7049ae 17121->17123 17124 7049ba __fread_nolock 17123->17124 17126 7049f9 17124->17126 17127 704b12 17124->17127 17126->17119 17128 70a6de __fread_nolock RtlAllocateHeap 17127->17128 17131 704b22 17128->17131 17129 
704b28 17139 70a64d 17129->17139 17131->17129 17132 704b5a 17131->17132 17133 70a6de __fread_nolock RtlAllocateHeap 17131->17133 17132->17129 17134 70a6de __fread_nolock RtlAllocateHeap 17132->17134 17135 704b51 17133->17135 17136 704b66 FindCloseChangeNotification 17134->17136 17137 70a6de __fread_nolock RtlAllocateHeap 17135->17137 17136->17129 17137->17132 17138 704b80 __fread_nolock 17138->17126 17142 70a65c 17139->17142 17140 6fd23f __dosmaperr RtlAllocateHeap 17141 70a6c8 17140->17141 17143 6fd22c __dosmaperr RtlAllocateHeap 17141->17143 17142->17140 17144 70a686 17142->17144 17143->17144 17144->17138

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 0 673a40-673a53 GetCursorPos 1 673a55-673a61 GetCursorPos 0->1 2 673a67-673a6d 1->2 3 673b28-673b31 GetPEB 1->3 2->3 5 673a73-673a7f GetPEB 2->5 4 673b34-673b48 3->4 6 673b4a-673b4f 4->6 7 673b99-673b9b 4->7 8 673a80-673a94 5->8 6->7 9 673b51-673b59 6->9 7->4 10 673a96-673a9b 8->10 11 673ae4-673ae6 8->11 12 673b60-673b73 9->12 10->11 13 673a9d-673aa3 10->13 11->8 14 673b75-673b88 12->14 15 673b92-673b97 12->15 16 673aa5-673ab8 13->16 14->14 17 673b8a-673b90 14->17 15->7 15->12 18 673add-673ae2 16->18 19 673aba 16->19 17->15 20 673b9d-673bc2 Sleep 17->20 18->11 18->16 21 673ac0-673ad3 19->21 20->1 21->21 22 673ad5-673adb 21->22 22->18 23 673ae8-673b0e Sleep 22->23 24 673b14-673b1a 23->24 24->3 25 673b1c-673b22 24->25 25->3 26 673bc7-673bd8 call 616bd0 25->26 29 673bde 26->29 30 673bda-673bdc 26->30 31 673be0-673bfd call 616bd0 29->31 30->31
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00673A53
                                  • GetCursorPos.USER32(?), ref: 00673A59
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00673DB6), ref: 00673B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00673DB6), ref: 00673BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CursorSleep
                                  • String ID:
                                  • API String ID: 4211308429-0
                                  • Opcode ID: 1a6c66d1f91b64bbbdbf2df32c91999887f9e42ad697f3bda6fb30372ddc29c8
                                  • Instruction ID: fa5d62b1121d82edbf2bd534d88a2bbf9c87efa4ef183b09cb100396b2e5f199
                                  • Opcode Fuzzy Hash: 1a6c66d1f91b64bbbdbf2df32c91999887f9e42ad697f3bda6fb30372ddc29c8
                                  • Instruction Fuzzy Hash: 6451BA35A04229CFCB14CF58C8D1EAAB3B2EF54B04B29859AD4499F351D731EE05DB80

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 34 62e0a0-62e0d2 WSAStartup 35 62e1b7-62e1c0 34->35 36 62e0d8-62e102 call 616bd0 * 2 34->36 41 62e104-62e108 36->41 42 62e10e-62e165 36->42 41->35 41->42 44 62e1b1 42->44 45 62e167-62e16d 42->45 44->35 46 62e1c5-62e1cf 45->46 47 62e16f 45->47 46->44 51 62e1d1-62e1d9 46->51 48 62e175-62e189 socket 47->48 48->44 50 62e18b-62e19b connect 48->50 52 62e1c1 50->52 53 62e19d-62e1a5 closesocket 50->53 52->46 53->48 54 62e1a7-62e1ab 53->54 54->44
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 0ccef1acc478b5bed8063c03673029e0c2f31180099cea1248d3798682adcd6c
                                  • Instruction ID: f35e13b18c0c8e7fb5ca36850d11f2aef7e887fb5a2c61788880153eb54bb5b8
                                  • Opcode Fuzzy Hash: 0ccef1acc478b5bed8063c03673029e0c2f31180099cea1248d3798682adcd6c
                                  • Instruction Fuzzy Hash: 9731E4716047116FD7209F24DC89B6BB7E5EB85338F015F2DF9A8963E0D33298148B92

                                  Control-flow Graph
                                  control_flow_graph 55 6ef290-6ef293 56 6ef2a2-6ef2a5 call 6fdf2c 55->56 58 6ef2aa-6ef2ad 56->58 59 6ef2af-6ef2b0 58->59 60 6ef295-6ef2a0 call 7017d8 58->60 60->56 63 6ef2b1-6ef2b5 60->63 64 6121d0-612220 call 6121b0 call 6f0efb call 6f0651 63->64 65 6ef2bb 63->65 65->65
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0061220E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a
                                  • API String ID: 2659868963-2950016145
                                  • Opcode ID: f1364c98bf1024390b41e834fd73481cedb719d3e7c816810c62d8f3936c0c84
                                  • Instruction ID: 10c2a0084bb832a8a033c887293b96a7c7965a603d361288eb2e8dc991dcd90c
                                  • Opcode Fuzzy Hash: f1364c98bf1024390b41e834fd73481cedb719d3e7c816810c62d8f3936c0c84
                                  • Instruction Fuzzy Hash: D6012B7540030DABCB14EFA9E8068E977EE9A00320B448439FB18DB691EB30E9908795

                                  Control-flow Graph
                                  control_flow_graph 72 6f4942-6f494f 73 6f4979-6f498d call 705f82 72->73 74 6f4951-6f4974 call 6f4723 72->74 80 6f498f 73->80 81 6f4992-6f499b call 6fe11f 73->81 79 6f4ae0-6f4ae2 74->79 80->81 83 6f49a0-6f49af 81->83 84 6f49bf-6f49c8 83->84 85 6f49b1 83->85 88 6f49dc-6f4a10 84->88 89 6f49ca-6f49d7 84->89 86 6f4a89-6f4a8e 85->86 87 6f49b7-6f49b9 85->87 90 6f4ade-6f4adf 86->90 87->84 87->86 92 6f4a6d-6f4a79 88->92 93 6f4a12-6f4a1c 88->93 91 6f4adc 89->91 90->79 91->90 94 6f4a7b-6f4a82 92->94 95 6f4a90-6f4a93 92->95 96 6f4a1e-6f4a2a 93->96 97 6f4a43-6f4a4f 93->97 94->86 98 6f4a96-6f4a9e 95->98 96->97 99 6f4a2c-6f4a3e call 6f4cae 96->99 97->95 100 6f4a51-6f4a6b call 6f4e59 97->100 101 6f4ada 98->101 102 6f4aa0-6f4aa6 98->102 99->90 100->98 101->91 106 6f4abe-6f4ac2 102->106 107 6f4aa8-6f4abc call 6f4ae3 102->107 110 6f4ad5-6f4ad7 106->110 111 6f4ac4-6f4ad2 call 714a10 106->111 107->90 110->101 111->110
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: Oo
                                  • API String ID: 0-1480225735
                                  • Opcode ID: ccd0d4c27a2b258e28fb89644e39586041ab14c8e1aa3a09db835466aa095f96
                                  • Instruction ID: 7f43d7ecdf5556cde8d6a00a133b6f6c59ad04af4e779adc276e92dddb292f8f
                                  • Opcode Fuzzy Hash: ccd0d4c27a2b258e28fb89644e39586041ab14c8e1aa3a09db835466aa095f96
                                  • Instruction Fuzzy Hash: C451E370A0010CAFDB14CF58C881ABBBBB2EF49364F248158F9499B756D772AE41CB94

                                  Control-flow Graph
                                  control_flow_graph 115 704623-704633 116 704635-704648 call 6fd22c call 6fd23f 115->116 117 70464d-70464f 115->117 134 7049a7 116->134 119 704655-70465b 117->119 120 70498f-70499c call 6fd22c call 6fd23f 117->120 119->120 122 704661-70468a 119->122 137 7049a2 call 6f47a0 120->137 122->120 126 704690-704699 122->126 129 7046b3-7046b5 126->129 130 70469b-7046ae call 6fd22c call 6fd23f 126->130 132 70498b-70498d 129->132 133 7046bb-7046bf 129->133 130->137 139 7049aa-7049ad 132->139 133->132 138 7046c5-7046c9 133->138 134->139 137->134 138->130 142 7046cb-7046e2 138->142 144 7046e4-7046e7 142->144 145 704717-70471d 142->145 148 7046e9-7046ef 144->148 149 70470d-704715 144->149 146 7046f1-704708 call 6fd22c call 6fd23f call 6f47a0 145->146 147 70471f-704726 145->147 176 7048c2 146->176 151 704728 147->151 152 70472a-70472b call 706e2d 147->152 148->146 148->149 150 70478a-7047a9 149->150 154 704865-70486e call 710d44 150->154 155 7047af-7047bb 150->155 151->152 159 704730-704748 call 706db3 * 2 152->159 166 704870-704882 154->166 167 7048df 154->167 155->154 158 7047c1-7047c3 155->158 158->154 162 7047c9-7047ea 158->162 184 704765-704788 call 6fe13d 159->184 185 70474a-704760 call 6fd23f call 6fd22c 159->185 162->154 168 7047ec-704802 162->168 166->167 171 704884-704893 166->171 172 7048e3-7048f9 ReadFile 167->172 168->154 173 704804-704806 168->173 171->167 188 704895-704899 171->188 177 704957-704962 172->177 178 7048fb-704901 172->178 173->154 179 704808-70482b 173->179 186 7048c5-7048cf call 706db3 176->186 197 704964-704976 call 6fd23f call 6fd22c 177->197 198 70497b-70497e 177->198 178->177 182 704903 178->182 179->154 183 70482d-704843 179->183 190 704906-704918 182->190 183->154 191 704845-704847 183->191 184->150 185->176 186->139 188->172 196 70489b-7048b3 188->196 190->186 199 70491a-70491e 190->199 191->154 200 704849-704860 191->200 216 7048d4-7048dd 196->216 217 7048b5 196->217 197->176 205 704984-704986 198->205 206 7048bb-7048c1 call 6fd1e5 198->206 203 704920-704930 call 704335 199->203 204 704937-704944 199->204 200->154 224 704933-704935 203->224 212 704950-704955 call 70417b 204->212 213 704946 call 70448c 204->213 205->186 206->176 225 70494b-70494e 212->225 213->225 216->190 217->206 224->186 225->224
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bc428bf1f2cf1594aa54424dec068d3bf6b08b75b1ac6b25dd85ed2ce1e381b8
                                  • Instruction ID: e37efaa3ced52b8256df5faaa12cee5a01e54cca756fdecb75af6ad8ee35d2e5
                                  • Opcode Fuzzy Hash: bc428bf1f2cf1594aa54424dec068d3bf6b08b75b1ac6b25dd85ed2ce1e381b8
                                  • Instruction Fuzzy Hash: 8BB106B0A04249EFDB11DFA8D881BBE7BF2AF46304F148658E740972C1D778A941CBA5

                                  Control-flow Graph
                                  control_flow_graph 226 61a210-61a2ab call 6ef290 call 612ae0 231 61a2b0-61a2bb 226->231 231->231 232 61a2bd-61a2c8 231->232 233 61a2ca 232->233 234 61a2cd-61a2de call 6f5362 232->234 233->234 237 61a351-61a357 234->237 238 61a2e0-61a305 call 6f9136 call 6f4eeb call 6f9136 234->238 239 61a381-61a393 237->239 240 61a359-61a365 237->240 255 61a307 238->255 256 61a30c-61a316 238->256 243 61a377-61a37e call 6ef511 240->243 244 61a367-61a375 240->244 243->239 244->243 246 61a394-61a3ae call 6f47b0 244->246 254 61a3b0-61a3bb 246->254 254->254 257 61a3bd-61a3c8 254->257 255->256 258 61a328-61a32f call 67cf60 256->258 259 61a318-61a31c 256->259 260 61a3ca 257->260 261 61a3cd-61a3df call 6f5362 257->261 267 61a334-61a33a 258->267 263 61a320-61a326 259->263 264 61a31e 259->264 260->261 268 61a3e1-61a3f9 call 6f9136 call 6f4eeb call 6f8be8 261->268 269 61a3fc-61a403 261->269 263->267 264->263 270 61a33c 267->270 271 61a33e-61a349 call 6fdbdf call 6f8be8 267->271 268->269 273 61a405-61a411 269->273 274 61a42d-61a433 269->274 270->271 284 61a34e 271->284 278 61a423-61a42a call 6ef511 273->278 279 61a413-61a421 273->279 278->274 279->278 282 61a434-61a45e call 6f47b0 279->282 293 61a460-61a464 282->293 294 61a46f-61a474 282->294 284->237 293->294 295 61a466-61a46e 293->295
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: f5ca7058737cd4a74cb10bcdbb07855ec283289a2c5dd834be772ec48a9ea0ed
                                  • Instruction ID: 32e2797657fd3bff721036d3cb28ec1490138d9b334bbb4009215ad15df755fa
                                  • Opcode Fuzzy Hash: f5ca7058737cd4a74cb10bcdbb07855ec283289a2c5dd834be772ec48a9ea0ed
                                  • Instruction Fuzzy Hash: 7C715870901208AFDB14DFA8DC45BEFB7EAEF41300F14816DF918DB282D7B59A818792

                                  Control-flow Graph
                                  control_flow_graph 296 70549c-7054be 297 7056b1 296->297 298 7054c4-7054c6 296->298 301 7056b3-7056b7 297->301 299 7054f2-705515 298->299 300 7054c8-7054e7 call 6f4723 298->300 303 705517-705519 299->303 304 70551b-705521 299->304 307 7054ea-7054ed 300->307 303->304 306 705523-705534 303->306 304->300 304->306 308 705536-705544 call 6fe17d 306->308 309 705547-705557 call 704fe1 306->309 307->301 308->309 314 7055a0-7055b2 309->314 315 705559-70555f 309->315 316 7055b4-7055ba 314->316 317 705609-705629 WriteFile 314->317 318 705561-705564 315->318 319 705588-70559e call 704bb2 315->319 325 7055f5-705607 call 70505e 316->325 326 7055bc-7055bf 316->326 322 705634 317->322 323 70562b-705631 317->323 320 705566-705569 318->320 321 70556f-70557e call 704f79 318->321 338 705581-705583 319->338 320->321 327 705649-70564c 320->327 321->338 331 705637-705642 322->331 323->322 344 7055dc-7055df 325->344 332 7055e1-7055f3 call 705222 326->332 333 7055c1-7055c4 326->333 342 70564f-705651 327->342 339 705644-705647 331->339 340 7056ac-7056af 331->340 332->344 341 7055ca-7055d7 call 705139 333->341 333->342 338->331 339->327 340->301 341->344 346 705653-705658 342->346 347 70567f-70568b 342->347 344->338 350 705671-70567a call 6fd208 346->350 351 70565a-70566c 346->351 348 705695-7056a7 347->348 349 70568d-705693 347->349 348->307 349->297 349->348 350->307 351->307
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,006F9087,?,00000000,00000000,00000000,?,00000000,?,0061A3EB,006F9087,00000000,0061A3EB,?,?), ref: 00705622
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: b5c943fdd9fed001374c8abdcc4c1787279e9af277cd0f5ac2ad8bf7b05409fb
                                  • Instruction ID: f0a894bd11c60ae4755404657222e98d8f495e4b8b9c543cee303613c9e617cf
                                  • Opcode Fuzzy Hash: b5c943fdd9fed001374c8abdcc4c1787279e9af277cd0f5ac2ad8bf7b05409fb
                                  • Instruction Fuzzy Hash: 5B6191B1904519EFDF11DFA8C884AEFBBFAAF09304F140249E904A7295D37AD951CFA0

                                  Control-flow Graph
                                  control_flow_graph 354 680560-68057f 355 6806a9 call 612270 354->355 356 680585-680598 354->356 361 6806ae call 6121d0 355->361 357 68059a 356->357 358 6805c0-6805c8 356->358 360 68059c-6805a1 357->360 362 6805ca-6805cf 358->362 363 6805d1-6805d5 358->363 364 6805a4-6805a5 call 6ef290 360->364 369 6806b3-6806b8 call 6f47b0 361->369 362->360 366 6805d9-6805e1 363->366 367 6805d7 363->367 372 6805aa-6805af 364->372 370 6805f0-6805f2 366->370 371 6805e3-6805e8 366->371 367->366 375 680601 370->375 376 6805f4-6805ff call 6ef290 370->376 371->361 374 6805ee 371->374 372->369 378 6805b5-6805be 372->378 374->364 377 680603-680629 375->377 376->377 382 68062b-680655 call 6f0f70 call 6f14f0 377->382 383 680680-6806a6 call 6f0f70 call 6f14f0 377->383 378->377 392 680669-68067d call 6ef511 382->392 393 680657-680665 382->393 393->369 394 680667 393->394 394->392
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 006806AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 2fd6d8195ccf0a4ecc9ce930314de95d601755ec1b29172e5eab2bd1191b67fd
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: EB412772A001189FDB45EF68DD805AE7BA7AF85340F1406A9FC05EB302E730DE648BE5

                                  Control-flow Graph
                                  control_flow_graph 397 704b12-704b26 call 70a6de 400 704b28-704b2a 397->400 401 704b2c-704b34 397->401 402 704b7a-704b9a call 70a64d 400->402 403 704b36-704b3d 401->403 404 704b3f-704b42 401->404 412 704bac 402->412 413 704b9c-704baa call 6fd208 402->413 403->404 406 704b4a-704b5e call 70a6de * 2 403->406 407 704b60-704b70 call 70a6de FindCloseChangeNotification 404->407 408 704b44-704b48 404->408 406->400 406->407 407->400 419 704b72-704b78 407->419 408->406 408->407 417 704bae-704bb1 412->417 413->417 419->402
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,007049F9,00000000,CF830579,00741140,0000000C,00704AB5,006F8BBD,?), ref: 00704B69
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 148b28cdeda08621171fdf856ed42d9691d1f84b6593a6718f935262a93f4a1d
                                  • Instruction ID: 7c8668310b72909ef3975bc24f54b0f216b9fa86795e425af11b2f25fa9b2b70
                                  • Opcode Fuzzy Hash: 148b28cdeda08621171fdf856ed42d9691d1f84b6593a6718f935262a93f4a1d
                                  • Instruction Fuzzy Hash: 6F1148B3A44264E6C7256234A945B7E77DA8B837B4F290709FA048F0C2EF6EE8415195
                                  Control-flow Graph
                                  control_flow_graph 423 6fe05c-6fe074 call 70a6de 426 6fe08a-6fe0a0 SetFilePointerEx 423->426 427 6fe076-6fe07d 423->427 429 6fe0b5-6fe0bf 426->429 430 6fe0a2-6fe0b3 call 6fd208 426->430 428 6fe084-6fe088 427->428 431 6fe0db-6fe0de 428->431 429->428 432 6fe0c1-6fe0d6 429->432 430->428 432->431
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00740DF8,0061A3EB,00000002,0061A3EB,00000000,?,?,?,006FE166,00000000,?,0061A3EB,00000002,00740DF8), ref: 006FE099
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: e37926a81bdd21529b2abab843b40432898de7f5058721369356c74b6a121806
                                  • Instruction ID: 156a3563355b68792aef6ef27d2aefc6b47ef8e51204f0093e576454ed1eb507
                                  • Opcode Fuzzy Hash: e37926a81bdd21529b2abab843b40432898de7f5058721369356c74b6a121806
                                  • Instruction Fuzzy Hash: DF012B3261411DABCF05CF18CC45CAE3F2ADB86334F240248F9509B291FA72E9518BD0
                                  Control-flow Graph
                                  control_flow_graph 436 7063f3-7063fe 437 706400-70640a 436->437 438 70640c-706412 436->438 437->438 439 706440-70644b call 6fd23f 437->439 440 706414-706415 438->440 441 70642b-70643c RtlAllocateHeap 438->441 446 70644d-70644f 439->446 440->441 442 706417-70641e call 703f93 441->442 443 70643e 441->443 442->439 449 706420-706429 call 7017d8 442->449 443->446 449->439 449->441
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,006F91F7,00000000,?,00705D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,006FD244,006F89C3,006F91F7,00000000), ref: 00706435
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: a5613ae9b2ef08fce4082612bd87980eb6fd0916f81166bad8d6b5fc5ccf4a92
                                  • Instruction ID: 0e44b87bf9687aafac9a1fafab33556d069abc2b9029903437b67f80a803b4c7
                                  • Opcode Fuzzy Hash: a5613ae9b2ef08fce4082612bd87980eb6fd0916f81166bad8d6b5fc5ccf4a92
                                  • Instruction Fuzzy Hash: 19F0E931501165E6DB216B62DC26B6B3BC9DF41760F258312FD04961C0CB78EA3042F1
                                  Control-flow Graph
                                  control_flow_graph 452 706e2d-706e39 453 706e6b-706e76 call 6fd23f 452->453 454 706e3b-706e3d 452->454 461 706e78-706e7a 453->461 455 706e56-706e67 RtlAllocateHeap 454->455 456 706e3f-706e40 454->456 459 706e42-706e49 call 703f93 455->459 460 706e69 455->460 456->455 459->453 464 706e4b-706e54 call 7017d8 459->464 460->461 464->453 464->455
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0070D635,4D88C033,?,0070D635,00000220,?,007057EF,4D88C033), ref: 00706E60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 5a14fda28295d16836cc2fd18007d12cf7e007d0a3c8e3f9a0293257e01ffa9e
                                  • Instruction ID: 6b7c116df67b63f1d35e92882f3e00c712b87bfc7fa372c7baa774604345bb15
                                  • Opcode Fuzzy Hash: 5a14fda28295d16836cc2fd18007d12cf7e007d0a3c8e3f9a0293257e01ffa9e
                                  • Instruction Fuzzy Hash: 0DE0ED39101726EADB302265CD25B6B76CDAB823E0F450321FD04920D0CB28D92081E8
                                  APIs
                                  • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000218,00000000), ref: 0062A1BC
                                  • WriteProcessMemory.KERNEL32(?,00000218,00629E30,00000110,00000000), ref: 0062A1DB
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: MemoryProcessWrite
                                  • String ID: $$%s|%s$,$,$.$.$131$:$arqt$er$irvl$type must be boolean, but is $v|$|Nt$|Nt
                                  • API String ID: 3559483778-4098214756
                                  • Opcode ID: 9a4f1503f810c4e76020804e40dd4439fe9852e628aea9cd553807e1f97e9482
                                  • Instruction ID: 8dd9c5b605c01edd0afa6740988dcb6b4d68f29da5595c476c71a9597218c324
                                  • Opcode Fuzzy Hash: 9a4f1503f810c4e76020804e40dd4439fe9852e628aea9cd553807e1f97e9482
                                  • Instruction Fuzzy Hash: 6523DD70D002688FDB64DFA8D858BEDBBB2EF05300F14819DE449AB392DB759A85CF51
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00618E0E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00618E1B
                                  • GetModuleHandleA.KERNEL32(?), ref: 00618E85
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00618E8C
                                  • CloseHandle.KERNEL32(?), ref: 00619092
                                  • CloseHandle.KERNEL32(?), ref: 006190F4
                                  • CloseHandle.KERNEL32(00000000), ref: 00619121
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Close$AddressModuleProc
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 4110381430-3184506882
                                  • Opcode ID: 980ffea9b0d86130c63b95cb9d1c26636e5b8e82e8e63cc8961d5ed3b60470d1
                                  • Instruction ID: 69c952dbac37682729eec341a0087861d46b201d04a2a88b37ebcd2ffd765150
                                  • Opcode Fuzzy Hash: 980ffea9b0d86130c63b95cb9d1c26636e5b8e82e8e63cc8961d5ed3b60470d1
                                  • Instruction Fuzzy Hash: D1C1AE70D00259ABEF20CFA4CC95BEEBBBAEF05304F14446DE504AB281DB71A985CB65
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 006955FC
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 0069563E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00695686
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 006956C7
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00695708
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00695746
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 0069578E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 006957D6
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00695817
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 0069585D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: Fhnf$eIcm$yNrw
                                  • API String ID: 190572456-2794250838
                                  • Opcode ID: cc1b92fb83cfd9d2eba76f637669e992031e342bb7508b95d11d355c7687c298
                                  • Instruction ID: 5ab02f13958028b2d673b048749998c225e8651e77635798805834b5494a0d8d
                                  • Opcode Fuzzy Hash: cc1b92fb83cfd9d2eba76f637669e992031e342bb7508b95d11d355c7687c298
                                  • Instruction Fuzzy Hash: 54816EB0C1834CAEDF09CFA4C9456EEBBB9EF46300F50809ED841AB651D3794309CBA5
                                  APIs
                                  • Process32Next.KERNEL32(00000000,?), ref: 006192B0
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: NextProcess32
                                  • String ID: /$/\/$\
                                  • API String ID: 1850201408-1523196992
                                  • Opcode ID: a9684c0b79aa8be1dfa5fccc264561247d97b42fa1f4e09e42d0dc442a232cba
                                  • Instruction ID: 0380aa0d1a26930a455ec833e3b967968ed394f2f689566c53cb9858c3bea315
                                  • Opcode Fuzzy Hash: a9684c0b79aa8be1dfa5fccc264561247d97b42fa1f4e09e42d0dc442a232cba
                                  • Instruction Fuzzy Hash: DF92E571D002498FDF19CFA8C8A46EEFBB7AF45314F1842ADD445A7381E7315A86CBA1
                                  Strings
                                  • unordered_map/set too long, xrefs: 006878C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: unordered_map/set too long
                                  • API String ID: 0-306623848
                                  • Opcode ID: f5e83e82ab866aaf896b5aecc9f2510040d4ea2f7c5472b63c06232874b9f1ed
                                  • Instruction ID: 0f10fa7d28e249df8eccebe9a3e87feee8fa10c82ce84aad0ebdb87377bebee7
                                  • Opcode Fuzzy Hash: f5e83e82ab866aaf896b5aecc9f2510040d4ea2f7c5472b63c06232874b9f1ed
                                  • Instruction Fuzzy Hash: 6A6252B5E046099FCB14DF5DC88069DFBB6FF48310F248669E819AB395E730E951CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 7d66f33b0a0f35218b4392936faf11a567083fd4a5c8e033234c70605f176e6e
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: 85021C71E012199FDF14CFA9C8806EEFBB2FF48314F2482A9D615E7381DB31A9418B94
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
                                  • API String ID: 0-1144537432
                                  • Opcode ID: e64c9402b1c65142fa15b23e57eca0f69f9c9eb675bff3c905ad8b009b2bc7f5
                                  • Instruction ID: e95ac3110a608121644531c6c79464c34aa92de507e52775e02e79b21d1776eb
                                  • Opcode Fuzzy Hash: e64c9402b1c65142fa15b23e57eca0f69f9c9eb675bff3c905ad8b009b2bc7f5
                                  • Instruction Fuzzy Hash: 76911771E006089FCB08DF6CD8557DDB7AAEB48310F14826EE81AD7391EB759E45CB84
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • String ID: Lt$Lt
                                   • API String ID: 0-3389236196
                                   • Opcode ID: 91e3a1db4e71e5e10073fb7e0bece2af96cee4d3681a0fcde250511906edf46e
                                   • Instruction ID: 182111e95044c21ebbdd3156a29b2b4e3e1ba8fa4407e007277fae8e3ec1dfaf
                                   • Opcode Fuzzy Hash: 91e3a1db4e71e5e10073fb7e0bece2af96cee4d3681a0fcde250511906edf46e
                                   • Instruction Fuzzy Hash: 4D7104B4E001478FDB14CF68D8F17FEBBB6EB1A300F080169D85597382C7289996D7A4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • String ID: 0
                                   • API String ID: 0-4108050209
                                   • Opcode ID: f59973421acec0401f60baae4ff95d8dffc18c2ec8935f19df41d739d6144e87
                                   • Instruction ID: 15752cfa0dfd80659947a274824a8d884aae97067e6dd2604a8cf944c663e183
                                   • Opcode Fuzzy Hash: f59973421acec0401f60baae4ff95d8dffc18c2ec8935f19df41d739d6144e87
                                   • Instruction Fuzzy Hash: DCB1DF7490064ECFDB28CF68CA90ABAB7B3AF45320F14461DD69697392C731AD46CF51
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,006EEC78,?,?,?,?,006240EB,?,00673C2E), ref: 006EF283
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • API ID: Time$FilePreciseSystem
                                   • API String ID: 1802150274-0
                                   • Opcode ID: 4ab0699eaa22abc8f7f4b345cca613462131a1c13eb5ede7bbe1551415ace10c
                                   • Instruction ID: f6056513073b0e9c639c321269754008fb535b288633e6fa3820b08f8c748575
                                   • Opcode Fuzzy Hash: 4ab0699eaa22abc8f7f4b345cca613462131a1c13eb5ede7bbe1551415ace10c
                                   • Instruction Fuzzy Hash: 02D022366023BC5B8A012FD5AC008ADBB19DA0ABD03008036EA0847214CB112E114BC9
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: 79dd3f20e16991c15d1267149b7d153a0cd8f80b80f67dee2f78a6fbb2c20c66
                                   • Instruction ID: 490225665cf96448911b3d4bd793a20d3912e3689d48c856defc566809157fb9
                                   • Opcode Fuzzy Hash: 79dd3f20e16991c15d1267149b7d153a0cd8f80b80f67dee2f78a6fbb2c20c66
                                   • Instruction Fuzzy Hash: D7625FB0E002159BDF14CF9DC5846ADBBF6AF88308F2881ADD804AB756D735D946CB91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: f4caeb42d6e3ca6b97ade45ed590790097d377850a4ef7fc359fe3da07204474
                                   • Instruction ID: 3a57aa204e9bcbb2ad35e9d14f48da149560d77495609b72be920f4de815d9a0
                                   • Opcode Fuzzy Hash: f4caeb42d6e3ca6b97ade45ed590790097d377850a4ef7fc359fe3da07204474
                                   • Instruction Fuzzy Hash: 26B1C575600745DBDB389B24CC92BB7B3E9EB45308F14863DE946C69C0EB79B985CB10
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: 3b6a5086b1900c1d5daa96ed89da9641b9abe26cbe81264f5dbb23adc8cfb83e
                                   • Instruction ID: bca37213a3932e650bb07ecb692ed22880529b3b7ae5b96dd73cf140bfe576b8
                                   • Opcode Fuzzy Hash: 3b6a5086b1900c1d5daa96ed89da9641b9abe26cbe81264f5dbb23adc8cfb83e
                                   • Instruction Fuzzy Hash: C3B10771620609DFD715CF28C48AB657BE0FF45364F298658EA99CF2E2C339E991CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: ba4c367d3561a128af2175b357766f99b7406bfb9e26fe2074cce3ab5bed38c7
                                   • Instruction ID: 4ea219070c4199a322093710a7bbfe4828fa70e05f025f3755c24dad56520d0f
                                   • Opcode Fuzzy Hash: ba4c367d3561a128af2175b357766f99b7406bfb9e26fe2074cce3ab5bed38c7
                                   • Instruction Fuzzy Hash: 7F610F716101658BD728CF5EECC04663352A79A301386861EEAC1DB3A6C73DF927DBA4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: 8b6f8d91b258ddd366aa127feaa82e056cdafcf91b599d92903cb28a9ff09b4d
                                   • Instruction ID: b4558189d96283d10e1c2ed566ea64e467b6890010d49629dceaf4aeb78555b8
                                   • Opcode Fuzzy Hash: 8b6f8d91b258ddd366aa127feaa82e056cdafcf91b599d92903cb28a9ff09b4d
                                   • Instruction Fuzzy Hash: 2551B171E016299FCB14DF98D885AEEBBB6FF48310F14456DE415A7340DB319A44CFA4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                   • Instruction ID: 5d70da5b4fc8b9d8b89316e1cc3b8cb928f49fb33a214e1a0c792a47a223e989
                                   • Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                   • Instruction Fuzzy Hash: 23516C72D00219EFDF14CF98C941AEEBBB6FF88314F198469E915AB341D734AA50DB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                   Similarity
                                   • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                   • Instruction ID: ece7320d628382092acfe88d7ac4c5936d32b2fff10cfb40f05a4a0b022c6e9f
                                   • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                   • Instruction Fuzzy Hash: 9C113AB724108B43E6148A7DD8B46F7A397FFCA32072C437AD3828B758D222ED459E00
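The per-function records above all follow one fixed layout (APIs, Strings, Memory Dump Source, Similarity fields, closing with the Instruction Fuzzy Hash), which makes them easy to post-process when a report runs to thousands of functions. The Python below is an added example, not code from Joe Sandbox or from this report: it parses records in that layout and groups them so that functions whose only references are into the statically linked C++ runtime can be set aside before manual review. The sample text is constructed to mirror the records on this page (the all-zero hashes of the second sample record are placeholders), and both the module list treated as runtime code (LIBCPMT, LIBCMT, MSVCRT) and the library-string table are assumptions for the heuristic.

```python
"""Parse Joe Sandbox per-function records and set runtime-library code aside.

Added example, not Joe Sandbox code.  A record is one of the repeated
'APIs / Strings / Memory Dump Source / Similarity' blocks; each closes with
its 'Instruction Fuzzy Hash' line.
"""
import re
from typing import Dict, List

SECTIONS = {"APIs", "Strings", "Memory Dump Source", "Similarity"}
# Assumption: refs into these modules are statically linked MSVC CRT/STL code.
CRT_MODULES = {"LIBCPMT", "LIBCMT", "MSVCRT"}
# Assumption: messages the analyst has mapped to embedded third-party code
# (these two are the nlohmann::json type_error texts).
LIBRARY_STRINGS = {"type must be number, but is", "type must be string, but is"}

# "• Name.MODULE(args), ref: ADDR" or "• ns::Name.MODULE ref: ADDR"
API_RE = re.compile(r"^• (?P<name>.+?)\.(?P<module>[A-Z0-9_]+)"
                    r"(?:\(.*\))?,? ref: (?P<ref>[0-9A-Fa-f]+)$")
FIELD_RE = re.compile(r"^• (?P<key>[^:]+):\s?(?P<value>.*)$")

# Constructed sample mirroring this page's records; the all-zero hashes of
# the second record are placeholders, not values from the report.
SAMPLE = """\
APIs
• GetSystemTimePreciseAsFileTime.KERNEL32(?,?,006EEC78,?,?,?,?,006240EB,?,00673C2E), ref: 006EF283
Memory Dump Source
• Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
Similarity
• API ID: Time$FilePreciseSystem
• String ID:
• API String ID: 1802150274-0
• Opcode ID: 4ab0699eaa22abc8f7f4b345cca613462131a1c13eb5ede7bbe1551415ace10c
• Instruction ID: f6056513073b0e9c639c321269754008fb535b288633e6fa3820b08f8c748575
• Opcode Fuzzy Hash: 4ab0699eaa22abc8f7f4b345cca613462131a1c13eb5ede7bbe1551415ace10c
• Instruction Fuzzy Hash: 02D022366023BC5B8A012FD5AC008ADBB19DA0ABD03008036EA0847214CB112E114BC9
APIs
• std::_Lockit::_Lockit.LIBCPMT ref: 0067F833
• std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0067F959
• std::_Facet_Register.LIBCPMT ref: 0067FA15
Similarity
• API ID: placeholder
• String ID:
• API String ID: 0-0
• Opcode ID: 0000000000000000000000000000000000000000000000000000000000000000
• Instruction ID: 0000000000000000000000000000000000000000000000000000000000000000
• Opcode Fuzzy Hash: 0000000000000000000000000000000000000000000000000000000000000000
• Instruction Fuzzy Hash: 0000000000000000000000000000000000000000000000000000000000000000000000
Strings
Similarity
• API ID:
• String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
• API String ID: 0-1144537432
• Opcode ID: e64c9402b1c65142fa15b23e57eca0f69f9c9eb675bff3c905ad8b009b2bc7f5
• Instruction ID: e95ac3110a608121644531c6c79464c34aa92de507e52775e02e79b21d1776eb
• Opcode Fuzzy Hash: e64c9402b1c65142fa15b23e57eca0f69f9c9eb675bff3c905ad8b009b2bc7f5
• Instruction Fuzzy Hash: 76911771E006089FCB08DF6CD8557DDB7AAEB48310F14826EE81AD7391EB759E45CB84
"""


def _split_dollar(value: str) -> List[str]:
    """Joe Sandbox joins multi-valued ID fields with '$'."""
    return [p.strip() for p in value.split("$") if p.strip()]


def parse_records(text: str) -> List[Dict]:
    """Turn report text into one dict per function record."""
    records: List[Dict] = []
    rec: Dict = {"apis": [], "fields": {}, "strings": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
        elif section == "APIs":
            m = API_RE.match(line)
            if m:
                rec["apis"].append({"name": m["name"], "module": m["module"],
                                    "ref": int(m["ref"], 16)})
        elif (m := FIELD_RE.match(line)):
            key, value = m["key"].strip(), m["value"].strip()
            rec["fields"][key] = value
            if key == "String ID":
                rec["strings"] = _split_dollar(value)
            if key == "Instruction Fuzzy Hash":  # last field of every record
                records.append(rec)
                rec, section = {"apis": [], "fields": {}, "strings": []}, None
    return records


def classify(rec: Dict) -> str:
    """Coarse triage class: library code is set aside, the rest is read first."""
    modules = {a["module"] for a in rec["apis"]}
    if modules and modules <= CRT_MODULES:
        return "runtime-library"
    if any(s in LIBRARY_STRINGS for s in rec["strings"]):
        return "library-strings"
    return "imports-win32" if modules else "no-imports"


def triage(records: List[Dict]) -> Dict[str, List[str]]:
    """Group Opcode IDs by triage class."""
    out: Dict[str, List[str]] = {}
    for rec in records:
        out.setdefault(classify(rec), []).append(rec["fields"].get("Opcode ID", ""))
    return out


if __name__ == "__main__":
    for rec in parse_records(SAMPLE):
        names = ", ".join(a["name"] for a in rec["apis"]) or "-"
        print(f"{rec['fields']['Opcode ID'][:16]}  {classify(rec):16}  {names}")
```

Because Opcode ID and Opcode Fuzzy Hash carry the same value in every record on this page, either can serve as the record key; the Instruction Fuzzy Hash is the one that changes when only operands differ, so it is the field to compare when hunting for near-duplicate functions across samples.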
                                   APIs
                                   • std::_Lockit::_Lockit.LIBCPMT ref: 0067F833
                                   • std::_Lockit::_Lockit.LIBCPMT ref: 0067F855
                                   • std::_Lockit::~_Lockit.LIBCPMT ref: 0067F875
                                   • std::_Lockit::~_Lockit.LIBCPMT ref: 0067F89F
                                   • std::_Lockit::_Lockit.LIBCPMT ref: 0067F90D
                                   • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0067F959
                                   • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0067F973
                                   • std::_Lockit::~_Lockit.LIBCPMT ref: 0067FA08
                                   • std::_Facet_Register.LIBCPMT ref: 0067FA15
                                   Note: the _Lockit / _Locinfo_ctor / _Facet_Register sequence is the MSVC STL locale-facet registration path (a std::use_facet instantiation), i.e. statically linked C++ runtime code rather than sample-specific logic.
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"s
                                  • API String ID: 3375549084-604839468
                                  • Opcode ID: 338c329a5bc349a56c39bf84e326abfe73db452155e6677f678be87274f20396
                                  • Instruction ID: c0a508141fa9e65212525170eaadcaacac9c8aad03f981879389293afb6b5d04
                                  • Opcode Fuzzy Hash: 338c329a5bc349a56c39bf84e326abfe73db452155e6677f678be87274f20396
                                  • Instruction Fuzzy Hash: BF619FB1D003489FEF10DFA4D845BDEBBB6AF05310F148469E909AB341EB75E905CB96
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00613E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3a$@3a$G>a$G>a$`!a$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-527727151
                                  • Opcode ID: d9fba3af672d89c2a6776905a383dbbe5fa038a8d9542d0597eb35bb8330b0e3
                                  • Instruction ID: 225a63e647def3f9941bbc60f09c5979456d5dc87bd85b92b244f56d45e7c04b
                                  • Opcode Fuzzy Hash: d9fba3af672d89c2a6776905a383dbbe5fa038a8d9542d0597eb35bb8330b0e3
                                  • Instruction Fuzzy Hash: 0141B7B6900208AFC704DF68D845BEEB7F9EF49310F18852EF919D7741E774AA418BA4
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 006F2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 006F2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 006F2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 006F2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 006F2F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: it$csm
                                  • API String ID: 1170836740-3264412754
                                  • Opcode ID: 8736156fafcbef0299cdcfbbd07f350fe764fd22a6180758b8d5efc534791d65
                                  • Instruction ID: 9de664588bef6b4e3f8948067bb9506ea3f6714aa4b7939b3c0c1d849a66753c
                                  • Opcode Fuzzy Hash: 8736156fafcbef0299cdcfbbd07f350fe764fd22a6180758b8d5efc534791d65
                                  • Instruction Fuzzy Hash: 7B41E670A0020EABCF10DF68C895AEEBBB7AF44314F148159EA149B392D735EE55CF91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00613E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3a$@3a$`!a$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-2969703582
                                  • Opcode ID: f48c951cf8818892d9afb48e0a46600bec45ee106fb853a914306a69b68e9c92
                                  • Instruction ID: ce355c44fff13ecf1932621c745f5de2de64d06d2331a9da3d6c3c273bc8b061
                                  • Opcode Fuzzy Hash: f48c951cf8818892d9afb48e0a46600bec45ee106fb853a914306a69b68e9c92
                                  • Instruction Fuzzy Hash: 532105B29003156BC714DF58D801BD6B7EDAB04310F18883EFA69CB782E774EA558B95
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00614F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00614FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 006150C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3a$`!a$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-3323244774
                                  • Opcode ID: 8ed24b8f2d759d10d6cf0664cf88d20b5ca656af8b1bc86a47da826170ebc4e0
                                  • Instruction ID: f49576336a6b2270542f94e8f29f7a7e4a826725d814c4635a455442063ea4bb
                                  • Opcode Fuzzy Hash: 8ed24b8f2d759d10d6cf0664cf88d20b5ca656af8b1bc86a47da826170ebc4e0
                                  • Instruction Fuzzy Hash: A8E106B19006049FDB18DF68D845BAEF7FAFF44300F148A2DE45693781DB74A944CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0061799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00617B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a$out_of_range$type_error
                                  • API String ID: 2659868963-2932849461
                                  • Opcode ID: 884423ed977d23769f0438695abc4b1e9d907763bf88919e0cab3b5aa6c85ab7
                                  • Instruction ID: 8a508275156c77be0f89056ea029d4fa6be501922bd991d7f2fb37e4d41c1578
                                  • Opcode Fuzzy Hash: 884423ed977d23769f0438695abc4b1e9d907763bf88919e0cab3b5aa6c85ab7
                                  • Instruction Fuzzy Hash: 30C159B19042488FDB58CFA8D88479DBBF6FF48310F14866DE419EB782E774A984CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 006132C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00613350
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4a$@3a$`!a$`!a
                                  • API String ID: 2970364248-2866485508
                                  • Opcode ID: f145c6ad978ab518fd571b1c3c2b9d0474699c698534927ca1b0bd49f692599e
                                  • Instruction ID: e44043c3e0ab9d3d75962f9797dcc0a680733bb55b1093d0cfacac44eddbd370
                                  • Opcode Fuzzy Hash: f145c6ad978ab518fd571b1c3c2b9d0474699c698534927ca1b0bd49f692599e
                                  • Instruction Fuzzy Hash: CC5190719002589FDB08DF98D885BDEBBF6FF48310F14812DE815A7391D7749A85CB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00613A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00613AA4
                                  • __Getctype.LIBCPMT ref: 00613ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00613AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00613B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: d03b691699653f84564e9d1d3cf68f16d630c6973f7999d2d156a437ba651611
                                  • Instruction ID: 87c156b5c43f2455967ef5b8aae992c0c0985d4faef21df3496067d1520c80f9
                                  • Opcode Fuzzy Hash: d03b691699653f84564e9d1d3cf68f16d630c6973f7999d2d156a437ba651611
                                  • Instruction Fuzzy Hash: 7651A3B1D003589FEF10DFA4D845BDEBBBAAF14310F184069E80AAB341E775EA44CB55
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0067DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 0067DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0067DED6
                                  • std::_Facet_Register.LIBCPMT ref: 0067DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 0067DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0067DF7B
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 1e0889e3bcbe921f94f16d2c04c36142f8f307979d70559e7513844dbde259d4
                                  • Instruction ID: 7a50dfa148f05645daab2e9572cab965cd48fb1a50b22c94f7305f6399f605c5
                                  • Opcode Fuzzy Hash: 1e0889e3bcbe921f94f16d2c04c36142f8f307979d70559e7513844dbde259d4
                                  • Instruction Fuzzy Hash: 2D4122719002599FCB14DF54D841AAEBBB6FF02720F148A6DE81A6B392D735AD00CBD5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00617340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                   • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                   • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a$parse error$parse_error
                                  • API String ID: 2659868963-518157307
                                  • Opcode ID: 0b38351919e88d80d53c3245a54333f215dc351a80c5bfdcc485ea16816008c6
                                  • Instruction ID: fd4282aee81379ba642bbf660b519deb2d4f09f91db1702688a9e3255d544a2d
                                  • Opcode Fuzzy Hash: 0b38351919e88d80d53c3245a54333f215dc351a80c5bfdcc485ea16816008c6
                                  • Instruction Fuzzy Hash: A3E160719042489FDB58CF68C88579DBBB2FF48300F2482ADE418EB792D774AA85CF55
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 006175BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 006175CD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!a
                                  • API String ID: 4194217158-4061532102
                                  • Opcode ID: fac936b3dadb10fa525367be681f9442e85a384f8480138d553411cf73e1b2f5
                                  • Instruction ID: 6474454c34ea9d5d4748950f1e47fe732f13f4cb84c3b98c5ec7acc5a0989fba
                                  • Opcode Fuzzy Hash: fac936b3dadb10fa525367be681f9442e85a384f8480138d553411cf73e1b2f5
                                  • Instruction Fuzzy Hash: 3861E571A042449FDB08DF68DC84BADBBB7FF44300F24866CE415A7782D774AA85CB95
                                  APIs
                                    • Part of subcall function 00613190: ___std_exception_copy.LIBVCRUNTIME ref: 006132C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0061345F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4a$@3a$@3a$`!a
                                  • API String ID: 2659868963-729318152
                                  • Opcode ID: 5d52550c5cfb9c09c8be2772ce6ad9e2af489f0bd4a1364bc5bc475ab947eb6a
                                  • Instruction ID: a795d330ea3ed3ebc014253bc1cc80fcbcf3aa6d11de0337fa6a530aa877856d
                                  • Opcode Fuzzy Hash: 5d52550c5cfb9c09c8be2772ce6ad9e2af489f0bd4a1364bc5bc475ab947eb6a
                                  • Instruction Fuzzy Hash: 3B3165B5900209AFCB18DFA8D841AEDFBF9FB08310F14452AE515D7741E774AA90CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0061345F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4a$@3a$@3a$`!a
                                  • API String ID: 2659868963-729318152
                                  • Opcode ID: e2796519b44458ba33d7c2ede9e207a3778f8b21074329a406267bfbe8570812
                                  • Instruction ID: 1c4bb9fab6f24ef6ec70d90399ddf6efce9662bb49fa8b85aabffb986181e5ab
                                  • Opcode Fuzzy Hash: e2796519b44458ba33d7c2ede9e207a3778f8b21074329a406267bfbe8570812
                                  • Instruction Fuzzy Hash: 9301FFB6500609AF8704DFA9D445C96FBFDBF44310704843AE62987651E7B4E564CBA4
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00616F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00616F20
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!a
                                  • API String ID: 4194217158-4140099681
                                  • Opcode ID: 92714117c6c7d830026bf179bc54a5fa14520a958e0683c124f2acaf32348c74
                                  • Instruction ID: 79557fa2316915cb5276b363b918c199adf2f4ab16a818f48250d609eba9ae73
                                  • Opcode Fuzzy Hash: 92714117c6c7d830026bf179bc54a5fa14520a958e0683c124f2acaf32348c74
                                  • Instruction Fuzzy Hash: 9191C274A002089FDB18CF68D884BDEBBF6EF45300F24866CF415AB792D775A985CB90
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00612275
                                    • Part of subcall function 006ED6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 006ED6F5
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$Lt$Lt
                                  • API String ID: 1997705970-2690579142
                                  • Opcode ID: e1367337e72a3654317d53a53353d9f7070d28b766d47b46050b4a9892611573
                                  • Instruction ID: 8deb64e3bb234c8146c45d913012e5f92180ff21536f733a6fa5d0aa67348669
                                  • Opcode Fuzzy Hash: e1367337e72a3654317d53a53353d9f7070d28b766d47b46050b4a9892611573
                                  • Instruction Fuzzy Hash: CD81F375A042869FDB05CF68C4A17EDBFF2EF5A300F1841AEC89497742C3798595CBA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 006177B4
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a$invalid_iterator
                                  • API String ID: 2659868963-3237503699
                                  • Opcode ID: 11f8d1eeddd601b00f409e306ac83064df6aaa92451a87d43612bf6deef0454a
                                  • Instruction ID: ea9ca5d7b9f33d6d998e1fdb7713af002e13ac65612d80bd0ed542e07428a795
                                  • Opcode Fuzzy Hash: 11f8d1eeddd601b00f409e306ac83064df6aaa92451a87d43612bf6deef0454a
                                  • Instruction Fuzzy Hash: 32514CB49002489FDB58CFA8D88479DFBF2FB48310F14866DE419EB792E774A980CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00617D67
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a$other_error
                                  • API String ID: 2659868963-2956210967
                                  • Opcode ID: bdea8a00d3216ffdc99e80c19f2004326f861809700b199995d20276ead4eeff
                                  • Instruction ID: 28df2186c7ebb224a20863398a0030cea5bea2e3cf665f8df192d4b06b27557b
                                  • Opcode Fuzzy Hash: bdea8a00d3216ffdc99e80c19f2004326f861809700b199995d20276ead4eeff
                                  • Instruction Fuzzy Hash: 1C514AB0D042488FDB48CFA8E8847DDBBF2BF48300F148669E459EB792D774A984CB55
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0067D06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0067D096
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a
                                  • API String ID: 2659868963-2950016145
                                  • Opcode ID: 7fc8f6e7b5caad27095f023d575f6b83fa16a16d898d90fd65a25be53f7d1770
                                  • Instruction ID: fc6705a75d7eb4a5cd1f120d5c4da8df22a9418e8d339ab610109cc272735738
                                  • Opcode Fuzzy Hash: 7fc8f6e7b5caad27095f023d575f6b83fa16a16d898d90fd65a25be53f7d1770
                                  • Instruction Fuzzy Hash: 9101A4B650060AAF9704DF59D405892FBF9FB48710701853FE529CBB11E7B4E568CFA4
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0068B3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0068B406
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a
                                  • API String ID: 2659868963-2950016145
                                  • Opcode ID: d2c42db6790996b948ea0e3629afee07429951a929504ba9eac4dac7aeaba6cb
                                  • Instruction ID: 2ad8a0dac1ed10ab9413a387feaba99b608e6c0b84de971438b02f3445dc83a0
                                  • Opcode Fuzzy Hash: d2c42db6790996b948ea0e3629afee07429951a929504ba9eac4dac7aeaba6cb
                                  • Instruction Fuzzy Hash: 1FF0C4B650060AAF8708DF58D405896BBE9FB48710301853FE52ACBB02E7B4E568CFA4
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 0068B612
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Pxh$invalid hash bucket count
                                  • API String ID: 909987262-1744656201
                                  • Opcode ID: ccaf16c674c6138a76b4165122e7fb0dc3fcb254c6061b8da2e7a043fc4d6136
                                  • Instruction ID: 78883b0a48c40bddc078fbfb384fa7658b3e8ae9a440f10f45c582f08baa179e
                                  • Opcode Fuzzy Hash: ccaf16c674c6138a76b4165122e7fb0dc3fcb254c6061b8da2e7a043fc4d6136
                                  • Instruction Fuzzy Hash: B471F1B5A00605DFCB14DF49C18086AFBF6FF89310724C6AAD8599B356D771EA42CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 0068E491
                                  Strings
                                  • type must be boolean, but is , xrefs: 0068E582
                                  • type must be string, but is , xrefs: 0068E4F8
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: a68be40628d99d1458a421483f23cb6b44ee77ced1bc248a5541c8ae08079dd4
                                  • Instruction ID: cedaccc09c038b6dd72189f5571ed5c5477d54305a3b96dcf2ad6c83ea201573
                                  • Opcode Fuzzy Hash: a68be40628d99d1458a421483f23cb6b44ee77ced1bc248a5541c8ae08079dd4
                                  • Instruction Fuzzy Hash: 70413DB59002489FD714FBA4D802BDE77AADB00310F14867CF519D7782EB36E944C796
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00613078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3319167481.0000000000611000.00000040.00000001.01000000.00000003.sdmp, Offset: 00610000, based on PE: true
                                  • Associated: 00000000.00000002.3319079187.0000000000610000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319167481.0000000000743000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319487653.0000000000748000.00000008.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.000000000074C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000008CF000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000961000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000990000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.0000000000997000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3319543415.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320092164.00000000009A7000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320291056.0000000000B01000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3320330323.0000000000B02000.00000080.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_610000_LisectAVT_2403002A_376.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!a$`!a
                                  • API String ID: 2659868963-2950016145
                                  • Opcode ID: 7eb3a86287353dc55b1317e325ceed5a2d7e526aacdef3094f2a39781f1bd2a8
                                  • Instruction ID: e9342a2ceff3dd3d0c920b6bdbbc43443496ba9f0c73f0ea91b615df7cce7e38
                                  • Opcode Fuzzy Hash: 7eb3a86287353dc55b1317e325ceed5a2d7e526aacdef3094f2a39781f1bd2a8
                                  • Instruction Fuzzy Hash: ACE012B69013089BC710DFACD8059CAFFF9AB19711F0086BAE948D7301F6B0D5A48BD5

                                  Execution Graph

                                  Execution Coverage:3.3%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:608
                                  Total number of Limit Nodes:61
                                  execution_graph: rendered as an image in the original; the raw node and edge listing is omitted here. API call paths recoverable from it:
                                  • 4d3a40 -> 4d3a55: GetCursorPos twice, then GetPEB (4d3a73, 4d3b28) and Sleep (4d3ae8, 4d3b9d); the Sleep at 4d3b9d loops back to the GetCursorPos at 4d3a55 (the mouse cursor move detection reported in the signatures)
                                  • 48e0a0: WSAStartup -> socket (48e175) -> connect (48e18b) -> closesocket (48e19d) -> socket again (the connect loop behind "Connects to many ports of the same IP")
                                  • File I/O inside the C runtime: SetFilePointerEx (55e08a), ReadFile (5648e3), WriteFile (565609), FindCloseChangeNotification (564b66)
                                  • The remaining nodes (rooted at 47a210) are MSVC runtime and STL internals (std::locale, __Getctype, __dosmaperr, ___std_exception_copy, std::_Facet_Register, std::_Xinvalid_argument, Concurrency::cancel_current_task) whose only listed API is RtlAllocateHeap

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 4d3a40-4d3bfd, APIs GetCursorPos, GetPEB, Sleep, calls to 476bd0
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004D3A53
                                  • GetCursorPos.USER32(?), ref: 004D3A59
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,004D3DB6), ref: 004D3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,004D3DB6), ref: 004D3BBA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CursorSleep
                                  • String ID:
                                  • API String ID: 4211308429-0
                                  • Opcode ID: 272e416546be557eb93d1227ba28ac064895928067bbcbfb31781c068874adb5
                                  • Instruction ID: 0de6e657d77e4024e5898b878d92f7b56296577fcde8be37aa0d9ac107edadb7
                                  • Opcode Fuzzy Hash: 272e416546be557eb93d1227ba28ac064895928067bbcbfb31781c068874adb5
                                  • Instruction Fuzzy Hash: 4E51A635A042198FCB24CF48C8E0EAAB3B1EF49705B29859BD445AF312D735FE06CB81

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 48e0a0-48e1d9, APIs WSAStartup, socket, connect, closesocket, two calls to 476bd0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 12279827b1743ee00079240155b449fcf416dcbc49fae234058b515c81fd4ef5
                                  • Instruction ID: 150e1a53596166d5c7dadf4aa246144e89e79688dc4927ffb3297b41a569938d
                                  • Opcode Fuzzy Hash: 12279827b1743ee00079240155b449fcf416dcbc49fae234058b515c81fd4ef5
                                  • Instruction Fuzzy Hash: 5631C4716043116FD720AF268C8972FB7E4EB85338F055F1EF9A8963E0D33598048B96

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 54f290-54f2bb and 4721d0-472220, calls to 55df2c, 5617d8, 4721b0, 550efb, 550651
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047220E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: a2d64584a69703c529089ed5d72c6a9d8f268314ba9ef04f55727482c384dd39
                                  • Instruction ID: ea9b829a6813ae5cb2a36d30b38be6e42d71b7d1f02cb08aa8abca3b16971e9c
                                  • Opcode Fuzzy Hash: a2d64584a69703c529089ed5d72c6a9d8f268314ba9ef04f55727482c384dd39
                                  • Instruction Fuzzy Hash: 7501F73950420EABCB14AF98EC068997FECFA00314B54843AFE1CDB591E770E9548794

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 554942-554ae2, calls to 554723, 565f82, 55e11f, 554cae, 554e59, 554ae3, 574a10
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: OU
                                  • API String ID: 0-2654382709
                                  • Opcode ID: 56a5bcf26af79f9dd0356ef96a19cf4d7dfc845bd8d4193fde18e20232a3abae
                                  • Instruction ID: add63043ac34d7a46c6e2f7f28e60beb6d91446766a48b601665dc828cb9d66d
                                  • Opcode Fuzzy Hash: 56a5bcf26af79f9dd0356ef96a19cf4d7dfc845bd8d4193fde18e20232a3abae
                                  • Instruction Fuzzy Hash: 9251B670A00108AFDB54CF58C855AAEBFB6FF85369F24815AFC495B252D3319E85CF90

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 564623-5649ad, API ReadFile, calls to 55d22c, 55d23f, 5547a0, 566e2d, 566db3, 55e13d, 570d44, 55d1e5, 564335, 56448c, 56417b
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df09affec0faeaae770c997c72fa4a3ac647c7ac5199ed70f23d5b8dc15444cd
                                  • Instruction ID: cb987b40ad037e426a4c0bcbc8f9c1f960165fee2d5183613dcaaf7bcd53e040
                                  • Opcode Fuzzy Hash: df09affec0faeaae770c997c72fa4a3ac647c7ac5199ed70f23d5b8dc15444cd
                                  • Instruction Fuzzy Hash: 15B12575A0424AAFDB11DFA8D890BBEBFB1FF8A314F144159E8549B282C7709D46CF60

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 47a210-47a474, calls to 54f290, 472ae0, 555362, 559136, 554eeb, 54f511, 5547b0, 4dcf60, 55dbdf, 558be8
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 07eed9a159fc66b2ba514cc8a44c6a2bba44b52673c12348f8450c7f256577f6
                                  • Instruction ID: f82f81f92c42d92669c2b0ec9a5c99ea3ab7bda3b872a70b15e0c44f920ec420
                                  • Opcode Fuzzy Hash: 07eed9a159fc66b2ba514cc8a44c6a2bba44b52673c12348f8450c7f256577f6
                                  • Instruction Fuzzy Hash: 6C712A71900205ABDB14DF68DD49BDFBBE8EF81304F10855EF8089B382E7B99945C796

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 56549c-5656b7, API WriteFile, calls to 554723, 55e17d, 564fe1, 564bb2, 56505e, 564f79, 565222, 565139, 55d208
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00559087,?,00000000,00000000,00000000,?,00000000,?,0047A3EB,00559087,00000000,0047A3EB,?,?), ref: 00565622
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 7545f1637d64250e1338682d5aad4b3841452b3dcf7b9383ab18719d1900c393
                                  • Instruction ID: 3c93ae1709f9fb722470ed2f912aeb4859218ef1a149646d326cf90d37a68504
                                  • Opcode Fuzzy Hash: 7545f1637d64250e1338682d5aad4b3841452b3dcf7b9383ab18719d1900c393
                                  • Instruction Fuzzy Hash: 4D61C172D4451AAFDF11DFA8C888EEEBFBABF59304F140589E801A7215E731D915CBA0

                                  Control-flow Graph
                                  • Graph image not reproduced; recovered from the graph data: basic blocks 4e0560-4e06b8, calls to 472270, 4721d0, 5547b0, 54f290, 550f70, 5514f0, 54f511
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004E06AE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: f618768c6266538dd77c15a6d8daef243134769be093fadf45a63ab83ffcd639
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 5C412472A00154ABCB15DF69DD806AE7BA5EF89302F1001ABFC15DB302D7B0DDA08BE5

Control-flow Graph
Control-flow graph (rendered as an image on the original page; summary recovered from its block list): function 0x00564B12-0x00564BB1, 13 basic blocks. Calls 0x56A6DE (four times, twice in block 0x564B4A-0x564B5E), 0x56A64D, 0x55D208 and FindCloseChangeNotification in block 0x564B60-0x564B70 (the reference at 0x00564B69 below).
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,005649F9,00000000,CF830579,005A1140,0000000C,00564AB5,00558BBD,?), ref: 00564B69
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 9347b99ea81f54fd447820527e9137325d7151829f76753a88647aa202aff755
                                  • Instruction ID: a9a268f30dc744d2c27efd438f81ddf9702a35d87f64ce09db50f61aa4e8e5ed
                                  • Opcode Fuzzy Hash: 9347b99ea81f54fd447820527e9137325d7151829f76753a88647aa202aff755
                                  • Instruction Fuzzy Hash: 4E116B33B0416417CF246234E855B7FBF4AEBC3774F290609F8149B0E2EE21DC815A55

Control-flow Graph
Control-flow graph (rendered as an image on the original page; summary recovered from its block list): function 0x0055E05C-0x0055E0DE, 8 basic blocks. Calls 0x56A6DE on entry, then SetFilePointerEx in block 0x55E08A-0x55E0A0 (the reference at 0x0055E099 below); one successor of that block, 0x55E0A2-0x55E0B3, calls 0x55D208 before joining the common exit at 0x55E084-0x55E088.
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,005A0DF8,0047A3EB,00000002,0047A3EB,00000000,?,?,?,0055E166,00000000,?,0047A3EB,00000002,005A0DF8), ref: 0055E099
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 4db73a2f5911e53e88013511818d0e6502e55c9e3909b94fb222e3d1a57e5908
                                  • Instruction ID: 4c9ef94dac46f682939e475c204705d672533eee2113522c041bc75af487a63a
                                  • Opcode Fuzzy Hash: 4db73a2f5911e53e88013511818d0e6502e55c9e3909b94fb222e3d1a57e5908
                                  • Instruction Fuzzy Hash: 61012632614119ABCF09DF18CC2AC9E3F29EB86335F240649FC519B1E1E6B1EE419BD0

Control-flow Graph
Control-flow graph (rendered as an image on the original page; summary recovered from its block list): function 0x005663F3-0x0056644F, 10 basic blocks. RtlAllocateHeap is called in block 0x56642B-0x56643C (the reference at 0x00566435 below); its successor 0x566417-0x56641E calls 0x563F93, and 0x566420-0x566429 calls 0x5617D8 and then branches either to 0x566440-0x56644B (call 0x55D23F) or back to the RtlAllocateHeap block, forming a retry loop.
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,005591F7,00000000,?,00565D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0055D244,005589C3,005591F7,00000000), ref: 00566435
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 1c51e08a1af482999d875eb021a30c228d0427eb6f1f995526b01aebcb534ef8
                                  • Instruction ID: 7fa4d5591f0b0000b30e013cbd03d3aaccf6f31e8b697396419403a96014f7fe
                                  • Opcode Fuzzy Hash: 1c51e08a1af482999d875eb021a30c228d0427eb6f1f995526b01aebcb534ef8
                                  • Instruction Fuzzy Hash: B1F0E93150412566DF316B629C86B6B7F4CFF917A2F158511EC0897080EE30E81046F1

Control-flow Graph
Control-flow graph (rendered as an image on the original page; summary recovered from its block list): function 0x00566E2D-0x00566E7A, 9 basic blocks. RtlAllocateHeap is called in block 0x566E56-0x566E67 (the reference at 0x00566E60 below); its successor 0x566E42-0x566E49 calls 0x563F93, and 0x566E4B-0x566E54 calls 0x5617D8 and then branches either to 0x566E6B-0x566E76 (call 0x55D23F) or back to the RtlAllocateHeap block, the same retry loop as in the previous function.
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0056D635,4D88C033,?,0056D635,00000220,?,005657EF,4D88C033), ref: 00566E60
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 58f8284e770a78821ddc6c44c507d2df3f1ab1eb24d3611ac4aefc14bffa2b35
                                  • Instruction ID: 975f91dd20dea68610f05eff3444def97b3b877b771e5caeb075400635749a1b
                                  • Opcode Fuzzy Hash: 58f8284e770a78821ddc6c44c507d2df3f1ab1eb24d3611ac4aefc14bffa2b35
                                  • Instruction Fuzzy Hash: EBE0223A9006266ADB302266CD08B6B7F8CFF923B0F050521FC04D30D0DB22CC4082F8
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00478E0E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00478E1B
                                  • GetModuleHandleA.KERNEL32(?), ref: 00478E85
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00478E8C
                                  • CloseHandle.KERNEL32(?), ref: 00479092
                                  • CloseHandle.KERNEL32(?), ref: 004790F4
                                  • CloseHandle.KERNEL32(00000000), ref: 00479121
                                  Strings
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Close$AddressModuleProc
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 4110381430-3184506882
                                  • Opcode ID: b74ec0f29035aa3a3a308ab28fcd2dad0d3a044eb3670960dc467d2a00721248
                                  • Instruction ID: 364cf3e49dce4f86d66f46625d63d85431607bb2214cecbc0495c45ece8b2751
                                  • Opcode Fuzzy Hash: b74ec0f29035aa3a3a308ab28fcd2dad0d3a044eb3670960dc467d2a00721248
                                  • Instruction Fuzzy Hash: 43C1C170D102599AEF20DFA4CC85BEEBBB9FF05300F10846EE508BB291DB759945CB69
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F55FC
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F563E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F5686
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F56C7
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F5708
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F5746
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F578E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F57D6
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F5817
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F585D
                                  Strings
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: Fhnf$eIcm$yNrw
                                  • API String ID: 190572456-2794250838
                                  • Opcode ID: cdb6aa0b2b11038018ea66bd777482d024b75d1533eaaa1fb2f9dbc52c3f22a9
                                  • Instruction ID: d8ab32376093c22d7b34103e1964970333fc6507b1881b6f39c6a0090ad12990
                                  • Opcode Fuzzy Hash: cdb6aa0b2b11038018ea66bd777482d024b75d1533eaaa1fb2f9dbc52c3f22a9
                                  • Instruction Fuzzy Hash: DC816CB0C1834CAEDF04CFA4C9456EEBFB9EF56300F50809ED851AB251D379420ADBA5
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 77daf1e02919214b38c828b06974f8b377adcd4eb335215fb80a36f6c106dec3
                                  • Instruction ID: fdeaaa3ebf0b10747bb9f0a00c45aa8294b30e96e2f7feb6652133174872ed00
                                  • Opcode Fuzzy Hash: 77daf1e02919214b38c828b06974f8b377adcd4eb335215fb80a36f6c106dec3
                                  • Instruction Fuzzy Hash: D3025B71E002199BDF14CFA8C8906AEFBF1FF48315F24826AD919F7381DB31A9458B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004DF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004DF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DFA08
                                  • std::_Facet_Register.LIBCPMT ref: 004DFA15
                                  Strings
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"Y
                                  • API String ID: 3375549084-4290172922
                                  • Opcode ID: 44b9caf6caef79627000c4dbf6a91b1358725d129a376d51520ff679fc1611d9
                                  • Instruction ID: 74a1e5712e4ba7e3d2811e03c27fc60b48c7f496728338e8fb9bbf40c6a835d6
                                  • Opcode Fuzzy Hash: 44b9caf6caef79627000c4dbf6a91b1358725d129a376d51520ff679fc1611d9
                                  • Instruction Fuzzy Hash: 6B61A0B1D002499BDF20EFA4D859B9EBFB4BF55314F14406AE805A7341D738E909CBA6
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473E7F
                                  Strings
Memory Dump Source
• Same dump set as listed for the first function above (source file 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp at offset 00470000, same associated dumps, Joe Sandbox IDA Plugin snapshot hcaresult_6_2_470000_MPGPH131.jbxd)
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3G$@3G$G>G$G>G$`!G$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-563398080
                                  • Opcode ID: bce0b297a1f7d57a012639120c9477a19674d159c273f9915af8eb9c39165454
                                  • Instruction ID: e91d1a608da2b7727c3d7d5bce3acbd783f40bdf0b967d246c1488e4d85a8287
                                  • Opcode Fuzzy Hash: bce0b297a1f7d57a012639120c9477a19674d159c273f9915af8eb9c39165454
                                  • Instruction Fuzzy Hash: F941C1B2900208AFCB14DF68D845BDEBBE8FB49310F14C52FE919D7741E774AA018BA4
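The file names under Memory Dump Source encode where each dump was taken. As an added example that is not part of the Joe Sandbox report or its tooling, the Python below parses those names and decodes two of the fields. It assumes that the fifth dot-separated field is a Windows PAGE_* protection constant and the seventh a MEM_* region type; this is the editor's inference from the values present on this page (0x40, 0x04, 0x08, 0x80 and 0x01000000 are all valid winnt.h constants), and the remaining fields are left as opaque integers. Run over the thirteen names listed above, it shows the region at 0x471000 that these functions were disassembled from, and most of the rest of the image, dumped as PAGE_EXECUTE_READWRITE while the header page at 0x470000 is PAGE_READWRITE, which is the memory-side view of the "changes PE section rights" and self-modifying-code signatures in the overview.

```python
"""Decode the Joe Sandbox .sdmp memory-dump file names listed in this report.

Added example by the editor, not Joe Sandbox tooling. Assumption: field 5 is a
Windows PAGE_* protection constant and field 7 a MEM_* region type, inferred
from the values on the page; fields 2, 3, 6 and 8 are kept opaque.
"""
import re
from dataclasses import dataclass

# Memory protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
WRITABLE_EXECUTABLE = {0x40, 0x80}

# Region type constants as reported by VirtualQuery (winnt.h).
MEM_TYPE = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

_SDMP = re.compile(
    r"^(?P<proc>[0-9a-f]{8})\.(?P<dump>[0-9a-f]{8})\.(?P<uid>\d+)\."
    r"(?P<base>[0-9a-f]{16})\.(?P<prot>[0-9a-f]{8})\.(?P<f6>[0-9a-f]{8})\."
    r"(?P<mtype>[0-9a-f]{8})\.(?P<f8>[0-9a-f]{8})\.sdmp$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class DumpRegion:
    process: int     # analysis process index (field 1)
    dump_pass: int   # dump index (field 2), kept opaque
    base: int        # region base address (field 4)
    protection: int  # PAGE_* value (field 5, assumed)
    mem_type: int    # MEM_* value (field 7, assumed)

    @property
    def protection_name(self) -> str:
        low = self.protection & 0xFF
        names = [PAGE_PROTECTION.get(low, f"0x{low:x}")]
        names += [n for bit, n in PAGE_MODIFIERS.items() if self.protection & bit]
        return "|".join(names)

    @property
    def type_name(self) -> str:
        return MEM_TYPE.get(self.mem_type, f"0x{self.mem_type:x}")

    @property
    def writable_and_executable(self) -> bool:
        # Write+execute on an image-backed region is what unpacking or
        # self-modifying code looks like from outside the process.
        return (self.protection & 0xFF) in WRITABLE_EXECUTABLE


def parse_sdmp_name(name: str) -> DumpRegion:
    m = _SDMP.match(name.strip())
    if not m:
        raise ValueError(f"not a .sdmp name: {name!r}")
    return DumpRegion(
        process=int(m["proc"], 16),
        dump_pass=int(m["dump"], 16),
        base=int(m["base"], 16),
        protection=int(m["prot"], 16),
        mem_type=int(m["mtype"], 16),
    )


def rwx_image_regions(names) -> list:
    """Return sorted bases of MEM_IMAGE regions dumped with write+execute rights."""
    regions = [parse_sdmp_name(n) for n in names]
    return sorted(r.base for r in regions
                  if r.writable_and_executable and r.mem_type == 0x1000000)


# The thirteen dump names from the "Memory Dump Source" block of this report.
SAMPLE_NAMES = [
    "00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp",
    "00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        r = parse_sdmp_name(n)
        print(f"{r.base:#010x} {r.protection_name:24} {r.type_name}")
    print("write+execute image regions:", [hex(b) for b in rwx_image_regions(SAMPLE_NAMES)])
```

Only the header page at 0x470000 and the PAGE_WRITECOPY region at 0x5A8000 come out without execute rights; the other eleven regions are writable and executable, which is why the decoded Source File above could carry unpacked code rather than the on-disk section contents.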
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00552E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00552E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00552ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00552F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00552F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: iZ$csm
                                  • API String ID: 1170836740-778996790
                                  • Opcode ID: a5c1332197daa4c36e0807b9edec7e6013b89222bd6565aff3a42ed9301fa6d1
                                  • Instruction ID: 33566db12410dc95ad1d2354497647e3c84eba4e5185683615c2afa1aed334ad
                                  • Opcode Fuzzy Hash: a5c1332197daa4c36e0807b9edec7e6013b89222bd6565aff3a42ed9301fa6d1
                                  • Instruction Fuzzy Hash: 8A41C930A002099BCF10DF68D896AAEBFB5BF46315F148456ED189B392D731DE49CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3G$@3G$`!G$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-2384014072
                                  • Opcode ID: f9c2c221fee2b9c2c5423dd66de4cb946d6d44738dc94b5ac0f334e7a662fb80
                                  • Instruction ID: 2723b3050cea0ece6a5e53a1deebc0a498e0f2425cfda54d0ed9bda69b50234f
                                  • Opcode Fuzzy Hash: f9c2c221fee2b9c2c5423dd66de4cb946d6d44738dc94b5ac0f334e7a662fb80
                                  • Instruction Fuzzy Hash: 642105B29007056BC714DF58D806BD6BBDCBB44311F18C82BFA6C8B681E774EA149B95
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00474F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00474FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004750C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3G$`!G$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-2986438110
                                  • Opcode ID: e00df74d540a41ab65799de826fe7cc2ccf64af4ef066fe7dd9266144ec27ac6
                                  • Instruction ID: c0597bfa6a472b4b5ed250750946c58b26976e0e2b054e651030a0428a48acf5
                                  • Opcode Fuzzy Hash: e00df74d540a41ab65799de826fe7cc2ccf64af4ef066fe7dd9266144ec27ac6
                                  • Instruction Fuzzy Hash: 54E138719002059FCB28DF68D945BAEFBF9FF85300F10852EE45A97781E778A904CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$out_of_range$type_error
                                  • API String ID: 2659868963-851137949
                                  • Opcode ID: b0b7fa2ff347624bbf5de9bc186952118a5cdac52a92cb535326f92b7f614a5f
                                  • Instruction ID: 6fe9b5689b8be54bdc56cc292593b840867bf9a17ba0e2d786b68bb86398bf90
                                  • Opcode Fuzzy Hash: b0b7fa2ff347624bbf5de9bc186952118a5cdac52a92cb535326f92b7f614a5f
                                  • Instruction Fuzzy Hash: DFC158B1D002089FDB08CFA8D98479DBBF5FF49304F14866AE419EB792E774A984CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004732C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00473350
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4G$@3G$`!G$`!G
                                  • API String ID: 2970364248-3559336284
                                  • Opcode ID: 3a7aa2bdca2219234ae42c56b794a60985d304c75aea1acfac25bd50af028015
                                  • Instruction ID: 667d16a6ab7ea3d8959fe79c5b13f4a0dfc5d5f2956904c045b1750ec808006d
                                  • Opcode Fuzzy Hash: 3a7aa2bdca2219234ae42c56b794a60985d304c75aea1acfac25bd50af028015
                                  • Instruction Fuzzy Hash: 8C51BD719002089FDB18CF98D889BDEBBF5FF49300F14812AE819A7382E7749A41CB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00473A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00473AA4
                                  • __Getctype.LIBCPMT ref: 00473ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00473AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00473B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: efed89d3fe8b498b217300821948781b63d2b113f772384345a46754d2a26a93
                                  • Instruction ID: 70efdd35b9c9b0d9c028b1abfe49b4792fda1fb6aad441632d6e919cae533f72
                                  • Opcode Fuzzy Hash: efed89d3fe8b498b217300821948781b63d2b113f772384345a46754d2a26a93
                                  • Instruction Fuzzy Hash: 915155B1D002099BDF10DF94D845BDEBFB8BF54315F14806AE809AB342E779EA08CB65
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DDED6
                                  • std::_Facet_Register.LIBCPMT ref: 004DDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004DDF7B
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 668e7b1d4786d6d702c5465ded3c327bda0971fcc79fadb70a045dcdb5acfe43
                                  • Instruction ID: 2068c38516469a1e4d40cc816413e4b3b901670ab9840ff521b245c0e3745c58
                                  • Opcode Fuzzy Hash: 668e7b1d4786d6d702c5465ded3c327bda0971fcc79fadb70a045dcdb5acfe43
                                  • Instruction Fuzzy Hash: D6412071D0020ADFCB10DF54D885AAABBB4FB56324F14462FE8169B382D734AD05CBE5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$parse error$parse_error
                                  • API String ID: 2659868963-2190908755
                                  • Opcode ID: 6f3f3042948ca537abbee36cb7f2eca19dd65496e58836aab1686f2038104c84
                                  • Instruction ID: 5878e24ccd26e0ea6043a797032d0321f771fa604de04d2348ba9a0efe53c201
                                  • Opcode Fuzzy Hash: 6f3f3042948ca537abbee36cb7f2eca19dd65496e58836aab1686f2038104c84
                                  • Instruction Fuzzy Hash: FCE17F709042488FDB18CF68C984B9DBBB1FF49304F6482AAE418EB792D7749A81CF55
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!G
                                  • API String ID: 4194217158-538675771
                                  • Opcode ID: e314b7aef53c17d9a565b88a96f8e913db8f718a8fc5c7f8bc590d3aede9c481
                                  • Instruction ID: 3563161adefc5bda7352f905d98c89c665a5038a81d7deb37f29c3e09d35d8c7
                                  • Opcode Fuzzy Hash: e314b7aef53c17d9a565b88a96f8e913db8f718a8fc5c7f8bc590d3aede9c481
                                  • Instruction Fuzzy Hash: D6613A70A04205AFDB08DF68DD84BEDBBB1FF45300F20862DE419A7B81D778A944CB95
                                  APIs
                                    • Part of subcall function 00473190: ___std_exception_copy.LIBVCRUNTIME ref: 004732C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000006.00000002.3319086036.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319156368.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319459077.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319492640.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3319991390.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320175939.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000006.00000002.3320203537.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4G$@3G$@3G$`!G
                                  • API String ID: 2659868963-1434760016
                                  • Opcode ID: f967517a841866efc0edea5b0f4eb6935eebd1e57f1e3aef7b5cb30a329de6a5
                                  • Instruction ID: 18c07e934f2c49bc0a53e750f943995a901f31c744afcf50c1d6c1f15f12cb21
                                  • Opcode Fuzzy Hash: f967517a841866efc0edea5b0f4eb6935eebd1e57f1e3aef7b5cb30a329de6a5
                                  • Instruction Fuzzy Hash: 1031A3729002099FCB18DFA8D845ADEFFF8FB08310F10852BE918D7641E774AA50DB95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4G$@3G$@3G$`!G
                                  • API String ID: 2659868963-1434760016
                                  • Opcode ID: 4ab2cdb75484263c2dd6a34df84a48335cbc32d2b11be930e4406d753440490d
                                  • Instruction ID: 441aacaf2fbf4067bd02fdc7a15be91b8a7639fafb8118caa63ba8a8f9e9952f
                                  • Opcode Fuzzy Hash: 4ab2cdb75484263c2dd6a34df84a48335cbc32d2b11be930e4406d753440490d
                                  • Instruction Fuzzy Hash: 34014F7650420AAF8704DFA9D84589AFBFCFF48300700C42AE91987611EBB0E514CB94
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00476F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00476F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!G
                                  • API String ID: 4194217158-617180572
                                  • Opcode ID: 85fe0bb9c0c1ac58b45817ab3e954ad9fb2413a4f6c5af9ce08e642efc208dc7
                                  • Instruction ID: 13dbcce3d8a8315c86f950cf5e129a5cc2a78c8e07e7f8b7915b2713019f9d47
                                  • Opcode Fuzzy Hash: 85fe0bb9c0c1ac58b45817ab3e954ad9fb2413a4f6c5af9ce08e642efc208dc7
                                  • Instruction Fuzzy Hash: 4B91F570A006049FDB18CF68D984BDEBBF6FF45300F20856DE419AB792D774AA41CB95
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00472275
                                    • Part of subcall function 0054D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0054D6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$LZ$LZ
                                  • API String ID: 1997705970-3809129928
                                  • Opcode ID: b19265e232620218b2a069955f323dbd09523bed26001e58d0ac9760c6257493
                                  • Instruction ID: d84c34cf85c847d8c23c612a771a30f4f67220a8bbf8ef0e19c7a700a9a0df7f
                                  • Opcode Fuzzy Hash: b19265e232620218b2a069955f323dbd09523bed26001e58d0ac9760c6257493
                                  • Instruction Fuzzy Hash: 58812375A042859FDB01CFA8C5507EEBFF1EF5A300F18816EC898A7742C3B98545CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004777B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$invalid_iterator
                                  • API String ID: 2659868963-1772924453
                                  • Opcode ID: 0e754a55f320b80e09edf9b3791d8589806ba4b2bc04ca2e1f80463f8ffac1f1
                                  • Instruction ID: 2d7402885feecea2b2b5ead667445c2483a5f34eae7b678b3c747594bb75b441
                                  • Opcode Fuzzy Hash: 0e754a55f320b80e09edf9b3791d8589806ba4b2bc04ca2e1f80463f8ffac1f1
                                  • Instruction Fuzzy Hash: 565159B09002099FDB08CF68D99479DFBF1FB49300F14866AE419EB792E774A984CB95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$other_error
                                  • API String ID: 2659868963-708321997
                                  • Opcode ID: b1dad1ce256b1684a8175d856f874e6d727c14fefad776fbc74133d5c77e269f
                                  • Instruction ID: 0059f7ea0b8d7d0d65c4a78e40f0e4aafdcd3f574c447779c698194a06912c45
                                  • Opcode Fuzzy Hash: b1dad1ce256b1684a8175d856f874e6d727c14fefad776fbc74133d5c77e269f
                                  • Instruction Fuzzy Hash: 915147B09002489FDB18CFA8D9847EDBFF1BF49300F14866AE459EB792E7749984CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004DD06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004DD096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: ffc60683d30c1fc0373124680826eb6edad203088708ffb1e629b638cf993db1
                                  • Instruction ID: 8e18b37ce29d110f99ca7a28c8c3b9f4d49a30332fe73968d718eb274a4bb29c
                                  • Opcode Fuzzy Hash: ffc60683d30c1fc0373124680826eb6edad203088708ffb1e629b638cf993db1
                                  • Instruction Fuzzy Hash: 9001B6B6500706AF8704DF59D449882FBF8FB48710704C52BE929CBB11E7B0E528CFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004EB3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004EB406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: 560c1bd13681fac5801e16c9e48f818d085bdb0ba9fbd0fc6d6104bcab60f0bb
                                  • Instruction ID: 5cf2fa362dbffaac2d6be0449ecf0d541c4a9b2f6fe90d9c37c8b6d4df1a8620
                                  • Opcode Fuzzy Hash: 560c1bd13681fac5801e16c9e48f818d085bdb0ba9fbd0fc6d6104bcab60f0bb
                                  • Instruction Fuzzy Hash: 99F0C4B6500606AF8708DF58D409886BBE8FA44710705852BE92ACBB01E7B0E528CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 004EB612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: PxN$invalid hash bucket count
                                  • API String ID: 909987262-1733123108
                                  • Opcode ID: 686853c08590834f98b4d53dc8c848f6fb3878168f741035d229321d22d8fdc8
                                  • Instruction ID: 89a5f42ad7e59ce31d8c25ed597cfa7b4da97e2e0051c6818ee6d7366520562e
                                  • Opcode Fuzzy Hash: 686853c08590834f98b4d53dc8c848f6fb3878168f741035d229321d22d8fdc8
                                  • Instruction Fuzzy Hash: CA7111B4A00605EFCB14CF4AC58086AFBF5FF89305724C5AAD8599B355D731EA42CF94
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004EE491
                                  Strings
                                  • type must be string, but is , xrefs: 004EE4F8
                                  • type must be boolean, but is , xrefs: 004EE582
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 85f755cd5281175665b6242d1c0b5ceb5c41c05e4c23346af8f45d0c1d25a1d2
                                  • Instruction ID: 81dfc1ba44078b301363169bcf37febc4f1db22a60191b8dd76db3b29e99c359
                                  • Opcode Fuzzy Hash: 85f755cd5281175665b6242d1c0b5ceb5c41c05e4c23346af8f45d0c1d25a1d2
                                  • Instruction Fuzzy Hash: 04418FB5904248AFCB04EBE5D916B9E7BA8EB00304F14857BF419D77C1EB39E900C759
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3319156368.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: 99447c82e472c91620c5841f6879504ffad7e8dd6ed193e35288c35b8d1fa9aa
                                  • Instruction ID: 6fb6a8f85e173953e4c39241ac04ff95093df2c826d5703955637a110fd3ece0
                                  • Opcode Fuzzy Hash: 99447c82e472c91620c5841f6879504ffad7e8dd6ed193e35288c35b8d1fa9aa
                                  • Instruction Fuzzy Hash: 69E012B29053199BC710DFA8D8459CAFFF8AB59701F04C6BAE948D7300F6B0D5549BD1

                                  Execution Graph

                                  Execution Coverage:3.6%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:650
                                  Total number of Limit Nodes:68
                                  execution_graph (node/edge dump omitted): roots 4d3a40 (GetCursorPos, GetPEB, Sleep loop) and 48e0a0 (WSAStartup, socket, connect, closesocket); remaining nodes are CRT and heap helpers (RtlAllocateHeap, ReadFile, WriteFile, SetFilePointerEx, FindCloseChangeNotification)

                                  Control-flow Graph

                                  control_flow_graph 4d3a40-4d3bfd (node dump omitted): GetCursorPos at 4d3a53 and 4d3a59, GetPEB at 4d3a73 and 4d3b28, Sleep at 4d3ae8 and 4d3b9d looping back to the second GetCursorPos, exit path via calls to 476bd0
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 004D3A53
                                  • GetCursorPos.USER32(?), ref: 004D3A59
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,004D3DB6), ref: 004D3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,004D3DB6), ref: 004D3BBA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CursorSleep
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x48e0a0; node annotations: WSAStartup, socket, connect, closesocket]
                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x54f290]
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047220E
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x554942]
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: OU

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x564623; node annotations: ReadFile]
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x47a210]
                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x56549c; node annotations: WriteFile]
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00559087,?,00000000,00000000,00000000,?,00000000,?,0047A3EB,00559087,00000000,0047A3EB,?,?), ref: 00565622
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x4e0560]
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004E06AE
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:

                                   Control-flow Graph

                                   [Control-flow graph image of the function at 0x564b12; node annotations: FindCloseChangeNotification]
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,005649F9,00000000,CF830579,005A1140,0000000C,00564AB5,00558BBD,?), ref: 00564B69
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 9347b99ea81f54fd447820527e9137325d7151829f76753a88647aa202aff755
                                  • Instruction ID: a9a268f30dc744d2c27efd438f81ddf9702a35d87f64ce09db50f61aa4e8e5ed
                                  • Opcode Fuzzy Hash: 9347b99ea81f54fd447820527e9137325d7151829f76753a88647aa202aff755
                                  • Instruction Fuzzy Hash: 4E116B33B0416417CF246234E855B7FBF4AEBC3774F290609F8149B0E2EE21DC815A55

                                  Control-flow Graph

                                  • Graph of the function at 55e05c-55e0de (rendered block graph with executed / not executed colouring not recoverable); its blocks call 56a6de, 55d208 and SetFilePointerEx.
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,005A0DF8,0047A3EB,00000002,0047A3EB,00000000,?,?,?,0055E166,00000000,?,0047A3EB,00000002,005A0DF8), ref: 0055E099
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 4db73a2f5911e53e88013511818d0e6502e55c9e3909b94fb222e3d1a57e5908
                                  • Instruction ID: 4c9ef94dac46f682939e475c204705d672533eee2113522c041bc75af487a63a
                                  • Opcode Fuzzy Hash: 4db73a2f5911e53e88013511818d0e6502e55c9e3909b94fb222e3d1a57e5908
                                  • Instruction Fuzzy Hash: 61012632614119ABCF09DF18CC2AC9E3F29EB86335F240649FC519B1E1E6B1EE419BD0

                                  Control-flow Graph

                                  • Graph of the function at 5663f3-56644f (rendered block graph with executed / not executed colouring not recoverable); its blocks call 55d23f, 563f93, 5617d8 and RtlAllocateHeap.
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,005591F7,00000000,?,00565D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0055D244,005589C3,005591F7,00000000), ref: 00566435
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 41738c6dc70bae5cccd8a47a2c5e4cdc530f8dd5cf47bd7465e8e6a4fc496a5b
                                  • Instruction ID: 7fa4d5591f0b0000b30e013cbd03d3aaccf6f31e8b697396419403a96014f7fe
                                  • Opcode Fuzzy Hash: 41738c6dc70bae5cccd8a47a2c5e4cdc530f8dd5cf47bd7465e8e6a4fc496a5b
                                  • Instruction Fuzzy Hash: B1F0E93150412566DF316B629C86B6B7F4CFF917A2F158511EC0897080EE30E81046F1

                                  Control-flow Graph

                                  • Graph of the function at 566e2d-566e7a (rendered block graph with executed / not executed colouring not recoverable); its blocks call 55d23f, 563f93, 5617d8 and RtlAllocateHeap.
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,0056D635,4D88C033,?,0056D635,00000220,?,005657EF,4D88C033), ref: 00566E60
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 0f65574856b26072984b08638ed4b5b9211d6ef0b25129d0f36bbd5850a6900d
                                  • Instruction ID: 975f91dd20dea68610f05eff3444def97b3b877b771e5caeb075400635749a1b
                                  • Opcode Fuzzy Hash: 0f65574856b26072984b08638ed4b5b9211d6ef0b25129d0f36bbd5850a6900d
                                  • Instruction Fuzzy Hash: EBE0223A9006266ADB302266CD08B6B7F8CFF923B0F050521FC04D30D0DB22CC4082F8
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00478E0E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00478E1B
                                  • GetModuleHandleA.KERNEL32(?), ref: 00478E85
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00478E8C
                                  • CloseHandle.KERNEL32(?), ref: 00479092
                                  • CloseHandle.KERNEL32(?), ref: 004790F4
                                  • CloseHandle.KERNEL32(00000000), ref: 00479121
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Close$AddressModuleProc
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 4110381430-3184506882
                                  • Opcode ID: b74ec0f29035aa3a3a308ab28fcd2dad0d3a044eb3670960dc467d2a00721248
                                  • Instruction ID: 364cf3e49dce4f86d66f46625d63d85431607bb2214cecbc0495c45ece8b2751
                                  • Opcode Fuzzy Hash: b74ec0f29035aa3a3a308ab28fcd2dad0d3a044eb3670960dc467d2a00721248
                                  • Instruction Fuzzy Hash: 43C1C170D102599AEF20DFA4CC85BEEBBB9FF05300F10846EE508BB291DB759945CB69
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F55FC
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F563E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F5686
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F56C7
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F5708
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F5746
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F578E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 004F57D6
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F5817
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 004F585D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: Fhnf$eIcm$yNrw
                                  • API String ID: 190572456-2794250838
                                  • Opcode ID: cdb6aa0b2b11038018ea66bd777482d024b75d1533eaaa1fb2f9dbc52c3f22a9
                                  • Instruction ID: d8ab32376093c22d7b34103e1964970333fc6507b1881b6f39c6a0090ad12990
                                  • Opcode Fuzzy Hash: cdb6aa0b2b11038018ea66bd777482d024b75d1533eaaa1fb2f9dbc52c3f22a9
                                  • Instruction Fuzzy Hash: DC816CB0C1834CAEDF04CFA4C9456EEBFB9EF56300F50809ED851AB251D379420ADBA5
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: fdeaaa3ebf0b10747bb9f0a00c45aa8294b30e96e2f7feb6652133174872ed00
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: D3025B71E002199BDF14CFA8C8906AEFBF1FF48315F24826AD919F7381DB31A9458B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 004DF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 004DF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DFA08
                                  • std::_Facet_Register.LIBCPMT ref: 004DFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$"Y
                                  • API String ID: 3375549084-4290172922
                                  • Opcode ID: 44b9caf6caef79627000c4dbf6a91b1358725d129a376d51520ff679fc1611d9
                                  • Instruction ID: 74a1e5712e4ba7e3d2811e03c27fc60b48c7f496728338e8fb9bbf40c6a835d6
                                  • Opcode Fuzzy Hash: 44b9caf6caef79627000c4dbf6a91b1358725d129a376d51520ff679fc1611d9
                                  • Instruction Fuzzy Hash: 6B61A0B1D002499BDF20EFA4D859B9EBFB4BF55314F14406AE805A7341D738E909CBA6
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3G$@3G$G>G$G>G$`!G$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-563398080
                                  • Opcode ID: bce0b297a1f7d57a012639120c9477a19674d159c273f9915af8eb9c39165454
                                  • Instruction ID: e91d1a608da2b7727c3d7d5bce3acbd783f40bdf0b967d246c1488e4d85a8287
                                  • Opcode Fuzzy Hash: bce0b297a1f7d57a012639120c9477a19674d159c273f9915af8eb9c39165454
                                  • Instruction Fuzzy Hash: F941C1B2900208AFCB14DF68D845BDEBBE8FB49310F14C52FE919D7741E774AA018BA4
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00552E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00552E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00552ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00552F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00552F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                   • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                   • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: iZ$csm
                                  • API String ID: 1170836740-778996790
                                  • Opcode ID: a5c1332197daa4c36e0807b9edec7e6013b89222bd6565aff3a42ed9301fa6d1
                                  • Instruction ID: 33566db12410dc95ad1d2354497647e3c84eba4e5185683615c2afa1aed334ad
                                  • Opcode Fuzzy Hash: a5c1332197daa4c36e0807b9edec7e6013b89222bd6565aff3a42ed9301fa6d1
                                  • Instruction Fuzzy Hash: 8A41C930A002099BCF10DF68D896AAEBFB5BF46315F148456ED189B392D731DE49CB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473E7F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3G$@3G$`!G$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-2384014072
                                  • Opcode ID: f9c2c221fee2b9c2c5423dd66de4cb946d6d44738dc94b5ac0f334e7a662fb80
                                  • Instruction ID: 2723b3050cea0ece6a5e53a1deebc0a498e0f2425cfda54d0ed9bda69b50234f
                                  • Opcode Fuzzy Hash: f9c2c221fee2b9c2c5423dd66de4cb946d6d44738dc94b5ac0f334e7a662fb80
                                  • Instruction Fuzzy Hash: 642105B29007056BC714DF58D806BD6BBDCBB44311F18C82BFA6C8B681E774EA149B95
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00474F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00474FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004750C8
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3G$`!G$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-2986438110
                                  • Opcode ID: e00df74d540a41ab65799de826fe7cc2ccf64af4ef066fe7dd9266144ec27ac6
                                  • Instruction ID: c0597bfa6a472b4b5ed250750946c58b26976e0e2b054e651030a0428a48acf5
                                  • Opcode Fuzzy Hash: e00df74d540a41ab65799de826fe7cc2ccf64af4ef066fe7dd9266144ec27ac6
                                  • Instruction Fuzzy Hash: 54E138719002059FCB28DF68D945BAEFBF9FF85300F10852EE45A97781E778A904CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477B75
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$out_of_range$type_error
                                  • API String ID: 2659868963-851137949
                                  • Opcode ID: b0b7fa2ff347624bbf5de9bc186952118a5cdac52a92cb535326f92b7f614a5f
                                  • Instruction ID: 6fe9b5689b8be54bdc56cc292593b840867bf9a17ba0e2d786b68bb86398bf90
                                  • Opcode Fuzzy Hash: b0b7fa2ff347624bbf5de9bc186952118a5cdac52a92cb535326f92b7f614a5f
                                  • Instruction Fuzzy Hash: DFC158B1D002089FDB08CFA8D98479DBBF5FF49304F14866AE419EB792E774A984CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004732C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00473350
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4G$@3G$`!G$`!G
                                  • API String ID: 2970364248-3559336284
                                  • Opcode ID: 3a7aa2bdca2219234ae42c56b794a60985d304c75aea1acfac25bd50af028015
                                  • Instruction ID: 667d16a6ab7ea3d8959fe79c5b13f4a0dfc5d5f2956904c045b1750ec808006d
                                  • Opcode Fuzzy Hash: 3a7aa2bdca2219234ae42c56b794a60985d304c75aea1acfac25bd50af028015
                                  • Instruction Fuzzy Hash: 8C51BD719002089FDB18CF98D889BDEBBF5FF49300F14812AE819A7382E7749A41CB94
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00473A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00473AA4
                                  • __Getctype.LIBCPMT ref: 00473ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00473AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00473B7B
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: efed89d3fe8b498b217300821948781b63d2b113f772384345a46754d2a26a93
                                  • Instruction ID: 70efdd35b9c9b0d9c028b1abfe49b4792fda1fb6aad441632d6e919cae533f72
                                  • Opcode Fuzzy Hash: efed89d3fe8b498b217300821948781b63d2b113f772384345a46754d2a26a93
                                  • Instruction Fuzzy Hash: 915155B1D002099BDF10DF94D845BDEBFB8BF54315F14806AE809AB342E779EA08CB65
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 004DDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DDED6
                                  • std::_Facet_Register.LIBCPMT ref: 004DDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 004DDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004DDF7B
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 668e7b1d4786d6d702c5465ded3c327bda0971fcc79fadb70a045dcdb5acfe43
                                  • Instruction ID: 2068c38516469a1e4d40cc816413e4b3b901670ab9840ff521b245c0e3745c58
                                  • Opcode Fuzzy Hash: 668e7b1d4786d6d702c5465ded3c327bda0971fcc79fadb70a045dcdb5acfe43
                                  • Instruction Fuzzy Hash: D6412071D0020ADFCB10DF54D885AAABBB4FB56324F14462FE8169B382D734AD05CBE5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477340
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$parse error$parse_error
                                  • API String ID: 2659868963-2190908755
                                  • Opcode ID: 6f3f3042948ca537abbee36cb7f2eca19dd65496e58836aab1686f2038104c84
                                  • Instruction ID: 5878e24ccd26e0ea6043a797032d0321f771fa604de04d2348ba9a0efe53c201
                                  • Opcode Fuzzy Hash: 6f3f3042948ca537abbee36cb7f2eca19dd65496e58836aab1686f2038104c84
                                  • Instruction Fuzzy Hash: FCE17F709042488FDB18CF68C984B9DBBB1FF49304F6482AAE418EB792D7749A81CF55
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 004775CD
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!G
                                  • API String ID: 4194217158-538675771
                                  • Opcode ID: e314b7aef53c17d9a565b88a96f8e913db8f718a8fc5c7f8bc590d3aede9c481
                                  • Instruction ID: 3563161adefc5bda7352f905d98c89c665a5038a81d7deb37f29c3e09d35d8c7
                                  • Opcode Fuzzy Hash: e314b7aef53c17d9a565b88a96f8e913db8f718a8fc5c7f8bc590d3aede9c481
                                  • Instruction Fuzzy Hash: D6613A70A04205AFDB08DF68DD84BEDBBB1FF45300F20862DE419A7B81D778A944CB95
                                  APIs
                                    • Part of subcall function 00473190: ___std_exception_copy.LIBVCRUNTIME ref: 004732C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047345F
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4G$@3G$@3G$`!G
                                  • API String ID: 2659868963-1434760016
                                  • Opcode ID: f967517a841866efc0edea5b0f4eb6935eebd1e57f1e3aef7b5cb30a329de6a5
                                  • Instruction ID: 18c07e934f2c49bc0a53e750f943995a901f31c744afcf50c1d6c1f15f12cb21
                                  • Opcode Fuzzy Hash: f967517a841866efc0edea5b0f4eb6935eebd1e57f1e3aef7b5cb30a329de6a5
                                  • Instruction Fuzzy Hash: 1031A3729002099FCB18DFA8D845ADEFFF8FB08310F10852BE918D7641E774AA50DB95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0047345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4G$@3G$@3G$`!G
                                  • API String ID: 2659868963-1434760016
                                  • Opcode ID: 4ab2cdb75484263c2dd6a34df84a48335cbc32d2b11be930e4406d753440490d
                                  • Instruction ID: 441aacaf2fbf4067bd02fdc7a15be91b8a7639fafb8118caa63ba8a8f9e9952f
                                  • Opcode Fuzzy Hash: 4ab2cdb75484263c2dd6a34df84a48335cbc32d2b11be930e4406d753440490d
                                  • Instruction Fuzzy Hash: 34014F7650420AAF8704DFA9D84589AFBFCFF48300700C42AE91987611EBB0E514CB94
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00476F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00476F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!G
                                  • API String ID: 4194217158-617180572
                                  • Opcode ID: 85fe0bb9c0c1ac58b45817ab3e954ad9fb2413a4f6c5af9ce08e642efc208dc7
                                  • Instruction ID: 13dbcce3d8a8315c86f950cf5e129a5cc2a78c8e07e7f8b7915b2713019f9d47
                                  • Opcode Fuzzy Hash: 85fe0bb9c0c1ac58b45817ab3e954ad9fb2413a4f6c5af9ce08e642efc208dc7
                                  • Instruction Fuzzy Hash: 4B91F570A006049FDB18CF68D984BDEBBF6FF45300F20856DE419AB792D774AA41CB95
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00472275
                                    • Part of subcall function 0054D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0054D6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$LZ$LZ
                                  • API String ID: 1997705970-3809129928
                                  • Opcode ID: e17a5dd1155751cc145263871ee355878a880674fc5c5285c7e32af1dc7dd40d
                                  • Instruction ID: d84c34cf85c847d8c23c612a771a30f4f67220a8bbf8ef0e19c7a700a9a0df7f
                                  • Opcode Fuzzy Hash: e17a5dd1155751cc145263871ee355878a880674fc5c5285c7e32af1dc7dd40d
                                  • Instruction Fuzzy Hash: 58812375A042859FDB01CFA8C5507EEBFF1EF5A300F18816EC898A7742C3B98545CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004777B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$invalid_iterator
                                  • API String ID: 2659868963-1772924453
                                  • Opcode ID: 0e754a55f320b80e09edf9b3791d8589806ba4b2bc04ca2e1f80463f8ffac1f1
                                  • Instruction ID: 2d7402885feecea2b2b5ead667445c2483a5f34eae7b678b3c747594bb75b441
                                  • Opcode Fuzzy Hash: 0e754a55f320b80e09edf9b3791d8589806ba4b2bc04ca2e1f80463f8ffac1f1
                                  • Instruction Fuzzy Hash: 565159B09002099FDB08CF68D99479DFBF1FB49300F14866AE419EB792E774A984CB95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00477D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G$other_error
                                  • API String ID: 2659868963-708321997
                                  • Opcode ID: b1dad1ce256b1684a8175d856f874e6d727c14fefad776fbc74133d5c77e269f
                                  • Instruction ID: 0059f7ea0b8d7d0d65c4a78e40f0e4aafdcd3f574c447779c698194a06912c45
                                  • Opcode Fuzzy Hash: b1dad1ce256b1684a8175d856f874e6d727c14fefad776fbc74133d5c77e269f
                                  • Instruction Fuzzy Hash: 915147B09002489FDB18CFA8D9847EDBFF1BF49300F14866AE459EB792E7749984CB54
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004DD06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004DD096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: ffc60683d30c1fc0373124680826eb6edad203088708ffb1e629b638cf993db1
                                  • Instruction ID: 8e18b37ce29d110f99ca7a28c8c3b9f4d49a30332fe73968d718eb274a4bb29c
                                  • Opcode Fuzzy Hash: ffc60683d30c1fc0373124680826eb6edad203088708ffb1e629b638cf993db1
                                  • Instruction Fuzzy Hash: 9001B6B6500706AF8704DF59D449882FBF8FB48710704C52BE929CBB11E7B0E528CFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004EB3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 004EB406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: 560c1bd13681fac5801e16c9e48f818d085bdb0ba9fbd0fc6d6104bcab60f0bb
                                  • Instruction ID: 5cf2fa362dbffaac2d6be0449ecf0d541c4a9b2f6fe90d9c37c8b6d4df1a8620
                                  • Opcode Fuzzy Hash: 560c1bd13681fac5801e16c9e48f818d085bdb0ba9fbd0fc6d6104bcab60f0bb
                                  • Instruction Fuzzy Hash: 99F0C4B6500606AF8708DF58D409886BBE8FA44710705852BE92ACBB01E7B0E528CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 004EB612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: PxN$invalid hash bucket count
                                  • API String ID: 909987262-1733123108
                                  • Opcode ID: 686853c08590834f98b4d53dc8c848f6fb3878168f741035d229321d22d8fdc8
                                  • Instruction ID: 89a5f42ad7e59ce31d8c25ed597cfa7b4da97e2e0051c6818ee6d7366520562e
                                  • Opcode Fuzzy Hash: 686853c08590834f98b4d53dc8c848f6fb3878168f741035d229321d22d8fdc8
                                  • Instruction Fuzzy Hash: CA7111B4A00605EFCB14CF4AC58086AFBF5FF89305724C5AAD8599B355D731EA42CF94
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 004EE491
                                  Strings
                                  • type must be string, but is , xrefs: 004EE4F8
                                  • type must be boolean, but is , xrefs: 004EE582
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 85f755cd5281175665b6242d1c0b5ceb5c41c05e4c23346af8f45d0c1d25a1d2
                                  • Instruction ID: 81dfc1ba44078b301363169bcf37febc4f1db22a60191b8dd76db3b29e99c359
                                  • Opcode Fuzzy Hash: 85f755cd5281175665b6242d1c0b5ceb5c41c05e4c23346af8f45d0c1d25a1d2
                                  • Instruction Fuzzy Hash: 04418FB5904248AFCB04EBE5D916B9E7BA8EB00304F14857BF419D77C1EB39E900C759
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00473078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3319154863.0000000000471000.00000040.00000001.01000000.00000004.sdmp, Offset: 00470000, based on PE: true
                                  • Associated: 00000007.00000002.3319088494.0000000000470000.00000004.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319154863.00000000005A3000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319454932.00000000005A8000.00000008.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000005AC000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.000000000072F000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007C1000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F0000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.00000000007F7000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3319492334.0000000000806000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320050095.0000000000807000.00000080.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320247369.0000000000961000.00000040.00000001.01000000.00000004.sdmp
                                  • Associated: 00000007.00000002.3320274736.0000000000962000.00000080.00000001.01000000.00000004.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_470000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!G$`!G
                                  • API String ID: 2659868963-861533128
                                  • Opcode ID: 99447c82e472c91620c5841f6879504ffad7e8dd6ed193e35288c35b8d1fa9aa
                                  • Instruction ID: 6fb6a8f85e173953e4c39241ac04ff95093df2c826d5703955637a110fd3ece0
                                  • Opcode Fuzzy Hash: 99447c82e472c91620c5841f6879504ffad7e8dd6ed193e35288c35b8d1fa9aa
                                  • Instruction Fuzzy Hash: 69E012B29053199BC710DFA8D8459CAFFF8AB59701F04C6BAE948D7300F6B0D5549BD1

                                  Execution Graph

                                  Execution Coverage:3.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:650
                                  Total number of Limit Nodes:68
                                  execution_graph

                                  Control-flow Graph

                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00E83A53
                                  • GetCursorPos.USER32(?), ref: 00E83A59
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00E83DB6), ref: 00E83B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00E83DB6), ref: 00E83BBA
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CursorSleep
                                  • String ID:
                                  • API String ID: 4211308429-0
                                  • Opcode ID: 95db7cfec9a3487ce25382a4d25d1ed3d675f644640085c6378ecf76888fa269
                                  • Instruction ID: b02dbafd8d822de8045ff959e7a6dfcf32d10143d32389b03428d1a9794a9b34
                                  • Opcode Fuzzy Hash: 95db7cfec9a3487ce25382a4d25d1ed3d675f644640085c6378ecf76888fa269
                                  • Instruction Fuzzy Hash: 9851CE75A041198FCB28DF68C8D0EA9B3B1FF45B08F29559AD449AF351D731EE05CB80

                                  Control-flow Graph

                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: d4415bb2678a5e9c11eb5e88b1a18c136dca9f9d066c4e6b5375664871c93330
                                  • Instruction ID: 79b7c39fce77d68e32868530486a266989b43519767541d5a49d8599183a32e9
                                  • Opcode Fuzzy Hash: d4415bb2678a5e9c11eb5e88b1a18c136dca9f9d066c4e6b5375664871c93330
                                  • Instruction Fuzzy Hash: 2F3192726053116BD7209F259C8976BBBE4EB85738F016F1DF9A8A73E0D3719804CB92

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 55 eff290-eff293 56 eff2a2-eff2a5 call f0df2c 55->56 58 eff2aa-eff2ad 56->58 59 eff2af-eff2b0 58->59 60 eff295-eff2a0 call f117d8 58->60 60->56 63 eff2b1-eff2b5 60->63 64 e221d0-e22220 call e221b0 call f00efb call f00651 63->64 65 eff2bb 63->65 65->65
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2220E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: eab32b943f562d70d5863ea0e895703991a18446330479bed5feb8665a34cc35
                                  • Instruction ID: ae8cc15cf3f3d62894ca46a069ee0f44517381d210be0b1bca848ac53258cec5
                                  • Opcode Fuzzy Hash: eab32b943f562d70d5863ea0e895703991a18446330479bed5feb8665a34cc35
                                  • Instruction Fuzzy Hash: 27012B3550030DABCB14AF98EC029A977EC9E00314F008439FB18EB591EB70E964A791

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 72 e2a210-e2a2ab call eff290 call e22ae0 77 e2a2b0-e2a2bb 72->77 77->77 78 e2a2bd-e2a2c8 77->78 79 e2a2ca 78->79 80 e2a2cd-e2a2de call f05362 78->80 79->80 83 e2a2e0-e2a305 call f09136 call f04eeb call f09136 80->83 84 e2a351-e2a357 80->84 101 e2a307 83->101 102 e2a30c-e2a316 83->102 86 e2a381-e2a393 84->86 87 e2a359-e2a365 84->87 89 e2a377-e2a37e call eff511 87->89 90 e2a367-e2a375 87->90 89->86 90->89 92 e2a394-e2a3ae call f047b0 90->92 100 e2a3b0-e2a3bb 92->100 100->100 103 e2a3bd-e2a3c8 100->103 101->102 106 e2a328-e2a32f call e8cf60 102->106 107 e2a318-e2a31c 102->107 104 e2a3ca 103->104 105 e2a3cd-e2a3df call f05362 103->105 104->105 114 e2a3e1-e2a3f9 call f09136 call f04eeb call f08be8 105->114 115 e2a3fc-e2a403 105->115 113 e2a334-e2a33a 106->113 109 e2a320-e2a326 107->109 110 e2a31e 107->110 109->113 110->109 116 e2a33e-e2a349 call f0dbdf call f08be8 113->116 117 e2a33c 113->117 114->115 120 e2a405-e2a411 115->120 121 e2a42d-e2a433 115->121 131 e2a34e 116->131 117->116 124 e2a423-e2a42a call eff511 120->124 125 e2a413-e2a421 120->125 124->121 125->124 128 e2a434-e2a45e call f047b0 125->128 139 e2a460-e2a464 128->139 140 e2a46f-e2a474 128->140 131->84 139->140 141 e2a466-e2a46e 139->141
                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID: />
                                  • API String ID: 2638373210-3782486657
                                  • Opcode ID: 613f405078d69c61e7afa1c37658272bacd72fc0c55d0e3bfd55429607f926db
                                  • Instruction ID: 5207932235581cc8bad34de8421368986b5c50a8a6b747b12d9adaf104e066a1
                                  • Opcode Fuzzy Hash: 613f405078d69c61e7afa1c37658272bacd72fc0c55d0e3bfd55429607f926db
                                  • Instruction Fuzzy Hash: 99715870900214AFDB14DF68EC45BAFB7E9EF41704F14856DF809AB282D7B9E9418792

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 142 f14623-f14633 143 f14635-f14648 call f0d22c call f0d23f 142->143 144 f1464d-f1464f 142->144 162 f149a7 143->162 146 f14655-f1465b 144->146 147 f1498f-f1499c call f0d22c call f0d23f 144->147 146->147 150 f14661-f1468a 146->150 164 f149a2 call f047a0 147->164 150->147 153 f14690-f14699 150->153 156 f146b3-f146b5 153->156 157 f1469b-f146ae call f0d22c call f0d23f 153->157 160 f1498b-f1498d 156->160 161 f146bb-f146bf 156->161 157->164 166 f149aa-f149ad 160->166 161->160 165 f146c5-f146c9 161->165 162->166 164->162 165->157 169 f146cb-f146e2 165->169 171 f146e4-f146e7 169->171 172 f14717-f1471d 169->172 175 f146e9-f146ef 171->175 176 f1470d-f14715 171->176 173 f146f1-f14708 call f0d22c call f0d23f call f047a0 172->173 174 f1471f-f14726 172->174 203 f148c2 173->203 178 f14728 174->178 179 f1472a-f14748 call f16e2d call f16db3 * 2 174->179 175->173 175->176 177 f1478a-f147a9 176->177 181 f14865-f1486e call f20d44 177->181 182 f147af-f147bb 177->182 178->179 211 f14765-f14788 call f0e13d 179->211 212 f1474a-f14760 call f0d23f call f0d22c 179->212 193 f14870-f14882 181->193 194 f148df 181->194 182->181 185 f147c1-f147c3 182->185 185->181 190 f147c9-f147ea 185->190 190->181 195 f147ec-f14802 190->195 193->194 199 f14884-f14893 193->199 200 f148e3-f148f9 ReadFile 194->200 195->181 201 f14804-f14806 195->201 199->194 216 f14895-f14899 199->216 204 f14957-f14962 200->204 205 f148fb-f14901 200->205 201->181 206 f14808-f1482b 201->206 213 f148c5-f148cf call f16db3 203->213 224 f14964-f14976 call f0d23f call f0d22c 204->224 225 f1497b-f1497e 204->225 205->204 209 f14903 205->209 206->181 210 f1482d-f14843 206->210 218 f14906-f14918 209->218 210->181 219 f14845-f14847 210->219 211->177 212->203 213->166 216->200 223 f1489b-f148b3 216->223 218->213 226 f1491a-f1491e 218->226 219->181 227 f14849-f14860 219->227 243 f148b5 223->243 244 f148d4-f148dd 223->244 224->203 232 f14984-f14986 225->232 233 f148bb-f148c1 call f0d1e5 225->233 230 f14920-f14930 call f14335 226->230 231 f14937-f14944 226->231 227->181 252 f14933-f14935 230->252 240 f14950-f14955 call f1417b 231->240 241 f14946 call f1448c 231->241 232->213 233->203 249 f1494b-f1494e 240->249 241->249 243->233 244->218 249->252 252->213
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19cf0eefd71166cb62f510b92777136c8afa4b57cee8dc053ce5749408e04845
                                  • Instruction ID: 1586b34f15cb8f03c044df063045f8fd5a3a9577a610e9a2166ded10919de28c
                                  • Opcode Fuzzy Hash: 19cf0eefd71166cb62f510b92777136c8afa4b57cee8dc053ce5749408e04845
                                  • Instruction Fuzzy Hash: 1BB10671E04249AFDB11DFA8D840BFEBBB1AF86324F544158E5549B282C774BD81FB60

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 253 f1549c-f154be 254 f156b1 253->254 255 f154c4-f154c6 253->255 258 f156b3-f156b7 254->258 256 f154f2-f15515 255->256 257 f154c8-f154e7 call f04723 255->257 260 f15517-f15519 256->260 261 f1551b-f15521 256->261 264 f154ea-f154ed 257->264 260->261 263 f15523-f15534 260->263 261->257 261->263 265 f15547-f15557 call f14fe1 263->265 266 f15536-f15544 call f0e17d 263->266 264->258 271 f155a0-f155b2 265->271 272 f15559-f1555f 265->272 266->265 275 f155b4-f155ba 271->275 276 f15609-f15629 WriteFile 271->276 273 f15561-f15564 272->273 274 f15588-f1559e call f14bb2 272->274 279 f15566-f15569 273->279 280 f1556f-f1557e call f14f79 273->280 298 f15581-f15583 274->298 277 f155f5-f15607 call f1505e 275->277 278 f155bc-f155bf 275->278 282 f15634 276->282 283 f1562b-f15631 276->283 304 f155dc-f155df 277->304 285 f155e1-f155f3 call f15222 278->285 286 f155c1-f155c4 278->286 279->280 287 f15649-f1564c 279->287 280->298 284 f15637-f15642 282->284 283->282 291 f15644-f15647 284->291 292 f156ac-f156af 284->292 285->304 293 f155ca-f155d7 call f15139 286->293 294 f1564f-f15651 286->294 287->294 291->287 292->258 293->304 301 f15653-f15658 294->301 302 f1567f-f1568b 294->302 298->284 305 f15671-f1567a call f0d208 301->305 306 f1565a-f1566c 301->306 307 f15695-f156a7 302->307 308 f1568d-f15693 302->308 304->298 305->264 306->264 307->264 308->254 308->307
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00F09087,?,00000000,00000000,00000000,?,00000000,?,00E2A3EB,00F09087,00000000,00E2A3EB,?,?), ref: 00F15622
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: fbd21c2d98e7224b2bfe3df50a123d83b9cd553216ca1c47d175f167c32d04df
                                  • Instruction ID: c790f5d81f0ff709c99c89fad30e406dfeb3fead40c12cd59cceb9b0e84d857a
                                  • Opcode Fuzzy Hash: fbd21c2d98e7224b2bfe3df50a123d83b9cd553216ca1c47d175f167c32d04df
                                  • Instruction Fuzzy Hash: 1761C372D04519EFDF11CFA8CC44EEEBBBAAF89718F540149E904A7205D335D981ABA0

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 311 f04942-f0494f 312 f04951-f04974 call f04723 311->312 313 f04979-f0498d call f15f82 311->313 318 f04ae0-f04ae2 312->318 319 f04992-f0499b call f0e11f 313->319 320 f0498f 313->320 322 f049a0-f049af 319->322 320->319 323 f049b1 322->323 324 f049bf-f049c8 322->324 327 f049b7-f049b9 323->327 328 f04a89-f04a8e 323->328 325 f049ca-f049d7 324->325 326 f049dc-f04a10 324->326 329 f04adc 325->329 330 f04a12-f04a1c 326->330 331 f04a6d-f04a79 326->331 327->324 327->328 332 f04ade-f04adf 328->332 329->332 333 f04a43-f04a4f 330->333 334 f04a1e-f04a2a 330->334 335 f04a90-f04a93 331->335 336 f04a7b-f04a82 331->336 332->318 333->335 338 f04a51-f04a6b call f04e59 333->338 334->333 337 f04a2c-f04a3e call f04cae 334->337 339 f04a96-f04a9e 335->339 336->328 337->332 338->339 340 f04aa0-f04aa6 339->340 341 f04ada 339->341 344 f04aa8-f04abc call f04ae3 340->344 345 f04abe-f04ac2 340->345 341->329 344->332 349 f04ac4-f04ad2 call f24a10 345->349 350 f04ad5-f04ad7 345->350 349->350 350->341
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aecc307ec2b021fa93ff545d67021f98fc702a582b53f0f61bf0f37a024f6f59
                                  • Instruction ID: 5441e602c5e7303d5e46355f10d3cc31ed826ae4dbb4abe37245bc8874a73806
                                  • Opcode Fuzzy Hash: aecc307ec2b021fa93ff545d67021f98fc702a582b53f0f61bf0f37a024f6f59
                                  • Instruction Fuzzy Hash: 5151D7B1B00208AFDF14CF58CC45AAABBB1EF45364F248158F9499B292D375BE41FB90

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 354 e90560-e9057f 355 e906a9 call e22270 354->355 356 e90585-e90598 354->356 361 e906ae call e221d0 355->361 357 e9059a 356->357 358 e905c0-e905c8 356->358 360 e9059c-e905a1 357->360 362 e905ca-e905cf 358->362 363 e905d1-e905d5 358->363 364 e905a4-e905a5 call eff290 360->364 369 e906b3-e906b8 call f047b0 361->369 362->360 366 e905d9-e905e1 363->366 367 e905d7 363->367 374 e905aa-e905af 364->374 370 e905f0-e905f2 366->370 371 e905e3-e905e8 366->371 367->366 372 e90601 370->372 373 e905f4-e905ff call eff290 370->373 371->361 376 e905ee 371->376 378 e90603-e90629 372->378 373->378 374->369 379 e905b5-e905be 374->379 376->364 382 e9062b-e90655 call f00f70 call f014f0 378->382 383 e90680-e906a6 call f00f70 call f014f0 378->383 379->378 392 e90669-e9067d call eff511 382->392 393 e90657-e90665 382->393 393->369 394 e90667 393->394 394->392
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E906AE
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 58e506cfc00d3c3ab2b10e81f9d74b94323ab56c43e16216cc7c744f5a420204
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 0F41B172A001189FCF15DF68DC806AE7BE5EF89350F550569F805AB342DB30DE60ABE1

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 397 f14b12-f14b26 call f1a6de 400 f14b28-f14b2a 397->400 401 f14b2c-f14b34 397->401 402 f14b7a-f14b9a call f1a64d 400->402 403 f14b36-f14b3d 401->403 404 f14b3f-f14b42 401->404 412 f14bac 402->412 413 f14b9c-f14baa call f0d208 402->413 403->404 406 f14b4a-f14b5e call f1a6de * 2 403->406 407 f14b60-f14b70 call f1a6de FindCloseChangeNotification 404->407 408 f14b44-f14b48 404->408 406->400 406->407 407->400 419 f14b72-f14b78 407->419 408->406 408->407 417 f14bae-f14bb1 412->417 413->417 419->402
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00F149F9,00000000,CF830579,00F51140,0000000C,00F14AB5,00F08BBD,?), ref: 00F14B69
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 9b1cf9dd1e5ae230e640009c12dcba2bed402a95dbed2428f3dbb4deba414159
                                  • Instruction ID: dc6d73cd8d5cc340d6d833f3a0cab5af6babc1881deeb17112a0890a007776a0
                                  • Opcode Fuzzy Hash: 9b1cf9dd1e5ae230e640009c12dcba2bed402a95dbed2428f3dbb4deba414159
                                  • Instruction Fuzzy Hash: DD116633B0D22816C724E274AC45BFE774A8BD27B4F29061DF9288B0C2EE25F8C17195

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  control_flow_graph 423 f0e05c-f0e074 call f1a6de 426 f0e076-f0e07d 423->426 427 f0e08a-f0e0a0 SetFilePointerEx 423->427 428 f0e084-f0e088 426->428 429 f0e0a2-f0e0b3 call f0d208 427->429 430 f0e0b5-f0e0bf 427->430 431 f0e0db-f0e0de 428->431 429->428 430->428 432 f0e0c1-f0e0d6 430->432 432->431
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00F50DF8,00E2A3EB,00000002,00E2A3EB,00000000,?,?,?,00F0E166,00000000,?,00E2A3EB,00000002,00F50DF8), ref: 00F0E099
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: b5b4e972b5ce813e3436bae8cef153d4afed02cc1c653ffd8270a2ab4029433b
                                  • Instruction ID: 5ce4e9126ccf6e7ba1657cb4e341831f8b9b31728f6301df91eaa04229d70216
                                  • Opcode Fuzzy Hash: b5b4e972b5ce813e3436bae8cef153d4afed02cc1c653ffd8270a2ab4029433b
                                  • Instruction Fuzzy Hash: 5601D632614119ABCF05CF59CC45D9E3B29DB85334B240648F8519B1D1E6B1E951BBD0

                                  Control-flow Graph
                                  control_flow_graph 436 f163f3-f163fe 437 f16400-f1640a 436->437 438 f1640c-f16412 436->438 437->438 439 f16440-f1644b call f0d23f 437->439 440 f16414-f16415 438->440 441 f1642b-f1643c RtlAllocateHeap 438->441 445 f1644d-f1644f 439->445 440->441 442 f16417-f1641e call f13f93 441->442 443 f1643e 441->443 442->439 449 f16420-f16429 call f117d8 442->449 443->445 449->439 449->441
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00F091F7,00000000,?,00F15D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00F0D244,00F089C3,00F091F7,00000000), ref: 00F16435
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 57b917eea78ff5fd76c29319be16ae228437c5b3d40001d72034a02aa1604c5a
                                  • Instruction ID: 3bdd311eb0078a429a2fc75de3e8095fa5b2402a76ae5f20e7d55d6864e16007
                                  • Opcode Fuzzy Hash: 57b917eea78ff5fd76c29319be16ae228437c5b3d40001d72034a02aa1604c5a
                                  • Instruction Fuzzy Hash: 65F0E93290022466DB21EB629D02BEB3B48AF51774F158015FC08D61C4CB30E891B2F1

                                  Control-flow Graph
                                  control_flow_graph 452 f16e2d-f16e39 453 f16e6b-f16e76 call f0d23f 452->453 454 f16e3b-f16e3d 452->454 461 f16e78-f16e7a 453->461 455 f16e56-f16e67 RtlAllocateHeap 454->455 456 f16e3f-f16e40 454->456 458 f16e42-f16e49 call f13f93 455->458 459 f16e69 455->459 456->455 458->453 464 f16e4b-f16e54 call f117d8 458->464 459->461 464->453 464->455
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00F1D635,4D88C033,?,00F1D635,00000220,?,00F157EF,4D88C033), ref: 00F16E60
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 0e90ce7ef563a7dedaca3b838c8ff6c26b719bab6defff7395129a5792e341c8
                                  • Instruction ID: e9a63d774361e04c5e61189beefc558a617c10e9bb143e0bdff9b71b68269a36
                                  • Opcode Fuzzy Hash: 0e90ce7ef563a7dedaca3b838c8ff6c26b719bab6defff7395129a5792e341c8
                                  • Instruction Fuzzy Hash: 40E0ED3A9006266ADE3022A5EE10BEB768CDF823B0F050320FD04D20D0CB20C880B7EC
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00E28E0E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00E28E1B
                                  • GetModuleHandleA.KERNEL32(?), ref: 00E28E85
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00E28E8C
                                  • CloseHandle.KERNEL32(?), ref: 00E29092
                                  • CloseHandle.KERNEL32(?), ref: 00E290F4
                                  • CloseHandle.KERNEL32(00000000), ref: 00E29121
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Close$AddressModuleProc
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 4110381430-3184506882
                                  • Opcode ID: 9091102b83599149e82ce9bd28b61c6fbea91f02a7affbcc63be7b8aae466bfd
                                  • Instruction ID: 0d454d004931ca7e96a82758d8ebe79540815df0cb89ef609f4344b1a822753b
                                  • Opcode Fuzzy Hash: 9091102b83599149e82ce9bd28b61c6fbea91f02a7affbcc63be7b8aae466bfd
                                  • Instruction Fuzzy Hash: 19C1DF70D0026D9AEF24CFA4DC85BEEBBB9FF05304F105469E504BB282DB71AA45CB65
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA55FC
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA563E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA5686
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA56C7
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA5708
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA5746
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA578E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA57D6
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA5817
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA585D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: `ic$eIcm$yNrw
                                  • API String ID: 190572456-2666854388
                                  • Opcode ID: 86a20adcc6b54d1d01c12debeb9f873ac98b0b3d25a45bf5c1f0a1b29b0c0570
                                  • Instruction ID: 26c21558885654b5768b888d4b593a509d3127d4bcc205002389c1166a2171d2
                                  • Opcode Fuzzy Hash: 86a20adcc6b54d1d01c12debeb9f873ac98b0b3d25a45bf5c1f0a1b29b0c0570
                                  • Instruction Fuzzy Hash: 0E816CB0C1834CAEDF08DFA4D8456EEBFB9EF46300F50809ED841AB651D779520ADBA5
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 8599618bf8421a068af755f4fd3c5bd1ec1b8610abd7510a5cb7e0b2cf50733d
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: A4024C71E012199BDF14CFA8C8806AEFBF1FF48364F258269D955A7381DB31AD42DB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E8F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E8F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8FA08
                                  • std::_Facet_Register.LIBCPMT ref: 00E8FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: fe7294090611237b26b0d0edb4fd5a97461b95abb5bf5fe5ccbe8aec534d7691
                                  • Instruction ID: edddf34285541e57feae91260793dbe96afe4e68444be5238c1c7a52445bb7b4
                                  • Opcode Fuzzy Hash: fe7294090611237b26b0d0edb4fd5a97461b95abb5bf5fe5ccbe8aec534d7691
                                  • Instruction Fuzzy Hash: 72619E71D003089BEB10EFA4D845BAEBBF4AF54314F145168E90DBB391E774E905CBA2
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3$@3$G>$G>$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-2705522371
                                  • Opcode ID: 941b569fd9b372534b43720e848cea379f200e4c3e487be86c76d6942423ac1f
                                  • Instruction ID: 9c193e03661e311e661bf4aab044759bd87bff4d00b77d912e8bb799c81abe40
                                  • Opcode Fuzzy Hash: 941b569fd9b372534b43720e848cea379f200e4c3e487be86c76d6942423ac1f
                                  • Instruction Fuzzy Hash: 0941D7B2900214AFCB14DF68DC45BAEB7F9EF48710F14852AF915E7741E774AA048FA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3$@3$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-3684864891
                                  • Opcode ID: 64c1155f8a9888826ef219a3a4217401c42159e752cab8134caaa9bdaa011c5d
                                  • Instruction ID: ef27cd10cbcd0b5cfde570eb25b9332899fd82c4c889184476310ac7fef79f0a
                                  • Opcode Fuzzy Hash: 64c1155f8a9888826ef219a3a4217401c42159e752cab8134caaa9bdaa011c5d
                                  • Instruction Fuzzy Hash: CD21EEB25007156BC714DF64E805B96B7E8AF04310F58883AFA58A7642E774EA18DF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E24F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E24FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E250C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3$`!$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-3572337925
                                  • Opcode ID: 2b9a69c3b1bfa0d381865fbdf330cb6c31409aa6b632432770519b7dcf0bd211
                                  • Instruction ID: cd89ac12825f66d830b6811a158454a4cda269e082b78cad544c5c8aa9b13da6
                                  • Opcode Fuzzy Hash: 2b9a69c3b1bfa0d381865fbdf330cb6c31409aa6b632432770519b7dcf0bd211
                                  • Instruction Fuzzy Hash: F8E104B19002149FDB28DF68EC45BAEBBF9FF44700F144A2DE456A7781D774A904CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$out_of_range$type_error
                                  • API String ID: 2659868963-4040272994
                                  • Opcode ID: 07a31e1575d485ce63107cf4b94ab372cab17ecfe74e090b3c70833e42db892c
                                  • Instruction ID: ddb3e1b346a2632c455f5834395cf01db8d958608bb5068d2a0ebf62d3cccee0
                                  • Opcode Fuzzy Hash: 07a31e1575d485ce63107cf4b94ab372cab17ecfe74e090b3c70833e42db892c
                                  • Instruction Fuzzy Hash: 2FC169B19002188FDB18DFA8E88479DFBF2FF49310F148669E459EB792E7749980CB51
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E232C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E23350
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4$@3$`!$`!
                                  • API String ID: 2970364248-797261742
                                  • Opcode ID: cb8d67bdaf3631c3bf867aff67256b17223afeea57db475b3a2ba143d3444560
                                  • Instruction ID: 65759c6bf99bcd676b492d2a9cacf7f33d60f1635fdf3eb8b77cc7c8f9e46b12
                                  • Opcode Fuzzy Hash: cb8d67bdaf3631c3bf867aff67256b17223afeea57db475b3a2ba143d3444560
                                  • Instruction Fuzzy Hash: FD518E719102189FDB08CFA8D885BEEBBF5FF48310F14812AE815A7392D7789A45CF91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E23A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E23AA4
                                  • __Getctype.LIBCPMT ref: 00E23ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E23AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E23B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 3c76d7475267286d309b316430108f47342dd7520ab42b16f7d314c3cb66b883
                                  • Instruction ID: 8b277ce00ec62846becfbaeb22aa02aaf31843b854dfcd7d9ccd491de4bb66cd
                                  • Opcode Fuzzy Hash: 3c76d7475267286d309b316430108f47342dd7520ab42b16f7d314c3cb66b883
                                  • Instruction Fuzzy Hash: E35150B1D002589BEB10DFA4DC45B9EBBF8AF14314F145169E909BB381E778EA04DB51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00F02E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00F02F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 6b068ed09a4c9b9bc7e4eece4a127dd5df4daee327261ef60b394e6bbe1985ca
                                  • Instruction ID: 4446ba945c82f459669d658930f36dc23b73c64d22b0a7afb040ee226c32c5d2
                                  • Opcode Fuzzy Hash: 6b068ed09a4c9b9bc7e4eece4a127dd5df4daee327261ef60b394e6bbe1985ca
                                  • Instruction Fuzzy Hash: 5941E630E00209ABCF50DF68CC89A9EBBB5AF44325F148055E9149B3D2DB75EE45FBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8DED6
                                  • std::_Facet_Register.LIBCPMT ref: 00E8DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E8DF7B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: b0b15a1e2affc74a74216257518afbbd0ff9eb3deb73b49f747dade3abb57075
                                  • Instruction ID: f684e413ea51eb0b897539e284efc3f9e7a857329b545cd4d167d7426794e556
                                  • Opcode Fuzzy Hash: b0b15a1e2affc74a74216257518afbbd0ff9eb3deb73b49f747dade3abb57075
                                  • Instruction Fuzzy Hash: C141C171E042199FCB14EF54DC41AAEBBB4FB04724F144269EA1ABB392D730AD00DBD1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$parse error$parse_error
                                  • API String ID: 2659868963-1090282668
                                  • Opcode ID: 7a810dc789a2c2214f73fb8e95d8e7b696bddb87427a19360a71baf05bdd1a89
                                  • Instruction ID: 73eccc8488515a1544c7b2f7430b507cd7de2adc626cf15972268ac38c9a3437
                                  • Opcode Fuzzy Hash: 7a810dc789a2c2214f73fb8e95d8e7b696bddb87427a19360a71baf05bdd1a89
                                  • Instruction Fuzzy Hash: 38E18E709042188FDB18CF68D885B9DBBF2FF49300F248269E458EB792D7749A81DF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E275BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E275CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!
                                  • API String ID: 4194217158-1910556284
                                  • Opcode ID: 9cee3126e46bba7d0f3090d5d149f81e6b41256bb25eadb4b0a93c6b46638939
                                  • Instruction ID: f1a4cefb22b72449f43d944da465206b8a130bd8e38ee2cf895b601f8247dbc5
                                  • Opcode Fuzzy Hash: 9cee3126e46bba7d0f3090d5d149f81e6b41256bb25eadb4b0a93c6b46638939
                                  • Instruction Fuzzy Hash: 88610471A042189FDB08DF68EC85BADFBB6FF44300F24462CE455A7B82D774AA40DB91
                                  APIs
                                    • Part of subcall function 00E23190: ___std_exception_copy.LIBVCRUNTIME ref: 00E232C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4$@3$@3$`!
                                  • API String ID: 2659868963-2319638956
                                  • Opcode ID: 83d5bc14befcc14809a7fff9923f64899a864920fd5d4623842cd20969aaa280
                                  • Instruction ID: a9c11b4f5675c3ef13326b7a82451c6435dd35c5991051ad663e5e61f9de190b
                                  • Opcode Fuzzy Hash: 83d5bc14befcc14809a7fff9923f64899a864920fd5d4623842cd20969aaa280
                                  • Instruction Fuzzy Hash: BC3194719002199FCB18DFA8D841AAEFBF9FF08710F10852AF514E7A41E774AA54DF91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4$@3$@3$`!
                                  • API String ID: 2659868963-2319638956
                                  • Opcode ID: 4424335e6ac9a0082b184d32fdf35380147a62c479cae05fd148ec0bc7334109
                                  • Instruction ID: c1e088df5a8e6465786e9178781bf7859c2039cd5a94477c73765e20e320c139
                                  • Opcode Fuzzy Hash: 4424335e6ac9a0082b184d32fdf35380147a62c479cae05fd148ec0bc7334109
                                  • Instruction Fuzzy Hash: 97014F76500209AFC704DFA8E801896FBFCBF05310B00843AE52997611EBB4E628DF90
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E26F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E26F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 00000008.00000002.3319083155.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319260844.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319515508.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3319559246.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320094232.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320293029.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000008.00000002.3320334801.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!
                                  • API String ID: 4194217158-2932383579
                                  • Opcode ID: 6c622cbdc460e3b970bd150d5240e01207666aebc943c58e14544e86142340c4
                                  • Instruction ID: 48adba08bea6bd3e1cd2fdbf4ca052bf784b273308ac14e9665348c1ab4dc37a
                                  • Opcode Fuzzy Hash: 6c622cbdc460e3b970bd150d5240e01207666aebc943c58e14544e86142340c4
                                  • Instruction Fuzzy Hash: CF91E370A002189FDB18CF68D985B9EBBF2FF44300F20866DE415AB792D775AA41CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E277B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$invalid_iterator
                                  • API String ID: 2659868963-1518100916
                                  • Opcode ID: a593c55b5f056541eb49bb2f1b6ffd6cde8b698a186152b76a5c812f55306841
                                  • Instruction ID: 00e65235b09eae74e274c918c41551fe088134bb5fdde04ab83015e9221f09a8
                                  • Opcode Fuzzy Hash: a593c55b5f056541eb49bb2f1b6ffd6cde8b698a186152b76a5c812f55306841
                                  • Instruction Fuzzy Hash: 7F514AB09002188FDB18CF68E88479DFBF1FF49310F14866AE459EB792E7749980CB94
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$other_error
                                  • API String ID: 2659868963-2644867674
                                  • Opcode ID: 5d1636e28fa67f2107719020437dc496fde5f13289f1dde8bcc844f75bbc0622
                                  • Instruction ID: 1376918ab173513a550c89a191be5d7b981cf396c629d345932b35cf89d6cc9a
                                  • Opcode Fuzzy Hash: 5d1636e28fa67f2107719020437dc496fde5f13289f1dde8bcc844f75bbc0622
                                  • Instruction Fuzzy Hash: D9516BB09002588FDB18CFA8E88479DFBF1FF49300F148669E459EB792D774A984CB51
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E8D06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E8D096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 73999430599f08e79885edc71edc38918d40805b10b7029058dc1838a2fdef63
                                  • Instruction ID: 803e7154287e4386bdd47d106ad582b7d269e830daa559e4878833b2715db83a
                                  • Opcode Fuzzy Hash: 73999430599f08e79885edc71edc38918d40805b10b7029058dc1838a2fdef63
                                  • Instruction Fuzzy Hash: 5301A4B6500616AFC704DF59D505982FBF8FB49710704853BA929CBB11E7B0E528DFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E9B3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E9B406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 85198b0f4d25c001fee0b32d0b5a39a20c76fc956bd22bbb2b2e849715ce8908
                                  • Instruction ID: b6eb54f067dd5123c54f6e130b01c5dad0c46cba8f61e5494eb96c41ac7d66df
                                  • Opcode Fuzzy Hash: 85198b0f4d25c001fee0b32d0b5a39a20c76fc956bd22bbb2b2e849715ce8908
                                  • Instruction Fuzzy Hash: B9F0C4B6500616AF8708DF58D505986BBF8FB45710705853BE52ACBB01E7B0E528DBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00E22275
                                    • Part of subcall function 00EFD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00EFD6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$)
                                  • API String ID: 1997705970-906081222
                                  • Opcode ID: bcd7d4183c767adb930f9acbba96b35754209002afc9e4f0d376d8301899b119
                                  • Instruction ID: 2d7a99db14ea08e8806ebd7182c340b27fcc3c6c3fab88be1272cad1caa83779
                                  • Opcode Fuzzy Hash: bcd7d4183c767adb930f9acbba96b35754209002afc9e4f0d376d8301899b119
                                  • Instruction Fuzzy Hash: 3C813275A0429AAFCB02CF68C4507EDBFF1EF5A300F1841AECA94A7742C3359545CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00E9B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px$invalid hash bucket count
                                  • API String ID: 909987262-1779506432
                                  • Opcode ID: 37a2cd6eecc92ff53301f3383126d605a5c14ff7059684deb759e1f968a0e16a
                                  • Instruction ID: 8f2ce83f6dfd477ea7d6ec6f6a224365b40125daf9ee55e6aaa316681e618c9e
                                  • Opcode Fuzzy Hash: 37a2cd6eecc92ff53301f3383126d605a5c14ff7059684deb759e1f968a0e16a
                                  • Instruction Fuzzy Hash: 9D7102B4A00619DFCB14CF49D280869FBF6FF88314725C5AAD859AB356D731EA41CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E9E491
                                  Strings
                                  • type must be boolean, but is , xrefs: 00E9E582
                                  • type must be string, but is , xrefs: 00E9E4F8
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 354e5571da3c5cefc0e48bbb9622d531af7749b882e3575be750a5a63d52cb40
                                  • Instruction ID: aaea65f4c193baca37a67387fc6f9003876c1c31060a09e5ae6ba120b5db35ea
                                  • Opcode Fuzzy Hash: 354e5571da3c5cefc0e48bbb9622d531af7749b882e3575be750a5a63d52cb40
                                  • Instruction Fuzzy Hash: E6413CB1900248AFDB14EBA4E802B9E77E8DB00314F144679F619F7792EB35E944C792
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3319260844.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 00599af393aa1bf7e6d0f0448e1ad4590a0aae8e106d7a35474f25a8210d0728
                                  • Instruction ID: 6532ee06e612f181bbec3c8f70d4044cdb6382071e6c8136134e768e3bc8d89a
                                  • Opcode Fuzzy Hash: 00599af393aa1bf7e6d0f0448e1ad4590a0aae8e106d7a35474f25a8210d0728
                                  • Instruction Fuzzy Hash: 88E012B29113189BC710DFA8D9059CAFFF8AB19701F0486BAE948D7301FAB1D5549BD1

                                  Execution Graph

                                  Execution Coverage:3.4%
                                  Dynamic/Decrypted Code Coverage:0%
                                  Signature Coverage:0%
                                  Total number of Nodes:650
                                  Total number of Limit Nodes:68
___std_exception_destroy RtlAllocateHeap 17573->17576 17574->17573 17577 f1e681 17575->17577 17578 f16db3 ___std_exception_destroy RtlAllocateHeap 17575->17578 17576->17575 17579 f1e693 17577->17579 17580 f16db3 ___std_exception_destroy RtlAllocateHeap 17577->17580 17578->17577 17581 f16db3 ___std_exception_destroy RtlAllocateHeap 17579->17581 17579->17582 17580->17579 17581->17582 17582->17533 17584 f1ea17 17583->17584 17594 f1ea6f 17583->17594 17585 f1ea27 17584->17585 17586 f16db3 ___std_exception_destroy RtlAllocateHeap 17584->17586 17587 f1ea39 17585->17587 17588 f16db3 ___std_exception_destroy RtlAllocateHeap 17585->17588 17586->17585 17589 f16db3 ___std_exception_destroy RtlAllocateHeap 17587->17589 17591 f1ea4b 17587->17591 17588->17587 17589->17591 17590 f1ea5d 17593 f16db3 ___std_exception_destroy RtlAllocateHeap 17590->17593 17590->17594 17591->17590 17592 f16db3 ___std_exception_destroy RtlAllocateHeap 17591->17592 17592->17590 17593->17594 17594->17535 17596 f1f425 17595->17596 17597 f1f444 17595->17597 17596->17597 17598 f1ef31 __Getctype RtlAllocateHeap 17596->17598 17597->17548 17599 f1f43e 17598->17599 17600 f16db3 ___std_exception_destroy RtlAllocateHeap 17599->17600 17600->17597 17602 f046fe __fread_nolock 17601->17602 17607 f04723 17602->17607 17604 f04716 17614 f044dc 17604->17614 17608 f04733 17607->17608 17611 f0473a __fread_nolock __Getctype 17607->17611 17620 f04541 17608->17620 17610 f04748 17610->17604 17611->17610 17612 f046ec __fread_nolock RtlAllocateHeap 17611->17612 17613 f047ac 17612->17613 17613->17604 17616 f044e8 17614->17616 17615 f044ff 17618 f04512 17615->17618 17619 f04587 __fread_nolock RtlAllocateHeap 17615->17619 17616->17615 17635 f04587 17616->17635 17618->17484 17619->17618 17621 f04551 17620->17621 17624 f15ddd 17621->17624 17625 f15df0 __dosmaperr 17624->17625 17626 f163f3 __dosmaperr RtlAllocateHeap 17625->17626 17634 f04572 17625->17634 17628 f15e20 __dosmaperr 17626->17628 17627 f15e28 __dosmaperr 17631 f16db3 
___std_exception_destroy RtlAllocateHeap 17627->17631 17628->17627 17629 f15e5c 17628->17629 17630 f15a09 __dosmaperr RtlAllocateHeap 17629->17630 17632 f15e67 17630->17632 17631->17634 17633 f16db3 ___std_exception_destroy RtlAllocateHeap 17632->17633 17633->17634 17634->17611 17636 f04591 17635->17636 17637 f0459a 17635->17637 17638 f04541 __fread_nolock RtlAllocateHeap 17636->17638 17637->17615 17639 f04596 17638->17639 17639->17637 17642 f10259 17639->17642 17643 f1025e std::locale::_Setgloballocale 17642->17643 17647 f10269 std::locale::_Setgloballocale 17643->17647 17648 f1c7c6 17643->17648 17669 f0f224 17647->17669 17651 f1c7d2 __fread_nolock 17648->17651 17649 f15d2c __dosmaperr RtlAllocateHeap 17654 f1c803 std::locale::_Setgloballocale 17649->17654 17650 f1c822 17652 f0d23f __dosmaperr RtlAllocateHeap 17650->17652 17651->17649 17651->17650 17651->17654 17656 f1c834 std::_Lockit::_Lockit std::locale::_Setgloballocale 17651->17656 17653 f1c827 17652->17653 17655 f047a0 __fread_nolock RtlAllocateHeap 17653->17655 17654->17650 17654->17656 17668 f1c80c 17654->17668 17655->17668 17657 f1c9a4 std::_Lockit::~_Lockit 17656->17657 17658 f1c8a7 17656->17658 17660 f1c8d5 std::locale::_Setgloballocale 17656->17660 17659 f0f224 std::locale::_Setgloballocale RtlAllocateHeap 17657->17659 17658->17660 17672 f15bdb 17658->17672 17662 f1c9b7 17659->17662 17663 f15bdb __Getctype RtlAllocateHeap 17660->17663 17666 f1c92a 17660->17666 17660->17668 17663->17666 17665 f15bdb __Getctype RtlAllocateHeap 17665->17660 17667 f15bdb __Getctype RtlAllocateHeap 17666->17667 17666->17668 17667->17668 17668->17647 17686 f0f094 17669->17686 17671 f0f235 17673 f15be5 __dosmaperr 17672->17673 17674 f163f3 __dosmaperr RtlAllocateHeap 17673->17674 17675 f15bfb 17673->17675 17678 f15c28 __dosmaperr 17674->17678 17676 f15c8b 17675->17676 17677 f10259 __Getctype RtlAllocateHeap 17675->17677 17676->17665 17680 f15c95 17677->17680 17679 f15c68 17678->17679 17681 f15c30 __dosmaperr 17678->17681 
17683 f15a09 __dosmaperr RtlAllocateHeap 17679->17683 17682 f16db3 ___std_exception_destroy RtlAllocateHeap 17681->17682 17682->17675 17684 f15c73 17683->17684 17685 f16db3 ___std_exception_destroy RtlAllocateHeap 17684->17685 17685->17675 17688 f0f0c1 std::locale::_Setgloballocale 17686->17688 17687 f0ef23 std::locale::_Setgloballocale RtlAllocateHeap 17689 f0f10a std::locale::_Setgloballocale 17687->17689 17688->17687 17689->17671 17704 efd6e9 17690->17704 17701 e221de Concurrency::cancel_current_task 17700->17701 17702 f00651 ___std_exception_copy RtlAllocateHeap 17701->17702 17703 e22213 17702->17703 17703->17433 17707 efd4af 17704->17707 17706 efd6fa Concurrency::cancel_current_task 17710 e23010 17707->17710 17711 f00651 ___std_exception_copy RtlAllocateHeap 17710->17711 17712 e2303d 17711->17712 17712->17706 17716 f052ac __fread_nolock 17713->17716 17714 f052b3 17715 f0d23f __dosmaperr RtlAllocateHeap 17714->17715 17717 f052b8 17715->17717 17716->17714 17718 f052d3 17716->17718 17719 f047a0 __fread_nolock RtlAllocateHeap 17717->17719 17720 f052e5 17718->17720 17721 f052d8 17718->17721 17726 f052c3 17719->17726 17727 f16688 17720->17727 17722 f0d23f __dosmaperr RtlAllocateHeap 17721->17722 17722->17726 17724 f052ee 17725 f0d23f __dosmaperr RtlAllocateHeap 17724->17725 17724->17726 17725->17726 17726->17442 17728 f16694 __fread_nolock std::_Lockit::_Lockit 17727->17728 17731 f1672c 17728->17731 17730 f166af 17730->17724 17732 f1674f __fread_nolock 17731->17732 17733 f163f3 __dosmaperr RtlAllocateHeap 17732->17733 17736 f16795 __fread_nolock 17732->17736 17734 f167b0 17733->17734 17735 f16db3 ___std_exception_destroy RtlAllocateHeap 17734->17735 17735->17736 17736->17730 17739 f08e99 __fread_nolock 17737->17739 17738 f08e9f 17740 f04723 __fread_nolock RtlAllocateHeap 17738->17740 17739->17738 17741 f08ee2 __fread_nolock 17739->17741 17743 f08eba 17740->17743 17744 f09010 17741->17744 17743->17446 17745 f09023 17744->17745 17746 f09036 17744->17746 17745->17743 
17753 f08f37 17746->17753 17748 f09059 17752 f090e7 17748->17752 17757 f055d3 17748->17757 17752->17743 17754 f08f48 17753->17754 17755 f08fa0 17753->17755 17754->17755 17766 f0e13d 17754->17766 17755->17748 17758 f05613 17757->17758 17759 f055ec 17757->17759 17763 f0e17d 17758->17763 17759->17758 17793 f15f82 17759->17793 17761 f05608 17800 f1538b 17761->17800 17764 f0e05c __fread_nolock 2 API calls 17763->17764 17765 f0e196 17764->17765 17765->17752 17767 f0e151 __fread_nolock 17766->17767 17772 f0e05c 17767->17772 17769 f0e166 17770 f044dc __fread_nolock RtlAllocateHeap 17769->17770 17771 f0e175 17770->17771 17771->17755 17777 f1a6de 17772->17777 17774 f0e06e 17775 f0e08a SetFilePointerEx 17774->17775 17776 f0e076 __fread_nolock 17774->17776 17775->17776 17776->17769 17778 f1a700 17777->17778 17779 f1a6eb 17777->17779 17782 f0d22c __dosmaperr RtlAllocateHeap 17778->17782 17784 f1a725 17778->17784 17790 f0d22c 17779->17790 17785 f1a730 17782->17785 17783 f0d23f __dosmaperr RtlAllocateHeap 17786 f1a6f8 17783->17786 17784->17774 17787 f0d23f __dosmaperr RtlAllocateHeap 17785->17787 17786->17774 17788 f1a738 17787->17788 17789 f047a0 __fread_nolock RtlAllocateHeap 17788->17789 17789->17786 17791 f15d2c __dosmaperr RtlAllocateHeap 17790->17791 17792 f0d231 17791->17792 17792->17783 17794 f15fa3 17793->17794 17795 f15f8e 17793->17795 17794->17761 17796 f0d23f __dosmaperr RtlAllocateHeap 17795->17796 17797 f15f93 17796->17797 17798 f047a0 __fread_nolock RtlAllocateHeap 17797->17798 17799 f15f9e 17798->17799 17799->17761 17802 f15397 __fread_nolock 17800->17802 17801 f153d8 17803 f04723 __fread_nolock RtlAllocateHeap 17801->17803 17802->17801 17804 f1541e 17802->17804 17806 f1539f 17802->17806 17803->17806 17804->17806 17807 f1549c 17804->17807 17806->17758 17808 f154c4 17807->17808 17820 f154e7 __fread_nolock 17807->17820 17809 f154c8 17808->17809 17811 f15523 17808->17811 17810 f04723 __fread_nolock RtlAllocateHeap 17809->17810 17810->17820 17812 f15541 17811->17812 
17814 f0e17d 2 API calls 17811->17814 17821 f14fe1 17812->17821 17814->17812 17816 f155a0 17818 f15609 WriteFile 17816->17818 17816->17820 17817 f15559 17817->17820 17826 f14bb2 17817->17826 17818->17820 17820->17806 17832 f20d44 17821->17832 17823 f14ff3 17825 f15021 17823->17825 17841 f09d10 17823->17841 17825->17816 17825->17817 17827 f14c1b 17826->17827 17828 f09d10 std::_Locinfo::_Locinfo_dtor 2 API calls 17827->17828 17829 f14c2b std::_Locinfo::_Locinfo_dtor std::locale::_Locimp::_Locimp 17827->17829 17828->17829 17830 f184be RtlAllocateHeap RtlAllocateHeap 17829->17830 17831 f14ee1 _ValidateLocalCookies 17829->17831 17830->17829 17831->17820 17833 f20d51 17832->17833 17835 f20d5e 17832->17835 17834 f0d23f __dosmaperr RtlAllocateHeap 17833->17834 17836 f20d56 17834->17836 17837 f20d6a 17835->17837 17838 f0d23f __dosmaperr RtlAllocateHeap 17835->17838 17836->17823 17837->17823 17839 f20d8b 17838->17839 17840 f047a0 __fread_nolock RtlAllocateHeap 17839->17840 17840->17836 17842 f04587 __fread_nolock RtlAllocateHeap 17841->17842 17843 f09d20 17842->17843 17848 f15ef3 17843->17848 17849 f09d3d 17848->17849 17850 f15f0a 17848->17850 17852 f15f51 17849->17852 17850->17849 17856 f1f4f3 17850->17856 17853 f15f68 17852->17853 17854 f09d4a 17852->17854 17853->17854 17865 f1d81e 17853->17865 17854->17825 17857 f1f4ff __fread_nolock 17856->17857 17858 f15bdb __Getctype RtlAllocateHeap 17857->17858 17860 f1f508 std::_Lockit::_Lockit 17858->17860 17859 f1f54e 17859->17849 17860->17859 17861 f1f574 __Getctype RtlAllocateHeap 17860->17861 17862 f1f537 __Getctype 17861->17862 17862->17859 17863 f10259 __Getctype RtlAllocateHeap 17862->17863 17864 f1f573 17863->17864 17866 f15bdb __Getctype RtlAllocateHeap 17865->17866 17867 f1d823 17866->17867 17868 f1d736 std::_Locinfo::_Locinfo_dtor RtlAllocateHeap RtlAllocateHeap 17867->17868 17869 f1d82e 17868->17869 17869->17854 17871 f0480d __fread_nolock 17870->17871 17872 f04814 17871->17872 17874 f04835 __fread_nolock 17871->17874 
17873 f04723 __fread_nolock RtlAllocateHeap 17872->17873 17876 f0482d 17873->17876 17877 f04910 17874->17877 17876->17452 17880 f04942 17877->17880 17879 f04922 17879->17876 17881 f04951 17880->17881 17882 f04979 17880->17882 17883 f04723 __fread_nolock RtlAllocateHeap 17881->17883 17884 f15f82 __fread_nolock RtlAllocateHeap 17882->17884 17885 f0496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17883->17885 17886 f04982 17884->17886 17885->17879 17893 f0e11f 17886->17893 17889 f04a2c 17896 f04cae 17889->17896 17890 f04a43 17890->17885 17904 f04ae3 17890->17904 17911 f0df37 17893->17911 17895 f049a0 17895->17885 17895->17889 17895->17890 17897 f04cbd 17896->17897 17898 f15f82 __fread_nolock RtlAllocateHeap 17897->17898 17899 f04cd9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17898->17899 17900 f0e11f 2 API calls 17899->17900 17903 f04ce5 _ValidateLocalCookies 17899->17903 17901 f04d39 17900->17901 17902 f0e11f 2 API calls 17901->17902 17901->17903 17902->17903 17903->17885 17905 f15f82 __fread_nolock RtlAllocateHeap 17904->17905 17906 f04af6 17905->17906 17907 f04b40 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 17906->17907 17908 f0e11f 2 API calls 17906->17908 17907->17885 17909 f04b9d 17908->17909 17909->17907 17910 f0e11f 2 API calls 17909->17910 17910->17907 17912 f0df43 __fread_nolock 17911->17912 17913 f0df86 17912->17913 17915 f0dfcc 17912->17915 17917 f0df4b 17912->17917 17914 f04723 __fread_nolock RtlAllocateHeap 17913->17914 17914->17917 17916 f0e05c __fread_nolock 2 API calls 17915->17916 17915->17917 17916->17917 17917->17895 17919 e906a9 17918->17919 17923 e90585 17918->17923 17920 e22270 RtlAllocateHeap 17919->17920 17921 e906ae 17920->17921 17922 e221d0 Concurrency::cancel_current_task RtlAllocateHeap 17921->17922 17927 e905aa __fread_nolock std::locale::_Locimp::_Locimp 17922->17927 17925 e905f0 17923->17925 17926 e905e3 17923->17926 17929 e9059a 17923->17929 17924 eff290 std::_Facet_Register RtlAllocateHeap 17924->17927 17925->17927 17930 eff290 
std::_Facet_Register RtlAllocateHeap 17925->17930 17926->17921 17926->17929 17928 f047b0 RtlAllocateHeap 17927->17928 17932 e90667 __fread_nolock std::locale::_Locimp::_Locimp 17927->17932 17931 e906b8 17928->17931 17929->17924 17930->17927 17932->17458 17934 f0dc08 __fread_nolock 17933->17934 17935 f0dc52 __fread_nolock 17934->17935 17936 f0dc1b __fread_nolock 17934->17936 17941 f0dc40 __fread_nolock 17934->17941 17942 f0da06 17935->17942 17937 f0d23f __dosmaperr RtlAllocateHeap 17936->17937 17938 f0dc35 17937->17938 17940 f047a0 __fread_nolock RtlAllocateHeap 17938->17940 17940->17941 17941->17462 17943 f0da35 17942->17943 17946 f0da18 __fread_nolock 17942->17946 17943->17941 17944 f0da25 17945 f0d23f __dosmaperr RtlAllocateHeap 17944->17945 17953 f0da2a 17945->17953 17946->17943 17946->17944 17948 f0da76 __fread_nolock 17946->17948 17947 f047a0 __fread_nolock RtlAllocateHeap 17947->17943 17948->17943 17950 f15f82 __fread_nolock RtlAllocateHeap 17948->17950 17952 f0dba1 __fread_nolock 17948->17952 17955 f14623 17948->17955 18014 f08a2b 17948->18014 17950->17948 17951 f0d23f __dosmaperr RtlAllocateHeap 17951->17953 17952->17951 17953->17947 17956 f14635 17955->17956 17957 f1464d 17955->17957 17958 f0d22c __dosmaperr RtlAllocateHeap 17956->17958 17959 f1498f 17957->17959 17964 f14690 17957->17964 17961 f1463a 17958->17961 17960 f0d22c __dosmaperr RtlAllocateHeap 17959->17960 17962 f14994 17960->17962 17963 f0d23f __dosmaperr RtlAllocateHeap 17961->17963 17965 f0d23f __dosmaperr RtlAllocateHeap 17962->17965 17966 f14642 17963->17966 17964->17966 17967 f1469b 17964->17967 17973 f146cb 17964->17973 17969 f146a8 17965->17969 17966->17948 17968 f0d22c __dosmaperr RtlAllocateHeap 17967->17968 17970 f146a0 17968->17970 17972 f047a0 __fread_nolock RtlAllocateHeap 17969->17972 17971 f0d23f __dosmaperr RtlAllocateHeap 17970->17971 17971->17969 17972->17966 17974 f146e4 17973->17974 17975 f146f1 17973->17975 17976 f1471f 17973->17976 17974->17975 17999 f1470d 17974->17999 
17977 f0d22c __dosmaperr RtlAllocateHeap 17975->17977 18028 f16e2d 17976->18028 17979 f146f6 17977->17979 17981 f0d23f __dosmaperr RtlAllocateHeap 17979->17981 17984 f146fd 17981->17984 17982 f20d44 __fread_nolock RtlAllocateHeap 17997 f1486b 17982->17997 17983 f16db3 ___std_exception_destroy RtlAllocateHeap 17985 f14739 17983->17985 17986 f047a0 __fread_nolock RtlAllocateHeap 17984->17986 17988 f16db3 ___std_exception_destroy RtlAllocateHeap 17985->17988 18013 f14708 __fread_nolock 17986->18013 17987 f148e3 ReadFile 17989 f14957 17987->17989 17990 f148fb 17987->17990 17991 f14740 17988->17991 18001 f14964 17989->18001 18002 f148b5 17989->18002 17990->17989 17992 f148d4 17990->17992 17993 f14765 17991->17993 17994 f1474a 17991->17994 18005 f14920 17992->18005 18006 f14937 17992->18006 17992->18013 17996 f0e13d __fread_nolock 2 API calls 17993->17996 17998 f0d23f __dosmaperr RtlAllocateHeap 17994->17998 17995 f16db3 ___std_exception_destroy RtlAllocateHeap 17995->17966 17996->17999 17997->17987 18000 f1489b 17997->18000 18003 f1474f 17998->18003 17999->17982 18000->17992 18000->18002 18004 f0d23f __dosmaperr RtlAllocateHeap 18001->18004 18002->18013 18034 f0d1e5 18002->18034 18007 f0d22c __dosmaperr RtlAllocateHeap 18003->18007 18008 f14969 18004->18008 18039 f14335 18005->18039 18006->18013 18049 f1417b 18006->18049 18007->18013 18012 f0d22c __dosmaperr RtlAllocateHeap 18008->18012 18012->18013 18013->17995 18015 f08a3c 18014->18015 18018 f08a38 std::locale::_Locimp::_Locimp 18014->18018 18016 f08a43 18015->18016 18020 f08a56 __fread_nolock 18015->18020 18017 f0d23f __dosmaperr RtlAllocateHeap 18016->18017 18019 f08a48 18017->18019 18018->17948 18021 f047a0 __fread_nolock RtlAllocateHeap 18019->18021 18020->18018 18022 f08a84 18020->18022 18024 f08a8d 18020->18024 18021->18018 18023 f0d23f __dosmaperr RtlAllocateHeap 18022->18023 18025 f08a89 18023->18025 18024->18018 18026 f0d23f __dosmaperr RtlAllocateHeap 18024->18026 18027 f047a0 __fread_nolock RtlAllocateHeap 
18025->18027 18026->18025 18027->18018 18029 f16e6b 18028->18029 18030 f16e3b __dosmaperr std::_Facet_Register 18028->18030 18032 f0d23f __dosmaperr RtlAllocateHeap 18029->18032 18030->18029 18031 f16e56 RtlAllocateHeap 18030->18031 18031->18030 18033 f14730 18031->18033 18032->18033 18033->17983 18035 f0d22c __dosmaperr RtlAllocateHeap 18034->18035 18036 f0d1f0 __dosmaperr 18035->18036 18037 f0d23f __dosmaperr RtlAllocateHeap 18036->18037 18038 f0d203 18037->18038 18038->18013 18053 f1402e 18039->18053 18041 f1437d 18041->18013 18042 f14391 __fread_nolock 18042->18041 18048 f0d1e5 __dosmaperr RtlAllocateHeap 18042->18048 18043 f143d7 18043->18042 18047 f0e13d __fread_nolock 2 API calls 18043->18047 18044 f143c7 18046 f0d23f __dosmaperr RtlAllocateHeap 18044->18046 18046->18041 18047->18042 18048->18041 18050 f141b5 18049->18050 18051 f14246 18050->18051 18052 f0e13d __fread_nolock 2 API calls 18050->18052 18051->18013 18052->18051 18054 f14062 18053->18054 18055 f140ce 18054->18055 18056 f0e13d __fread_nolock 2 API calls 18054->18056 18055->18041 18055->18042 18055->18043 18055->18044 18056->18055 18058 f08acf __fread_nolock 18057->18058 18059 f08ad9 18058->18059 18062 f08afc __fread_nolock 18058->18062 18060 f04723 __fread_nolock RtlAllocateHeap 18059->18060 18061 f08af4 18060->18061 18061->17466 18062->18061 18064 f08b5a 18062->18064 18065 f08b67 18064->18065 18066 f08b8a 18064->18066 18067 f04723 __fread_nolock RtlAllocateHeap 18065->18067 18068 f08b82 18066->18068 18069 f055d3 4 API calls 18066->18069 18067->18068 18068->18061 18070 f08ba2 18069->18070 18078 f16ded 18070->18078 18073 f15f82 __fread_nolock RtlAllocateHeap 18074 f08bb6 18073->18074 18082 f14a3f 18074->18082 18077 f16db3 ___std_exception_destroy RtlAllocateHeap 18077->18068 18079 f16e04 18078->18079 18080 f08baa 18078->18080 18079->18080 18081 f16db3 ___std_exception_destroy RtlAllocateHeap 18079->18081 18080->18073 18081->18080 18083 f14a68 18082->18083 18088 f08bbd 18082->18088 18084 f14ab7 
18083->18084 18086 f14a8f 18083->18086 18085 f04723 __fread_nolock RtlAllocateHeap 18084->18085 18085->18088 18089 f149ae 18086->18089 18088->18068 18088->18077 18090 f149ba __fread_nolock 18089->18090 18092 f149f9 18090->18092 18093 f14b12 18090->18093 18092->18088 18094 f1a6de __fread_nolock RtlAllocateHeap 18093->18094 18097 f14b22 18094->18097 18095 f14b28 18105 f1a64d 18095->18105 18097->18095 18098 f14b5a 18097->18098 18099 f1a6de __fread_nolock RtlAllocateHeap 18097->18099 18098->18095 18100 f1a6de __fread_nolock RtlAllocateHeap 18098->18100 18101 f14b51 18099->18101 18102 f14b66 FindCloseChangeNotification 18100->18102 18103 f1a6de __fread_nolock RtlAllocateHeap 18101->18103 18102->18095 18103->18098 18104 f14b80 __fread_nolock 18104->18092 18106 f1a65c 18105->18106 18107 f0d23f __dosmaperr RtlAllocateHeap 18106->18107 18110 f1a686 18106->18110 18108 f1a6c8 18107->18108 18109 f0d22c __dosmaperr RtlAllocateHeap 18108->18109 18109->18110 18110->18104

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • GetCursorPos.USER32(?), ref: 00E83A53
                                  • GetCursorPos.USER32(?), ref: 00E83A59
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00E83DB6), ref: 00E83B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00E83DB6), ref: 00E83BBA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CursorSleep
                                  • String ID:
                                  • API String ID: 4211308429-0
                                  • Opcode ID: 95db7cfec9a3487ce25382a4d25d1ed3d675f644640085c6378ecf76888fa269
                                  • Instruction ID: b02dbafd8d822de8045ff959e7a6dfcf32d10143d32389b03428d1a9794a9b34
                                  • Opcode Fuzzy Hash: 95db7cfec9a3487ce25382a4d25d1ed3d675f644640085c6378ecf76888fa269
                                  • Instruction Fuzzy Hash: 9851CE75A041198FCB28DF68C8D0EA9B3B1FF45B08F29559AD449AF351D731EE05CB80

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: d4415bb2678a5e9c11eb5e88b1a18c136dca9f9d066c4e6b5375664871c93330
                                  • Instruction ID: 79b7c39fce77d68e32868530486a266989b43519767541d5a49d8599183a32e9
                                  • Opcode Fuzzy Hash: d4415bb2678a5e9c11eb5e88b1a18c136dca9f9d066c4e6b5375664871c93330
                                  • Instruction Fuzzy Hash: 2F3192726053116BD7209F259C8976BBBE4EB85738F016F1DF9A8A73E0D3719804CB92

                                  Control-flow Graph

                                  • Executed
                                  • Not Executed
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2220E
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: eab32b943f562d70d5863ea0e895703991a18446330479bed5feb8665a34cc35
                                  • Instruction ID: ae8cc15cf3f3d62894ca46a069ee0f44517381d210be0b1bca848ac53258cec5
                                  • Opcode Fuzzy Hash: eab32b943f562d70d5863ea0e895703991a18446330479bed5feb8665a34cc35
                                  • Instruction Fuzzy Hash: 27012B3550030DABCB14AF98EC029A977EC9E00314F008439FB18EB591EB70E964A791

                                  Control-flow Graph
                                  • Function at e2a210 (graph figure not reproduced; edge list omitted)
                                  APIs
                                  Strings
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID: />
                                  • API String ID: 2638373210-3782486657
                                  • Opcode ID: 613f405078d69c61e7afa1c37658272bacd72fc0c55d0e3bfd55429607f926db
                                  • Instruction ID: 5207932235581cc8bad34de8421368986b5c50a8a6b747b12d9adaf104e066a1
                                  • Opcode Fuzzy Hash: 613f405078d69c61e7afa1c37658272bacd72fc0c55d0e3bfd55429607f926db
                                  • Instruction Fuzzy Hash: 99715870900214AFDB14DF68EC45BAFB7E9EF41704F14856DF809AB282D7B9E9418792

                                  Control-flow Graph
                                  • Function at f14623, calls ReadFile (graph figure not reproduced; edge list omitted)
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 19cf0eefd71166cb62f510b92777136c8afa4b57cee8dc053ce5749408e04845
                                  • Instruction ID: 1586b34f15cb8f03c044df063045f8fd5a3a9577a610e9a2166ded10919de28c
                                  • Opcode Fuzzy Hash: 19cf0eefd71166cb62f510b92777136c8afa4b57cee8dc053ce5749408e04845
                                  • Instruction Fuzzy Hash: 1BB10671E04249AFDB11DFA8D840BFEBBB1AF86324F544158E5549B282C774BD81FB60

                                  Control-flow Graph
                                  • Function at f1549c, calls WriteFile (graph figure not reproduced; edge list omitted)
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00F09087,?,00000000,00000000,00000000,?,00000000,?,00E2A3EB,00F09087,00000000,00E2A3EB,?,?), ref: 00F15622
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: fbd21c2d98e7224b2bfe3df50a123d83b9cd553216ca1c47d175f167c32d04df
                                  • Instruction ID: c790f5d81f0ff709c99c89fad30e406dfeb3fead40c12cd59cceb9b0e84d857a
                                  • Opcode Fuzzy Hash: fbd21c2d98e7224b2bfe3df50a123d83b9cd553216ca1c47d175f167c32d04df
                                  • Instruction Fuzzy Hash: 1761C372D04519EFDF11CFA8CC44EEEBBBAAF89718F540149E904A7205D335D981ABA0

                                  Control-flow Graph
                                  • Function at f04942 (graph figure not reproduced; edge list omitted)
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aecc307ec2b021fa93ff545d67021f98fc702a582b53f0f61bf0f37a024f6f59
                                  • Instruction ID: 5441e602c5e7303d5e46355f10d3cc31ed826ae4dbb4abe37245bc8874a73806
                                  • Opcode Fuzzy Hash: aecc307ec2b021fa93ff545d67021f98fc702a582b53f0f61bf0f37a024f6f59
                                  • Instruction Fuzzy Hash: 5151D7B1B00208AFDF14CF58CC45AAABBB1EF45364F248158F9499B292D375BE41FB90

                                  Control-flow Graph
                                  • Function at e90560 (graph figure not reproduced; edge list omitted)
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E906AE
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 58e506cfc00d3c3ab2b10e81f9d74b94323ab56c43e16216cc7c744f5a420204
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 0F41B172A001189FCF15DF68DC806AE7BE5EF89350F550569F805AB342DB30DE60ABE1

                                  Control-flow Graph
                                  • Function at f14b12, calls FindCloseChangeNotification (graph figure not reproduced; edge list omitted)
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00F149F9,00000000,CF830579,00F51140,0000000C,00F14AB5,00F08BBD,?), ref: 00F14B69
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 9b1cf9dd1e5ae230e640009c12dcba2bed402a95dbed2428f3dbb4deba414159
                                  • Instruction ID: dc6d73cd8d5cc340d6d833f3a0cab5af6babc1881deeb17112a0890a007776a0
                                  • Opcode Fuzzy Hash: 9b1cf9dd1e5ae230e640009c12dcba2bed402a95dbed2428f3dbb4deba414159
                                  • Instruction Fuzzy Hash: DD116633B0D22816C724E274AC45BFE774A8BD27B4F29061DF9288B0C2EE25F8C17195

                                  Control-flow Graph
                                  • Function at f0e05c, calls SetFilePointerEx (graph figure not reproduced; edge list omitted)
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00F50DF8,00E2A3EB,00000002,00E2A3EB,00000000,?,?,?,00F0E166,00000000,?,00E2A3EB,00000002,00F50DF8), ref: 00F0E099
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: b5b4e972b5ce813e3436bae8cef153d4afed02cc1c653ffd8270a2ab4029433b
                                  • Instruction ID: 5ce4e9126ccf6e7ba1657cb4e341831f8b9b31728f6301df91eaa04229d70216
                                  • Opcode Fuzzy Hash: b5b4e972b5ce813e3436bae8cef153d4afed02cc1c653ffd8270a2ab4029433b
                                  • Instruction Fuzzy Hash: 5601D632614119ABCF05CF59CC45D9E3B29DB85334B240648F8519B1D1E6B1E951BBD0

                                  Control-flow Graph
                                  • Function at f163f3, calls RtlAllocateHeap (graph figure not reproduced; edge list omitted)
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00F091F7,00000000,?,00F15D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00F0D244,00F089C3,00F091F7,00000000), ref: 00F16435
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 57b917eea78ff5fd76c29319be16ae228437c5b3d40001d72034a02aa1604c5a
                                  • Instruction ID: 3bdd311eb0078a429a2fc75de3e8095fa5b2402a76ae5f20e7d55d6864e16007
                                  • Opcode Fuzzy Hash: 57b917eea78ff5fd76c29319be16ae228437c5b3d40001d72034a02aa1604c5a
                                  • Instruction Fuzzy Hash: 65F0E93290022466DB21EB629D02BEB3B48AF51774F158015FC08D61C4CB30E891B2F1

                                  Control-flow Graph (basic blocks as address ranges, each followed by its successor blocks)
                                  • 452: f16e2d-f16e39 -> 453, 454
                                  • 453: f16e6b-f16e76 (call f0d23f) -> 461
                                  • 454: f16e3b-f16e3d -> 455, 456
                                  • 455: f16e56-f16e67 (RtlAllocateHeap) -> 458, 459
                                  • 456: f16e3f-f16e40 -> 455
                                  • 458: f16e42-f16e49 (call f13f93) -> 453, 464
                                  • 459: f16e69 -> 461
                                  • 461: f16e78-f16e7a (exit)
                                  • 464: f16e4b-f16e54 (call f117d8) -> 453, 455
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00F1D635,4D88C033,?,00F1D635,00000220,?,00F157EF,4D88C033), ref: 00F16E60
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 0e90ce7ef563a7dedaca3b838c8ff6c26b719bab6defff7395129a5792e341c8
                                  • Instruction ID: e9a63d774361e04c5e61189beefc558a617c10e9bb143e0bdff9b71b68269a36
                                  • Opcode Fuzzy Hash: 0e90ce7ef563a7dedaca3b838c8ff6c26b719bab6defff7395129a5792e341c8
                                  • Instruction Fuzzy Hash: 40E0ED3A9006266ADE3022A5EE10BEB768CDF823B0F050320FD04D20D0CB20C880B7EC
                                  APIs
                                  • GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00E28E0E
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00E28E1B
                                  • GetModuleHandleA.KERNEL32(?), ref: 00E28E85
                                  • GetProcAddress.KERNEL32(00000000,?), ref: 00E28E8C
                                  • CloseHandle.KERNEL32(?), ref: 00E29092
                                  • CloseHandle.KERNEL32(?), ref: 00E290F4
                                  • CloseHandle.KERNEL32(00000000), ref: 00E29121
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Handle$Close$AddressModuleProc
                                  • String ID: File$bkg`$eHlW$l$lwcf$p$t
                                  • API String ID: 4110381430-3184506882
                                  • Opcode ID: 9091102b83599149e82ce9bd28b61c6fbea91f02a7affbcc63be7b8aae466bfd
                                  • Instruction ID: 0d454d004931ca7e96a82758d8ebe79540815df0cb89ef609f4344b1a822753b
                                  • Opcode Fuzzy Hash: 9091102b83599149e82ce9bd28b61c6fbea91f02a7affbcc63be7b8aae466bfd
                                  • Instruction Fuzzy Hash: 19C1DF70D0026D9AEF24CFA4DC85BEEBBB9FF05304F105469E504BB282DB71AA45CB65
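Each function entry on this page lists its resolved calls under APIs and then, under Similarity, an API ID that is a compact fingerprint of those call names (for the entry above, Handle$Close$AddressModuleProc from two GetModuleHandleA, two GetProcAddress and three CloseHandle calls). The Python below is an added example, not Joe Sandbox's code and not part of this report: it parses API bullet lines in exactly the format printed here and reconstructs the API ID by the rule that reproduces every API ID shown in this section (split each name at its uppercase letters, group the tokens by descending call count, sort each group and join the groups with $). The dropped prefixes (Get, Rtl) and dropped A/W suffix are assumptions inferred from these entries alone and may be incomplete for other APIs; the String ID and the numeric API String ID are not reconstructed. The sample input is copied from the APIs list of the entry above.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# One bullet from a Joe Sandbox "APIs" list, as printed on this page, e.g.
#   • GetProcAddress.KERNEL32(00000000,?), ref: 00E28E1B
#   • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F833
API_LINE = re.compile(
    r"^\s*•\s*(?P<name>[^.(]+)\.(?P<module>\w+)"  # symbol, then the module it came from
    r"(?:\((?P<args>[^)]*)\))?"                    # optional argument snapshot
    r",?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"       # call-site address
)

# ASSUMPTION (inferred from the entries on this page only, may be incomplete):
# these prefixes and a trailing A/W are dropped before the name is tokenised.
STRIP_PREFIXES = ("Get", "Rtl")
STRIP_SUFFIXES = ("A", "W")


class ApiCall(NamedTuple):
    name: str
    module: str
    args: List[str]
    ref: int


def parse_api_lines(text: str) -> List[ApiCall]:
    """Parse the bullet lines of one function's APIs list; other lines are ignored."""
    calls: List[ApiCall] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(
            name=m.group("name").strip(),
            module=m.group("module"),
            args=args.split(",") if args is not None else [],
            ref=int(m.group("ref"), 16),
        ))
    return calls


def tokenize(name: str) -> List[str]:
    """Split a symbol name into tokens, one per uppercase-initial word.
    A leading run without uppercase letters ('std::_', '___std_exception_copy')
    is one token, so C++ runtime names survive unchanged."""
    for prefix in STRIP_PREFIXES:
        if name.startswith(prefix) and len(name) > len(prefix) and name[len(prefix)].isupper():
            name = name[len(prefix):]
            break
    for suffix in STRIP_SUFFIXES:
        if name.endswith(suffix) and len(name) > 1 and name[-2].islower():
            name = name[:-1]
            break
    tokens: List[str] = []
    current = ""
    for ch in name:
        if ch.isupper() and current:
            tokens.append(current)
            current = ""
        current += ch
    if current:
        tokens.append(current)
    return tokens


def api_id(calls: List[ApiCall]) -> str:
    """Reconstructed API ID: tokens grouped by descending call count, each group
    sorted and concatenated, groups joined with '$'."""
    counts = Counter(tok for call in calls for tok in tokenize(call.name))
    by_count: Dict[int, List[str]] = {}
    for tok, n in counts.items():
        by_count.setdefault(n, []).append(tok)
    return "$".join("".join(sorted(by_count[n])) for n in sorted(by_count, reverse=True))


def getprocaddress_sites(calls: List[ApiCall]) -> List[int]:
    """Call sites that resolve an export by name at run time (GetProcAddress)."""
    return sorted(c.ref for c in calls if c.name == "GetProcAddress")


# Input copied from the APIs list of the function entry above (ref 00E28E0E onwards).
SAMPLE = """\
• GetModuleHandleA.KERNEL32(?,?,?,?), ref: 00E28E0E
• GetProcAddress.KERNEL32(00000000,?), ref: 00E28E1B
• GetModuleHandleA.KERNEL32(?), ref: 00E28E85
• GetProcAddress.KERNEL32(00000000,?), ref: 00E28E8C
• CloseHandle.KERNEL32(?), ref: 00E29092
• CloseHandle.KERNEL32(?), ref: 00E290F4
• CloseHandle.KERNEL32(00000000), ref: 00E29121
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print("API ID:", api_id(calls))  # Handle$Close$AddressModuleProc
    print("GetProcAddress sites:", [hex(r) for r in getprocaddress_sites(calls)])
```

Regenerating the API ID for an entry and comparing it with the report's own value is a quick check of whether the tokenisation assumed here covers that entry's names; a mismatch points at a prefix or suffix rule not seen on this page. The same parsed list yields the GetProcAddress call sites, which is the fastest way to see how much of a function's imports are resolved at run time instead of through the import table.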
                                  APIs
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA55FC
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA563E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA5686
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA56C7
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA5708
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA5746
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA578E
                                  • GetProcAddress.KERNEL32(00000000,878281BC), ref: 00EA57D6
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA5817
                                  • GetProcAddress.KERNEL32(00000000,92829BBD), ref: 00EA585D
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AddressProc
                                  • String ID: `ic$eIcm$yNrw
                                  • API String ID: 190572456-2666854388
                                  • Opcode ID: 86a20adcc6b54d1d01c12debeb9f873ac98b0b3d25a45bf5c1f0a1b29b0c0570
                                  • Instruction ID: 26c21558885654b5768b888d4b593a509d3127d4bcc205002389c1166a2171d2
                                  • Opcode Fuzzy Hash: 86a20adcc6b54d1d01c12debeb9f873ac98b0b3d25a45bf5c1f0a1b29b0c0570
                                  • Instruction Fuzzy Hash: 0E816CB0C1834CAEDF08DFA4D8456EEBFB9EF46300F50809ED841AB651D779520ADBA5
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 8599618bf8421a068af755f4fd3c5bd1ec1b8610abd7510a5cb7e0b2cf50733d
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: A4024C71E012199BDF14CFA8C8806AEFBF1FF48364F258269D955A7381DB31AD42DB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E8F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E8F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8FA08
                                  • std::_Facet_Register.LIBCPMT ref: 00E8FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: fe7294090611237b26b0d0edb4fd5a97461b95abb5bf5fe5ccbe8aec534d7691
                                  • Instruction ID: edddf34285541e57feae91260793dbe96afe4e68444be5238c1c7a52445bb7b4
                                  • Opcode Fuzzy Hash: fe7294090611237b26b0d0edb4fd5a97461b95abb5bf5fe5ccbe8aec534d7691
                                  • Instruction Fuzzy Hash: 72619E71D003089BEB10EFA4D845BAEBBF4AF54314F145168E90DBB391E774E905CBA2
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3$@3$G>$G>$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-2705522371
                                  • Opcode ID: 941b569fd9b372534b43720e848cea379f200e4c3e487be86c76d6942423ac1f
                                  • Instruction ID: 9c193e03661e311e661bf4aab044759bd87bff4d00b77d912e8bb799c81abe40
                                  • Opcode Fuzzy Hash: 941b569fd9b372534b43720e848cea379f200e4c3e487be86c76d6942423ac1f
                                  • Instruction Fuzzy Hash: 0941D7B2900214AFCB14DF68DC45BAEB7F9EF48710F14852AF915E7741E774AA048FA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: @3$@3$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-3684864891
                                  • Opcode ID: 64c1155f8a9888826ef219a3a4217401c42159e752cab8134caaa9bdaa011c5d
                                  • Instruction ID: ef27cd10cbcd0b5cfde570eb25b9332899fd82c4c889184476310ac7fef79f0a
                                  • Opcode Fuzzy Hash: 64c1155f8a9888826ef219a3a4217401c42159e752cab8134caaa9bdaa011c5d
                                  • Instruction Fuzzy Hash: CD21EEB25007156BC714DF64E805B96B7E8AF04310F58883AFA58A7642E774EA18DF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E24F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E24FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E250C8
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: @3$`!$recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-3572337925
                                  • Opcode ID: 2b9a69c3b1bfa0d381865fbdf330cb6c31409aa6b632432770519b7dcf0bd211
                                  • Instruction ID: cd89ac12825f66d830b6811a158454a4cda269e082b78cad544c5c8aa9b13da6
                                  • Opcode Fuzzy Hash: 2b9a69c3b1bfa0d381865fbdf330cb6c31409aa6b632432770519b7dcf0bd211
                                  • Instruction Fuzzy Hash: F8E104B19002149FDB28DF68EC45BAEBBF9FF44700F144A2DE456A7781D774A904CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$out_of_range$type_error
                                  • API String ID: 2659868963-4040272994
                                  • Opcode ID: 07a31e1575d485ce63107cf4b94ab372cab17ecfe74e090b3c70833e42db892c
                                  • Instruction ID: ddb3e1b346a2632c455f5834395cf01db8d958608bb5068d2a0ebf62d3cccee0
                                  • Opcode Fuzzy Hash: 07a31e1575d485ce63107cf4b94ab372cab17ecfe74e090b3c70833e42db892c
                                  • Instruction Fuzzy Hash: 2FC169B19002188FDB18DFA8E88479DFBF2FF49310F148669E459EB792E7749980CB51
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E232C6
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E23350
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy___std_exception_destroy
                                  • String ID: +4$@3$`!$`!
                                  • API String ID: 2970364248-797261742
                                  • Opcode ID: cb8d67bdaf3631c3bf867aff67256b17223afeea57db475b3a2ba143d3444560
                                  • Instruction ID: 65759c6bf99bcd676b492d2a9cacf7f33d60f1635fdf3eb8b77cc7c8f9e46b12
                                  • Opcode Fuzzy Hash: cb8d67bdaf3631c3bf867aff67256b17223afeea57db475b3a2ba143d3444560
                                  • Instruction Fuzzy Hash: FD518E719102189FDB08CFA8D885BEEBBF5FF48310F14812AE815A7392D7789A45CF91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E23A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00E23AA4
                                  • __Getctype.LIBCPMT ref: 00E23ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00E23AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E23B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: 3c76d7475267286d309b316430108f47342dd7520ab42b16f7d314c3cb66b883
                                  • Instruction ID: 8b277ce00ec62846becfbaeb22aa02aaf31843b854dfcd7d9ccd491de4bb66cd
                                  • Opcode Fuzzy Hash: 3c76d7475267286d309b316430108f47342dd7520ab42b16f7d314c3cb66b883
                                  • Instruction Fuzzy Hash: E35150B1D002589BEB10DFA4DC45B9EBBF8AF14314F145169E909BB381E778EA04DB51
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00F02E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00F02F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00F02F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 6b068ed09a4c9b9bc7e4eece4a127dd5df4daee327261ef60b394e6bbe1985ca
                                  • Instruction ID: 4446ba945c82f459669d658930f36dc23b73c64d22b0a7afb040ee226c32c5d2
                                  • Opcode Fuzzy Hash: 6b068ed09a4c9b9bc7e4eece4a127dd5df4daee327261ef60b394e6bbe1985ca
                                  • Instruction Fuzzy Hash: 5941E630E00209ABCF50DF68CC89A9EBBB5AF44325F148055E9149B3D2DB75EE45FBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00E8DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8DED6
                                  • std::_Facet_Register.LIBCPMT ref: 00E8DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00E8DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E8DF7B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: b0b15a1e2affc74a74216257518afbbd0ff9eb3deb73b49f747dade3abb57075
                                  • Instruction ID: f684e413ea51eb0b897539e284efc3f9e7a857329b545cd4d167d7426794e556
                                  • Opcode Fuzzy Hash: b0b15a1e2affc74a74216257518afbbd0ff9eb3deb73b49f747dade3abb57075
                                  • Instruction Fuzzy Hash: C141C171E042199FCB14EF54DC41AAEBBB4FB04724F144269EA1ABB392D730AD00DBD1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$parse error$parse_error
                                  • API String ID: 2659868963-1090282668
                                  • Opcode ID: 7a810dc789a2c2214f73fb8e95d8e7b696bddb87427a19360a71baf05bdd1a89
                                  • Instruction ID: 73eccc8488515a1544c7b2f7430b507cd7de2adc626cf15972268ac38c9a3437
                                  • Opcode Fuzzy Hash: 7a810dc789a2c2214f73fb8e95d8e7b696bddb87427a19360a71baf05bdd1a89
                                  • Instruction Fuzzy Hash: 38E18E709042188FDB18CF68D885B9DBBF2FF49300F248269E458EB792D7749A81DF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E275BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E275CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column $`!
                                  • API String ID: 4194217158-1910556284
                                  • Opcode ID: 9cee3126e46bba7d0f3090d5d149f81e6b41256bb25eadb4b0a93c6b46638939
                                  • Instruction ID: f1a4cefb22b72449f43d944da465206b8a130bd8e38ee2cf895b601f8247dbc5
                                  • Opcode Fuzzy Hash: 9cee3126e46bba7d0f3090d5d149f81e6b41256bb25eadb4b0a93c6b46638939
                                  • Instruction Fuzzy Hash: 88610471A042189FDB08DF68EC85BADFBB6FF44300F24462CE455A7B82D774AA40DB91
                                  APIs
                                    • Part of subcall function 00E23190: ___std_exception_copy.LIBVCRUNTIME ref: 00E232C6
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4$@3$@3$`!
                                  • API String ID: 2659868963-2319638956
                                  • Opcode ID: 83d5bc14befcc14809a7fff9923f64899a864920fd5d4623842cd20969aaa280
                                  • Instruction ID: a9c11b4f5675c3ef13326b7a82451c6435dd35c5991051ad663e5e61f9de190b
                                  • Opcode Fuzzy Hash: 83d5bc14befcc14809a7fff9923f64899a864920fd5d4623842cd20969aaa280
                                  • Instruction Fuzzy Hash: BC3194719002199FCB18DFA8D841AAEFBF9FF08710F10852AF514E7A41E774AA54DF91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E2345F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: +4$@3$@3$`!
                                  • API String ID: 2659868963-2319638956
                                  • Opcode ID: 4424335e6ac9a0082b184d32fdf35380147a62c479cae05fd148ec0bc7334109
                                  • Instruction ID: c1e088df5a8e6465786e9178781bf7859c2039cd5a94477c73765e20e320c139
                                  • Opcode Fuzzy Hash: 4424335e6ac9a0082b184d32fdf35380147a62c479cae05fd148ec0bc7334109
                                  • Instruction Fuzzy Hash: 97014F76500209AFC704DFA8E801896FBFCBF05310B00843AE52997611EBB4E628DF90
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E26F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00E26F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.$`!
                                  • API String ID: 4194217158-2932383579
                                  • Opcode ID: 6c622cbdc460e3b970bd150d5240e01207666aebc943c58e14544e86142340c4
                                  • Instruction ID: 48adba08bea6bd3e1cd2fdbf4ca052bf784b273308ac14e9665348c1ab4dc37a
                                  • Opcode Fuzzy Hash: 6c622cbdc460e3b970bd150d5240e01207666aebc943c58e14544e86142340c4
                                  • Instruction Fuzzy Hash: CF91E370A002189FDB18CF68D985B9EBBF2FF44300F20866DE415AB792D775AA41CB90
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E277B4
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$invalid_iterator
                                  • API String ID: 2659868963-1518100916
                                  • Opcode ID: a593c55b5f056541eb49bb2f1b6ffd6cde8b698a186152b76a5c812f55306841
                                  • Instruction ID: 00e65235b09eae74e274c918c41551fe088134bb5fdde04ab83015e9221f09a8
                                  • Opcode Fuzzy Hash: a593c55b5f056541eb49bb2f1b6ffd6cde8b698a186152b76a5c812f55306841
                                  • Instruction Fuzzy Hash: 7F514AB09002188FDB18CF68E88479DFBF1FF49310F14866AE459EB792E7749980CB94
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E27D67
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!$other_error
                                  • API String ID: 2659868963-2644867674
                                  • Opcode ID: 5d1636e28fa67f2107719020437dc496fde5f13289f1dde8bcc844f75bbc0622
                                  • Instruction ID: 1376918ab173513a550c89a191be5d7b981cf396c629d345932b35cf89d6cc9a
                                  • Opcode Fuzzy Hash: 5d1636e28fa67f2107719020437dc496fde5f13289f1dde8bcc844f75bbc0622
                                  • Instruction Fuzzy Hash: D9516BB09002588FDB18CFA8E88479DFBF1FF49300F148669E459EB792D774A984CB51
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E8D06F
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E8D096
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 73999430599f08e79885edc71edc38918d40805b10b7029058dc1838a2fdef63
                                  • Instruction ID: 803e7154287e4386bdd47d106ad582b7d269e830daa559e4878833b2715db83a
                                  • Opcode Fuzzy Hash: 73999430599f08e79885edc71edc38918d40805b10b7029058dc1838a2fdef63
                                  • Instruction Fuzzy Hash: 5301A4B6500616AFC704DF59D505982FBF8FB49710704853BA929CBB11E7B0E528DFA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E9B3DF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E9B406
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 85198b0f4d25c001fee0b32d0b5a39a20c76fc956bd22bbb2b2e849715ce8908
                                  • Instruction ID: b6eb54f067dd5123c54f6e130b01c5dad0c46cba8f61e5494eb96c41ac7d66df
                                  • Opcode Fuzzy Hash: 85198b0f4d25c001fee0b32d0b5a39a20c76fc956bd22bbb2b2e849715ce8908
                                  • Instruction Fuzzy Hash: B9F0C4B6500616AF8708DF58D505986BBF8FB45710705853BE52ACBB01E7B0E528DBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00E22275
                                    • Part of subcall function 00EFD6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 00EFD6F5
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
                                  • String ID: string too long$)
                                  • API String ID: 1997705970-906081222
                                  • Opcode ID: bcd7d4183c767adb930f9acbba96b35754209002afc9e4f0d376d8301899b119
                                  • Instruction ID: 2d7a99db14ea08e8806ebd7182c340b27fcc3c6c3fab88be1272cad1caa83779
                                  • Opcode Fuzzy Hash: bcd7d4183c767adb930f9acbba96b35754209002afc9e4f0d376d8301899b119
                                  • Instruction Fuzzy Hash: 3C813275A0429AAFCB02CF68C4507EDBFF1EF5A300F1841AECA94A7742C3359545CBA0
                                  APIs
                                  • std::_Xinvalid_argument.LIBCPMT ref: 00E9B612
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Xinvalid_argumentstd::_
                                  • String ID: Px$invalid hash bucket count
                                  • API String ID: 909987262-1779506432
                                  • Opcode ID: 37a2cd6eecc92ff53301f3383126d605a5c14ff7059684deb759e1f968a0e16a
                                  • Instruction ID: 8f2ce83f6dfd477ea7d6ec6f6a224365b40125daf9ee55e6aaa316681e618c9e
                                  • Opcode Fuzzy Hash: 37a2cd6eecc92ff53301f3383126d605a5c14ff7059684deb759e1f968a0e16a
                                  • Instruction Fuzzy Hash: 9D7102B4A00619DFCB14CF49D280869FBF6FF88314725C5AAD859AB356D731EA41CF90
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00E9E491
                                  Strings
                                  • type must be string, but is , xrefs: 00E9E4F8
                                  • type must be boolean, but is , xrefs: 00E9E582
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 354e5571da3c5cefc0e48bbb9622d531af7749b882e3575be750a5a63d52cb40
                                  • Instruction ID: aaea65f4c193baca37a67387fc6f9003876c1c31060a09e5ae6ba120b5db35ea
                                  • Opcode Fuzzy Hash: 354e5571da3c5cefc0e48bbb9622d531af7749b882e3575be750a5a63d52cb40
                                  • Instruction Fuzzy Hash: E6413CB1900248AFDB14EBA4E802B9E77E8DB00314F144679F619F7792EB35E944C792
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00E23078
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3319651891.0000000000E21000.00000040.00000001.01000000.00000005.sdmp, Offset: 00E20000, based on PE: true
                                  • Associated: 0000000A.00000002.3319624486.0000000000E20000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319651891.0000000000F53000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319884627.0000000000F58000.00000008.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000000F5C000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000010DF000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.0000000001171000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011A7000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3319930362.00000000011B6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320409253.00000000011B7000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320607317.0000000001311000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 0000000A.00000002.3320641568.0000000001312000.00000080.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_e20000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: `!$`!
                                  • API String ID: 2659868963-1501952390
                                  • Opcode ID: 00599af393aa1bf7e6d0f0448e1ad4590a0aae8e106d7a35474f25a8210d0728
                                  • Instruction ID: 6532ee06e612f181bbec3c8f70d4044cdb6382071e6c8136134e768e3bc8d89a
                                  • Opcode Fuzzy Hash: 00599af393aa1bf7e6d0f0448e1ad4590a0aae8e106d7a35474f25a8210d0728
                                  • Instruction Fuzzy Hash: 88E012B29113189BC710DFA8D9059CAFFF8AB19701F0486BAE948D7301FAB1D5549BD1