Edit tour

Windows Analysis Report
LisectAVT_2403002A_228.exe

Overview

General Information

Sample name:	LisectAVT_2403002A_228.exe
Analysis ID:	1482398
MD5:	ce5a350b93125774aa74515271c6d8ad
SHA1:	4e7f67212bd95ece241d4914be2cdbf9d5dc9573
SHA256:	5dbdcfb4702811e2f7cdac39ba83dccdc4a16dfa6b29a02b3879a1a70b3019dd
Tags:	exe
Infos:

Detection

RisePro Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Detected unpacking (changes PE section rights)

Yara detected RisePro Stealer

AI detected suspicious sample

Connects to many ports of the same IP (likely port scanning)

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Hides threads from debuggers

Machine Learning detection for dropped file

Machine Learning detection for sample

PE file contains section with special chars

Potentially malicious time measurement code found

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality for execution timing, often used to detect debuggers

Contains functionality to read the PEB

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Entry point lies outside standard sections

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

LisectAVT_2403002A_228.exe (PID: 6740 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_228.exe" MD5: CE5A350B93125774AA74515271C6D8AD)

schtasks.exe (PID: 2736 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 5888 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2472 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 2720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

MPGPH131.exe (PID: 4948 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: CE5A350B93125774AA74515271C6D8AD)

MPGPH131.exe (PID: 344 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: CE5A350B93125774AA74515271C6D8AD)

RageMP131.exe (PID: 7252 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: CE5A350B93125774AA74515271C6D8AD)

RageMP131.exe (PID: 7556 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: CE5A350B93125774AA74515271C6D8AD)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: LisectAVT_2403002A_228.exe PID: 6740	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 4948	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: MPGPH131.exe PID: 344	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7252	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Process Memory Space: RageMP131.exe PID: 7556	JoeSecurity_RiseProStealer	Yara detected RisePro Stealer	Joe Security
Click to see the 10 entries

Sigma Signatures

System Summary

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe, ProcessId: 6740, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131

Snort Signatures

⊘No Snort rule has matched

Suricata Signatures

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:05.139725+0200
SID:	2049060
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:24.342287+0200
SID:	2046269
Source Port:	49740
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:12.593647+0200
SID:	2049060
Source Port:	49735
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:15.575871+0200
SID:	2046269
Source Port:	49735
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:08.131869+0200
SID:	2046269
Source Port:	49731
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:00.403951+0200
SID:	2046269
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE [ANY.RUN] RisePro TCP (Activity) - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:24:08.131731+0200
SID:	2046269
Source Port:	49732
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T22:24:51.619679+0200
SID:	2022930
Source Port:	443
Destination Port:	49741
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET MALWARE RisePro TCP Heartbeat Packet - Source IP: 192.168.2.4 - Destination IP: 193.233.132.74

Timestamp:	2024-07-25T22:23:57.416907+0200
SID:	2049060
Source Port:	49730
Destination Port:	58709
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow - Source IP: 40.68.123.157 - Destination IP: 192.168.2.4

Timestamp:	2024-07-25T22:24:13.208194+0200
SID:	2022930
Source Port:	443
Destination Port:	49733
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: LisectAVT_2403002A_228.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Avira: detection malicious, Label: TR/Redcap.hkdqs
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Avira: detection malicious, Label: TR/Redcap.hkdqs

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LisectAVT_2403002A_228.exe

Joe Sandbox ML: detected

Source: LisectAVT_2403002A_228.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Connects to many ports of the same IP (likely port scanning)

Source: global traffic

TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 193.233.132.74:58709

Source: Joe Sandbox View

IP Address: 193.233.132.74 193.233.132.74

Source: Joe Sandbox View

ASN Name: FREE-NET-ASFREEnetEU FREE-NET-ASFREEnetEU

Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74
Source: unknown	TCP traffic detected without corresponding DNS query: 193.233.132.74

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Code function: 0_2_0067E0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket,

0_2_0067E0A0

Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4130773514.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORT
Source: MPGPH131.exe, 00000005.00000002.4131028142.000000000144D000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTHr
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://t.me/RiseProSUPPORTmJ

System Summary

PE file contains section with special chars

Source: LisectAVT_2403002A_228.exe	Static PE information: section name:
Source: LisectAVT_2403002A_228.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002A_228.exe	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00759824	0_2_00759824
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006D50B0	0_2_006D50B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006E9880	0_2_006E9880
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006691A0	0_2_006691A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006D73F0	0_2_006D73F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_0074646A	0_2_0074646A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00742CE0	0_2_00742CE0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006624F0	0_2_006624F0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_007484A0	0_2_007484A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00668D70	0_2_00668D70
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006E6550	0_2_006E6550
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006E55B0	0_2_006E55B0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_0074BEAF	0_2_0074BEAF
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_0075F771	0_2_0075F771
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00679F50	0_2_00679F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00189824	5_2_00189824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00119880	5_2_00119880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001050B0	5_2_001050B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000991A0	5_2_000991A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001073F0	5_2_001073F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0017646A	5_2_0017646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001784A0	5_2_001784A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00172CE0	5_2_00172CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000924F0	5_2_000924F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00116550	5_2_00116550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_00098D70	5_2_00098D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_001155B0	5_2_001155B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0017BEAF	5_2_0017BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000A9F50	5_2_000A9F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00189824	6_2_00189824
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00119880	6_2_00119880
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001050B0	6_2_001050B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000991A0	6_2_000991A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001073F0	6_2_001073F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0017646A	6_2_0017646A
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001784A0	6_2_001784A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00172CE0	6_2_00172CE0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000924F0	6_2_000924F0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00116550	6_2_00116550
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_00098D70	6_2_00098D70
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_001155B0	6_2_001155B0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0017BEAF	6_2_0017BEAF
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000A9F50	6_2_000A9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00299824	7_2_00299824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002150B0	7_2_002150B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00229880	7_2_00229880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_001A91A0	7_2_001A91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002173F0	7_2_002173F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0028646A	7_2_0028646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002884A0	7_2_002884A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00282CE0	7_2_00282CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_001A24F0	7_2_001A24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_001A8D70	7_2_001A8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00226550	7_2_00226550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_002255B0	7_2_002255B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0028BEAF	7_2_0028BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_001B9F50	7_2_001B9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_0029F771	7_2_0029F771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00299824	9_2_00299824
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_002150B0	9_2_002150B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00229880	9_2_00229880
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_001A91A0	9_2_001A91A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_002173F0	9_2_002173F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0028646A	9_2_0028646A
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_002884A0	9_2_002884A0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00282CE0	9_2_00282CE0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_001A24F0	9_2_001A24F0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_001A8D70	9_2_001A8D70
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00226550	9_2_00226550
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_002255B0	9_2_002255B0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0028BEAF	9_2_0028BEAF
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_001B9F50	9_2_001B9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_0029F771	9_2_0029F771

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: String function: 0027FED0 appears 52 times
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: String function: 0016FED0 appears 52 times

Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4134077909.0000000004E90000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe
Source: LisectAVT_2403002A_228.exe	Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_228.exe

Source: LisectAVT_2403002A_228.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: LisectAVT_2403002A_228.exe	Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: LisectAVT_2403002A_228.exe	Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919
Source: RageMP131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: RageMP131.exe.0.dr	Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919
Source: MPGPH131.exe.0.dr	Static PE information: Section: ZLIB complexity 0.9992069128787879
Source: MPGPH131.exe.0.dr	Static PE information: Section: ycahdotv ZLIB complexity 0.9896050219265919

Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: AT;.CMD;.VBS;.VBpg

Source: classification engine

Classification label: mal100.troj.evad.winEXE@11/5@0/1

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

File created: C:\Users\user\AppData\Local\RageMP131

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5888:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Command line argument: nIv	0_2_007648C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Command line argument: nI*	7_2_002A48C0
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Command line argument: nI*	9_2_002A48C0

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');

Source: LisectAVT_2403002A_228.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe	String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

File read: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe "C:\Users\user\Desktop\LisectAVT_2403002A_228.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown	Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Section loaded: devobj.dll	Jump to behavior

Source: LisectAVT_2403002A_228.exe

Static file information: File size 2337286 > 1048576

Source: LisectAVT_2403002A_228.exe

Static PE information: Raw size of ycahdotv is bigger than: 0x100000 < 0x1a8000

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Unpacked PE file: 0.2.LisectAVT_2403002A_228.exe.660000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 5.2.MPGPH131.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Unpacked PE file: 6.2.MPGPH131.exe.90000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 7.2.RageMP131.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Unpacked PE file: 9.2.RageMP131.exe.1a0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW; vs :ER;.rsrc:W;.idata :W; :EW;ycahdotv:EW;urypsrur:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: urypsrur

Source: RageMP131.exe.0.dr	Static PE information: real checksum: 0x24412a should be: 0x244130
Source: MPGPH131.exe.0.dr	Static PE information: real checksum: 0x24412a should be: 0x244130
Source: LisectAVT_2403002A_228.exe	Static PE information: real checksum: 0x24412a should be: 0x244130

Source: LisectAVT_2403002A_228.exe	Static PE information: section name:
Source: LisectAVT_2403002A_228.exe	Static PE information: section name: .idata
Source: LisectAVT_2403002A_228.exe	Static PE information: section name:
Source: LisectAVT_2403002A_228.exe	Static PE information: section name: ycahdotv
Source: LisectAVT_2403002A_228.exe	Static PE information: section name: urypsrur
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: .idata
Source: RageMP131.exe.0.dr	Static PE information: section name:
Source: RageMP131.exe.0.dr	Static PE information: section name: ycahdotv
Source: RageMP131.exe.0.dr	Static PE information: section name: urypsrur
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr	Static PE information: section name:
Source: MPGPH131.exe.0.dr	Static PE information: section name: ycahdotv
Source: MPGPH131.exe.0.dr	Static PE information: section name: urypsrur

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC032 push 5BB0774Eh; mov dword ptr [esp], esi	0_2_00BFC0D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC032 push 1E266FA6h; mov dword ptr [esp], ebx	0_2_00BFC0E7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC000 push edi; mov dword ptr [esp], 572ECACCh	0_2_00BFC001
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC000 push edi; mov dword ptr [esp], eax	0_2_00BFC00C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC000 push 5BB0774Eh; mov dword ptr [esp], esi	0_2_00BFC0D4
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC000 push 1E266FA6h; mov dword ptr [esp], ebx	0_2_00BFC0E7
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC181 push 61718D2Ch; mov dword ptr [esp], edx	0_2_00BFC186
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC181 push edx; mov dword ptr [esp], edi	0_2_00BFC19F
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC181 push ebp; mov dword ptr [esp], 778D7D56h	0_2_00BFC1A9
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC181 push 38B89D2Ch; mov dword ptr [esp], edx	0_2_00BFC1F8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00BFC181 push eax; mov dword ptr [esp], 0A15BB94h	0_2_00BFC26B
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_0073FA97 push ecx; ret	0_2_0073FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C032 push 5BB0774Eh; mov dword ptr [esp], esi	5_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C032 push 1E266FA6h; mov dword ptr [esp], ebx	5_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C000 push edi; mov dword ptr [esp], 572ECACCh	5_2_0062C001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C000 push edi; mov dword ptr [esp], eax	5_2_0062C00C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C000 push 5BB0774Eh; mov dword ptr [esp], esi	5_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C000 push 1E266FA6h; mov dword ptr [esp], ebx	5_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C181 push 61718D2Ch; mov dword ptr [esp], edx	5_2_0062C186
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C181 push edx; mov dword ptr [esp], edi	5_2_0062C19F
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C181 push ebp; mov dword ptr [esp], 778D7D56h	5_2_0062C1A9
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C181 push 38B89D2Ch; mov dword ptr [esp], edx	5_2_0062C1F8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0062C181 push eax; mov dword ptr [esp], 0A15BB94h	5_2_0062C26B
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0016FA97 push ecx; ret	5_2_0016FAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C032 push 5BB0774Eh; mov dword ptr [esp], esi	6_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C032 push 1E266FA6h; mov dword ptr [esp], ebx	6_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C000 push edi; mov dword ptr [esp], 572ECACCh	6_2_0062C001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C000 push edi; mov dword ptr [esp], eax	6_2_0062C00C
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C000 push 5BB0774Eh; mov dword ptr [esp], esi	6_2_0062C0D4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C000 push 1E266FA6h; mov dword ptr [esp], ebx	6_2_0062C0E7
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_0062C181 push 61718D2Ch; mov dword ptr [esp], edx	6_2_0062C186

Source: LisectAVT_2403002A_228.exe	Static PE information: section name: entropy: 7.988928375890931
Source: LisectAVT_2403002A_228.exe	Static PE information: section name: ycahdotv entropy: 7.949088772265462
Source: RageMP131.exe.0.dr	Static PE information: section name: entropy: 7.988928375890931
Source: RageMP131.exe.0.dr	Static PE information: section name: ycahdotv entropy: 7.949088772265462
Source: MPGPH131.exe.0.dr	Static PE information: section name: entropy: 7.988928375890931
Source: MPGPH131.exe.0.dr	Static PE information: section name: ycahdotv entropy: 7.949088772265462

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe			Jump to dropped file
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	File created: C:\ProgramData\MPGPH131\MPGPH131.exe			Jump to dropped file

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

File created: C:\ProgramData\MPGPH131\MPGPH131.exe

Jump to dropped file

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Regmonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: Filemonclass	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)

Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_5-19795
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_0-19646
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Evasive API call chain: GetPEB, DecisionNodes, Sleep	graph_7-18875

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_CURRENT_USER\Software\Wine	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 7A02DD second address: 7A02E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 7A02E1 second address: 7A02E7 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 79FBA3 second address: 79FBA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8FFD72 second address: 8FFD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 90F517 second address: 90F53C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edx 0x0000000b pop edx 0x0000000c jp 00007F33ECB900D6h 0x00000012 jl 00007F33ECB900D6h 0x00000018 popad 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 90F53C second address: 90F549 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 91276E second address: 912772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 912772 second address: 912776 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 912776 second address: 9127D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov esi, dword ptr [ebp+122D2ADDh] 0x0000000f push 00000000h 0x00000011 mov dword ptr [ebp+122D1AEDh], ebx 0x00000017 call 00007F33ECB900D9h 0x0000001c jmp 00007F33ECB900E5h 0x00000021 push eax 0x00000022 jng 00007F33ECB900DEh 0x00000028 mov eax, dword ptr [esp+04h] 0x0000002c ja 00007F33ECB900DEh 0x00000032 mov eax, dword ptr [eax] 0x00000034 push ebx 0x00000035 pushad 0x00000036 pushad 0x00000037 popad 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 912881 second address: 91289B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC496h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 91289B second address: 91289F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 91289F second address: 9128AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push esi 0x0000000c pushad 0x0000000d popad 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9128AE second address: 91292D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F33ECB900E1h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push eax 0x0000000f call 00007F33ECB900D8h 0x00000014 pop eax 0x00000015 mov dword ptr [esp+04h], eax 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc eax 0x00000022 push eax 0x00000023 ret 0x00000024 pop eax 0x00000025 ret 0x00000026 push 00000000h 0x00000028 mov edi, dword ptr [ebp+122D2AB5h] 0x0000002e call 00007F33ECB900D9h 0x00000033 jne 00007F33ECB900E8h 0x00000039 push eax 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d jmp 00007F33ECB900E8h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 91292D second address: 91293C instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push esi 0x0000000c pop esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 91293C second address: 912954 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007F33ECB900E2h 0x00000010 js 00007F33ECB900DCh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 912954 second address: 912963 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, dword ptr [eax] 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F33ECEDC486h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 912963 second address: 912988 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F33ECB900DCh 0x00000016 jnc 00007F33ECB900D6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 924240 second address: 924244 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 924244 second address: 924248 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9331C2 second address: 9331C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9331C7 second address: 9331D3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 ja 00007F33ECB900D6h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 906A00 second address: 906A04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 906A04 second address: 906A14 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F33ECB900D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931034 second address: 9310A1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F33ECEDC498h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F33ECEDC496h 0x00000011 push edi 0x00000012 pop edi 0x00000013 pop esi 0x00000014 push eax 0x00000015 jne 00007F33ECEDC486h 0x0000001b jmp 00007F33ECEDC499h 0x00000020 pop eax 0x00000021 js 00007F33ECEDC48Eh 0x00000027 push eax 0x00000028 pop eax 0x00000029 jnl 00007F33ECEDC486h 0x0000002f popad 0x00000030 push eax 0x00000031 push edx 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9310A1 second address: 9310A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9310A7 second address: 9310AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931260 second address: 931273 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931273 second address: 931287 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECEDC48Eh 0x00000008 pushad 0x00000009 popad 0x0000000a js 00007F33ECEDC486h 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 pop esi 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93140E second address: 931412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931412 second address: 931428 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F33ECEDC486h 0x00000014 push eax 0x00000015 pop eax 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931428 second address: 931438 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DCh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931438 second address: 93144E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jnp 00007F33ECEDC486h 0x0000000f pop eax 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93144E second address: 931454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931454 second address: 931465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jc 00007F33ECEDC48Ch 0x0000000b jne 00007F33ECEDC486h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9315B9 second address: 9315BE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9316E9 second address: 9316EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9316EF second address: 931700 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F33ECB900DCh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931700 second address: 93171A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F33ECEDC495h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93187A second address: 931883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931883 second address: 931897 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931897 second address: 9318BB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E5h 0x00000007 jc 00007F33ECB900D6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push edx 0x00000011 pop edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9318BB second address: 9318CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931A1D second address: 931AA5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33ECB900DBh 0x0000000f jmp 00007F33ECB900E0h 0x00000014 jl 00007F33ECB900D6h 0x0000001a popad 0x0000001b jns 00007F33ECB900DCh 0x00000021 popad 0x00000022 pushad 0x00000023 jnp 00007F33ECB900DAh 0x00000029 pushad 0x0000002a jmp 00007F33ECB900E7h 0x0000002f jmp 00007F33ECB900E3h 0x00000034 pushad 0x00000035 popad 0x00000036 popad 0x00000037 jbe 00007F33ECB900E8h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931C66 second address: 931C6A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931C6A second address: 931C7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33ECB900DBh 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931DF9 second address: 931E01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 931E01 second address: 931E0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edx 0x00000008 pop edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932086 second address: 9320B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F33ECEDC486h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 jmp 00007F33ECEDC499h 0x00000018 pop edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9275BC second address: 9275C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9275C0 second address: 9275C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9275C4 second address: 9275CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9275CC second address: 9275F7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33ECEDC488h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F33ECEDC490h 0x00000010 jng 00007F33ECEDC48Ah 0x00000016 push edx 0x00000017 pop edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c push ebx 0x0000001d pop ebx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932327 second address: 93233D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F33ECB900DEh 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93233D second address: 932347 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932347 second address: 93234B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93234B second address: 932384 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECEDC486h 0x00000008 jmp 00007F33ECEDC498h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jbe 00007F33ECEDC48Ah 0x00000018 push eax 0x00000019 push edx 0x0000001a jnc 00007F33ECEDC486h 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932384 second address: 932388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932865 second address: 93286A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93286A second address: 93288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007F33ECB900DBh 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F33ECB900DCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9329FD second address: 932A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 jmp 00007F33ECEDC491h 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932A18 second address: 932A1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 932D59 second address: 932D63 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 933049 second address: 93304F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93304F second address: 933053 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 937A37 second address: 937A54 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 937EA3 second address: 937EAD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 937EAD second address: 937EC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e jc 00007F33ECB900D6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 937EC2 second address: 937ECD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F33ECEDC486h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 936FE8 second address: 936FEE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8FFD6B second address: 8FFD72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93CDD8 second address: 93CDDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93D201 second address: 93D21C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC494h 0x00000009 push edx 0x0000000a pop edx 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9409E7 second address: 9409F1 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9409F1 second address: 9409F6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E51 second address: 940E56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E56 second address: 940E5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E5C second address: 940E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007F33ECB900E2h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E7B second address: 940E80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E80 second address: 940E85 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940E85 second address: 940E8B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940F98 second address: 940F9E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 941592 second address: 9415C0 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECEDC48Ch 0x00000008 jg 00007F33ECEDC486h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 xchg eax, ebx 0x00000011 jmp 00007F33ECEDC493h 0x00000016 nop 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a jp 00007F33ECEDC486h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9415C0 second address: 9415EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E3h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jg 00007F33ECB900D6h 0x00000012 popad 0x00000013 popad 0x00000014 push eax 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 pushad 0x00000019 popad 0x0000001a jnc 00007F33ECB900D6h 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94183F second address: 941843 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 941AFB second address: 941B05 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F33ECB900DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 941B05 second address: 941B13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push esi 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 941B13 second address: 941B18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 941FEA second address: 942003 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942003 second address: 942007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942007 second address: 942023 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC498h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942023 second address: 942029 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942029 second address: 9420BD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ecx 0x0000000c call 00007F33ECEDC488h 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], ecx 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ecx 0x0000001f push ecx 0x00000020 ret 0x00000021 pop ecx 0x00000022 ret 0x00000023 call 00007F33ECEDC48Eh 0x00000028 or dword ptr [ebp+122D1A84h], ecx 0x0000002e pop esi 0x0000002f mov di, cx 0x00000032 push 00000000h 0x00000034 mov dword ptr [ebp+122D39A9h], ecx 0x0000003a push eax 0x0000003b jmp 00007F33ECEDC495h 0x00000040 pop esi 0x00000041 push 00000000h 0x00000043 push 00000000h 0x00000045 push eax 0x00000046 call 00007F33ECEDC488h 0x0000004b pop eax 0x0000004c mov dword ptr [esp+04h], eax 0x00000050 add dword ptr [esp+04h], 00000019h 0x00000058 inc eax 0x00000059 push eax 0x0000005a ret 0x0000005b pop eax 0x0000005c ret 0x0000005d mov edi, dword ptr [ebp+122D29A9h] 0x00000063 push eax 0x00000064 pushad 0x00000065 push eax 0x00000066 push edx 0x00000067 ja 00007F33ECEDC486h 0x0000006d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942A13 second address: 942A3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900DFh 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECB900E1h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 942A3C second address: 942A40 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 944B8B second address: 944B91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 944B91 second address: 944BA3 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F33ECEDC486h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 944BA3 second address: 944BA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 944BA7 second address: 944BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F33ECEDC494h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 944BC8 second address: 944BCC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 947C9C second address: 947CA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 947CA0 second address: 947CAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94B81B second address: 94B821 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94D47A second address: 94D47E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94F43A second address: 94F455 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94F455 second address: 94F45B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94E660 second address: 94E664 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94E664 second address: 94E671 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94E671 second address: 94E675 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 950538 second address: 95053C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 95053C second address: 950550 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC490h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 950550 second address: 9505C5 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F33ECB900DCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push ebx 0x0000000e call 00007F33ECB900D8h 0x00000013 pop ebx 0x00000014 mov dword ptr [esp+04h], ebx 0x00000018 add dword ptr [esp+04h], 0000001Dh 0x00000020 inc ebx 0x00000021 push ebx 0x00000022 ret 0x00000023 pop ebx 0x00000024 ret 0x00000025 jns 00007F33ECB900DCh 0x0000002b push 00000000h 0x0000002d sbb ebx, 61CEC8DBh 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push eax 0x00000038 call 00007F33ECB900D8h 0x0000003d pop eax 0x0000003e mov dword ptr [esp+04h], eax 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc eax 0x0000004b push eax 0x0000004c ret 0x0000004d pop eax 0x0000004e ret 0x0000004f add di, 2000h 0x00000054 push eax 0x00000055 push ebx 0x00000056 push eax 0x00000057 push edx 0x00000058 push esi 0x00000059 pop esi 0x0000005a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 95159E second address: 95161E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F33ECEDC490h 0x0000000a popad 0x0000000b push eax 0x0000000c jmp 00007F33ECEDC493h 0x00000011 nop 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007F33ECEDC488h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 00000018h 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c push 00000000h 0x0000002e mov edi, dword ptr [ebp+122D2AD1h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F33ECEDC488h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 push eax 0x00000051 push eax 0x00000052 push edx 0x00000053 push eax 0x00000054 push edx 0x00000055 pushad 0x00000056 popad 0x00000057 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 95161E second address: 951622 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 951622 second address: 951628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 952803 second address: 952807 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9545DB second address: 954616 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 nop 0x00000006 sbb ebx, 2BF970A5h 0x0000000c push 00000000h 0x0000000e call 00007F33ECEDC494h 0x00000013 pop edi 0x00000014 sbb ebx, 7342D511h 0x0000001a push 00000000h 0x0000001c mov edi, dword ptr [ebp+122D2B45h] 0x00000022 xchg eax, esi 0x00000023 pushad 0x00000024 je 00007F33ECEDC48Ch 0x0000002a push eax 0x0000002b push edx 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 954616 second address: 954638 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900E6h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 954638 second address: 95464F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9555D2 second address: 9555F5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F33ECB900E6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9555F5 second address: 955669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 push edi 0x00000008 call 00007F33ECEDC493h 0x0000000d stc 0x0000000e pop edi 0x0000000f pop edi 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push edx 0x00000015 call 00007F33ECEDC488h 0x0000001a pop edx 0x0000001b mov dword ptr [esp+04h], edx 0x0000001f add dword ptr [esp+04h], 0000001Ah 0x00000027 inc edx 0x00000028 push edx 0x00000029 ret 0x0000002a pop edx 0x0000002b ret 0x0000002c xor dword ptr [ebp+12478329h], edi 0x00000032 add edi, dword ptr [ebp+122D194Bh] 0x00000038 or dword ptr [ebp+124546ECh], edx 0x0000003e push 00000000h 0x00000040 mov edi, dword ptr [ebp+122D2B15h] 0x00000046 xchg eax, esi 0x00000047 jmp 00007F33ECEDC492h 0x0000004c push eax 0x0000004d push edi 0x0000004e pushad 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9557AE second address: 9557CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F33ECB900D6h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F33ECB900D6h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push esi 0x0000001a ja 00007F33ECB900D6h 0x00000020 pop esi 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9557CF second address: 9557E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC493h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 957661 second address: 957665 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 957665 second address: 957669 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 957669 second address: 9576FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d jmp 00007F33ECB900DEh 0x00000012 pop eax 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push edx 0x00000017 call 00007F33ECB900D8h 0x0000001c pop edx 0x0000001d mov dword ptr [esp+04h], edx 0x00000021 add dword ptr [esp+04h], 0000001Dh 0x00000029 inc edx 0x0000002a push edx 0x0000002b ret 0x0000002c pop edx 0x0000002d ret 0x0000002e mov ebx, dword ptr [ebp+122D1A70h] 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push ebx 0x00000039 call 00007F33ECB900D8h 0x0000003e pop ebx 0x0000003f mov dword ptr [esp+04h], ebx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ebx 0x0000004c push ebx 0x0000004d ret 0x0000004e pop ebx 0x0000004f ret 0x00000050 push 00000000h 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 js 00007F33ECB900EEh 0x0000005b jmp 00007F33ECB900E8h 0x00000060 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 95AB18 second address: 95AB25 instructions: 0x00000000 rdtsc 0x00000002 je 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8FC859 second address: 8FC85D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965D46 second address: 965D4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965D4A second address: 965D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900DBh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965D61 second address: 965D86 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECEDC48Ah 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965D86 second address: 965D8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 903341 second address: 903347 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965462 second address: 965471 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F33ECB900D8h 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9655E3 second address: 9655F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F33ECEDC486h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9655F2 second address: 9655F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9655F8 second address: 9655FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9655FE second address: 96560E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F33ECB900D6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96560E second address: 965612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 965758 second address: 96575C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96575C second address: 96576E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F33ECEDC48Ch 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96821E second address: 968228 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 968228 second address: 968233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 968233 second address: 96823D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 pushad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96823D second address: 96825F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC490h 0x00000009 push esi 0x0000000a pop esi 0x0000000b jo 00007F33ECEDC486h 0x00000011 popad 0x00000012 push ecx 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96825F second address: 96826C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jl 00007F33ECB900ECh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8F9632 second address: 8F9638 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8F9638 second address: 8F9641 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8F9641 second address: 8F964C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33ECEDC486h 0x0000000a pop ecx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8F964C second address: 8F9652 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 8F9652 second address: 8F966C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC496h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 96ED38 second address: 96ED3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 973BDB second address: 973C21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F33ECEDC486h 0x0000000a popad 0x0000000b pushad 0x0000000c js 00007F33ECEDC486h 0x00000012 pushad 0x00000013 popad 0x00000014 pushad 0x00000015 popad 0x00000016 jmp 00007F33ECEDC496h 0x0000001b popad 0x0000001c push eax 0x0000001d push edx 0x0000001e jnc 00007F33ECEDC486h 0x00000024 jmp 00007F33ECEDC491h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 973C21 second address: 973C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9428D0 second address: 9428DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 972960 second address: 972966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 972966 second address: 972983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F33ECEDC486h 0x0000000a jmp 00007F33ECEDC492h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 972983 second address: 9729A8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F33ECB900E9h 0x00000008 pop ecx 0x00000009 ja 00007F33ECB900DCh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9729A8 second address: 9729B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9729B3 second address: 9729B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9738E5 second address: 9738EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9738EB second address: 973911 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F33ECB900F0h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 973911 second address: 973917 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 973917 second address: 97391B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97391B second address: 973921 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 978000 second address: 97800B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93F323 second address: 9275BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov edi, dword ptr [ebp+122D2B4Dh] 0x00000011 call dword ptr [ebp+122D1C0Ah] 0x00000017 push eax 0x00000018 push edx 0x00000019 push edi 0x0000001a jmp 00007F33ECEDC499h 0x0000001f pop edi 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FA3B second address: 93FA4A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FA4A second address: 93FA54 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FBA1 second address: 93FBA7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FD55 second address: 93FD5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FD5C second address: 93FD61 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FD61 second address: 93FD67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FD67 second address: 93FD97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push ecx 0x0000000b movzx edi, si 0x0000000e pop ecx 0x0000000f push 00000004h 0x00000011 xor dword ptr [ebp+122D1C05h], eax 0x00000017 nop 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F33ECB900E6h 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FD97 second address: 93FDA1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9401AF second address: 9401C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F33ECB900D6h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 94065C second address: 940677 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33ECEDC491h 0x00000008 jmp 00007F33ECEDC48Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 940677 second address: 94067B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97786F second address: 97787D instructions: 0x00000000 rdtsc 0x00000002 jne 00007F33ECEDC486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97787D second address: 977883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9779B0 second address: 9779BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 977C4E second address: 977C5A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jnp 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 977C5A second address: 977C63 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97A5C7 second address: 97A5CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97F812 second address: 97F838 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F33ECEDC48Fh 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97F838 second address: 97F842 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F33ECB900E8h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97F842 second address: 97F85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 push eax 0x0000000a push edx 0x0000000b js 00007F33ECEDC486h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97FDE1 second address: 97FDEB instructions: 0x00000000 rdtsc 0x00000002 jp 00007F33ECB900D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97FDEB second address: 97FE01 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC490h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97FE01 second address: 97FE05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97F35D second address: 97F361 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 97F361 second address: 97F393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jnc 00007F33ECB900D6h 0x00000013 pop edi 0x00000014 push eax 0x00000015 push edx 0x00000016 jp 00007F33ECB900D6h 0x0000001c jmp 00007F33ECB900E6h 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 980389 second address: 98039D instructions: 0x00000000 rdtsc 0x00000002 js 00007F33ECEDC496h 0x00000008 jmp 00007F33ECEDC48Ah 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98039D second address: 9803B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F33ECB900DAh 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98689F second address: 9868C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop esi 0x00000006 pushad 0x00000007 jg 00007F33ECEDC49Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9868C8 second address: 9868EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F33ECB900E7h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98AEE6 second address: 98AEEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98AEEA second address: 98AEEE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B460 second address: 98B46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B599 second address: 98B5A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jbe 00007F33ECB900DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B5A6 second address: 98B5CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F33ECEDC488h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007F33ECEDC48Fh 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 jp 00007F33ECEDC486h 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B5CD second address: 98B5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B5D1 second address: 98B5D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B780 second address: 98B79B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98B940 second address: 98B94E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98BD4D second address: 98BD67 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F33ECB900DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98BD67 second address: 98BD6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98AA31 second address: 98AA62 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E4h 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007F33ECB900D6h 0x0000000f jmp 00007F33ECB900E3h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98AA62 second address: 98AA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98F6B5 second address: 98F6E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DDh 0x00000007 jmp 00007F33ECB900E7h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98F6E3 second address: 98F6E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 98F6E9 second address: 98F70B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DDh 0x00000007 jmp 00007F33ECB900E1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 991C79 second address: 991C7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 998423 second address: 998429 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FF7F second address: 93FF98 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007F33ECEDC490h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 93FF98 second address: 93FFA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 997451 second address: 99746C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99746C second address: 997476 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F33ECB900D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 997476 second address: 9974C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jmp 00007F33ECEDC493h 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop edi 0x0000000f popad 0x00000010 push edx 0x00000011 jmp 00007F33ECEDC496h 0x00000016 push eax 0x00000017 push edx 0x00000018 jc 00007F33ECEDC486h 0x0000001e jmp 00007F33ECEDC48Eh 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9974C1 second address: 9974C7 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9975E1 second address: 997631 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F33ECEDC4A1h 0x0000000c je 00007F33ECEDC486h 0x00000012 jmp 00007F33ECEDC495h 0x00000017 popad 0x00000018 pushad 0x00000019 jmp 00007F33ECEDC497h 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F33ECEDC48Eh 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99AD71 second address: 99AD99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F33ECB900E3h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99AF65 second address: 99AF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A032E second address: 9A034F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 ja 00007F33ECB900D6h 0x0000000c jmp 00007F33ECB900DBh 0x00000011 popad 0x00000012 pushad 0x00000013 js 00007F33ECB900D6h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A034F second address: 9A0358 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A0358 second address: 9A035C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99F62A second address: 99F64B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007F33ECEDC498h 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99F64B second address: 99F66F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jns 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F33ECB900E4h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99F7BB second address: 99F7BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99F90C second address: 99F91B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F33ECB900D6h 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99FA96 second address: 99FAAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F33ECEDC48Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99FAAB second address: 99FAAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99FAAF second address: 99FABA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edi 0x00000008 pop edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99FABA second address: 99FAC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 99FC2A second address: 99FC3B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F33ECEDC48Ah 0x00000008 push edx 0x00000009 pop edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A41F3 second address: 9A41F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A41F9 second address: 9A41FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A41FD second address: 9A4207 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A4207 second address: 9A4211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F33ECEDC486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3B69 second address: 9A3B6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3CB2 second address: 9A3CD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC495h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3CD0 second address: 9A3CDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33ECB900D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3CDB second address: 9A3CEB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F33ECEDC48Ah 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3CEB second address: 9A3D0A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jng 00007F33ECB900D8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3E59 second address: 9A3E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3E5D second address: 9A3E77 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jne 00007F33ECB900D6h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3E77 second address: 9A3E7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3E7B second address: 9A3EB0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 jmp 00007F33ECB900E1h 0x0000000e jmp 00007F33ECB900E9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3EB0 second address: 9A3EBA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3EBA second address: 9A3ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jns 00007F33ECB900D6h 0x0000000d jp 00007F33ECB900D6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A3ECD second address: 9A3EEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007F33ECEDC48Eh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A9A8E second address: 9A9AAC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECB900DFh 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A9AAC second address: 9A9AB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A9D88 second address: 9A9D93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F33ECB900D6h 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9A9D93 second address: 9A9D9D instructions: 0x00000000 rdtsc 0x00000002 jl 00007F33ECEDC48Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AAF13 second address: 9AAF3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E4h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F33ECB900DFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AAF3C second address: 9AAF42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AF66E second address: 9AF674 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AE8EB second address: 9AE8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AE8EF second address: 9AE92B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F33ECB900D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d jno 00007F33ECB900D6h 0x00000013 jmp 00007F33ECB900E5h 0x00000018 pop edi 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F33ECB900DFh 0x00000020 pushad 0x00000021 popad 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AED2C second address: 9AED30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AED30 second address: 9AED38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AF070 second address: 9AF074 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AF074 second address: 9AF08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F33ECB900DEh 0x0000000c push esi 0x0000000d pop esi 0x0000000e jl 00007F33ECB900D6h 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9AF332 second address: 9AF336 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BC0D8 second address: 9BC0DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BC240 second address: 9BC249 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BC249 second address: 9BC251 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BC67B second address: 9BC67F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCC45 second address: 9BCC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F33ECB900D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCC4F second address: 9BCC55 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCDF0 second address: 9BCE05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCE05 second address: 9BCE3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b je 00007F33ECEDC486h 0x00000011 pop ecx 0x00000012 pushad 0x00000013 jmp 00007F33ECEDC491h 0x00000018 pushad 0x00000019 popad 0x0000001a jmp 00007F33ECEDC492h 0x0000001f popad 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCE3E second address: 9BCE44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCE44 second address: 9BCE48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BCFE6 second address: 9BCFFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BBCD8 second address: 9BBCF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F33ECEDC494h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BBCF4 second address: 9BBCFC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9BBCFC second address: 9BBD2B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F33ECEDC495h 0x00000008 pop edx 0x00000009 pushad 0x0000000a jmp 00007F33ECEDC493h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9C4269 second address: 9C426F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9D2FA6 second address: 9D2FB2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jns 00007F33ECEDC486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9D5A9C second address: 9D5AA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F33ECB900D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9D5AA7 second address: 9D5ABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007F33ECEDC490h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9D7705 second address: 9D7709 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9EC3BC second address: 9EC3C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9EC3C2 second address: 9EC3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9F028B second address: 9F02A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC493h 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9F26E4 second address: 9F26EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F33ECB900D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9F26EE second address: 9F270B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jo 00007F33ECEDC499h 0x0000000e jmp 00007F33ECEDC48Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC250 second address: 9FC265 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E0h 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC265 second address: 9FC273 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop eax 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC273 second address: 9FC279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC279 second address: 9FC27D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC27D second address: 9FC29F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F33ECB900E6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FC29F second address: 9FC2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FBDCB second address: 9FBDD1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FBDD1 second address: 9FBDD6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 9FBDD6 second address: 9FBDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F33ECB900D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A0AEE5 second address: A0AEF3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 pop edi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A0AD1A second address: A0AD4A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jg 00007F33ECB900D6h 0x00000012 jmp 00007F33ECB900E2h 0x00000017 pushad 0x00000018 popad 0x00000019 popad 0x0000001a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A0AD4A second address: A0AD87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC492h 0x00000007 jmp 00007F33ECEDC48Ah 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f pushad 0x00000010 push edi 0x00000011 pop edi 0x00000012 jmp 00007F33ECEDC493h 0x00000017 push edi 0x00000018 pop edi 0x00000019 popad 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A0AD87 second address: A0AD8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A0AD8F second address: A0ADB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F33ECEDC48Bh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECEDC494h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A08BC9 second address: A08BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1BE15 second address: A1BE29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jbe 00007F33ECEDC486h 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1BC70 second address: A1BC74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1E6F7 second address: A1E6FD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1E6FD second address: A1E73B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E8h 0x00000007 push edi 0x00000008 push edi 0x00000009 pop edi 0x0000000a pop edi 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F33ECB900E9h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1E73B second address: A1E754 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F33ECEDC48Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A1E754 second address: A1E758 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A41848 second address: A41851 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4097D second address: A409A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F33ECB900D6h 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 je 00007F33ECB900D6h 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 popad 0x00000019 js 00007F33ECB900E8h 0x0000001f push ecx 0x00000020 jnl 00007F33ECB900D6h 0x00000026 pop ecx 0x00000027 push ebx 0x00000028 push eax 0x00000029 push edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A40AC8 second address: A40ACC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A40C31 second address: A40C38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A40C38 second address: A40C40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A40D8F second address: A40D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push edx 0x00000007 pop edx 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4740A second address: A47427 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC499h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4A8CA second address: A4A8D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4A8D0 second address: A4A8D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4A8D4 second address: A4A8F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F33ECB900DEh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: A4A8F1 second address: A4A90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 jmp 00007F33ECEDC48Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f jnc 00007F33ECEDC486h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A06FC second address: 50A0700 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A0700 second address: 50A0706 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A0706 second address: 50A070C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A070C second address: 50A072D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f mov dh, 58h 0x00000011 movzx esi, dx 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A072D second address: 50A074D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ax, bx 0x00000011 mov edx, 624A1B5Ch 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50A074D second address: 50A079D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC492h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov cx, bx 0x00000010 pushfd 0x00000011 jmp 00007F33ECEDC499h 0x00000016 add eax, 319B4516h 0x0000001c jmp 00007F33ECEDC491h 0x00000021 popfd 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060DDF second address: 5060DE5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060DE5 second address: 5060E60 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b mov esi, 4262EA9Dh 0x00000010 call 00007F33ECEDC48Ah 0x00000015 pushfd 0x00000016 jmp 00007F33ECEDC492h 0x0000001b sbb si, 3728h 0x00000020 jmp 00007F33ECEDC48Bh 0x00000025 popfd 0x00000026 pop esi 0x00000027 popad 0x00000028 push eax 0x00000029 pushad 0x0000002a pushfd 0x0000002b jmp 00007F33ECEDC494h 0x00000030 and cx, 6988h 0x00000035 jmp 00007F33ECEDC48Bh 0x0000003a popfd 0x0000003b mov ebx, eax 0x0000003d popad 0x0000003e xchg eax, ebp 0x0000003f push eax 0x00000040 push edx 0x00000041 push eax 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060E60 second address: 5060E64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060E64 second address: 5060E7B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E07A7 second address: 50E07AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E07AD second address: 50E07CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECEDC497h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060ACE second address: 5060AEF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, 8Ah 0x0000000f mov edi, 604786EAh 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060AEF second address: 5060B2F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 add ch, FFFFFFA8h 0x0000000c jmp 00007F33ECEDC48Bh 0x00000011 popfd 0x00000012 movzx eax, bx 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 xchg eax, ebp 0x00000019 jmp 00007F33ECEDC48Bh 0x0000001e mov ebp, esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov bx, 93C6h 0x00000027 mov ax, dx 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B2F second address: 5060B36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, B8h 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B36 second address: 5060B60 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push dword ptr [ebp+04h] 0x0000000a jmp 00007F33ECEDC497h 0x0000000f push dword ptr [ebp+0Ch] 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B60 second address: 5060B64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B64 second address: 5060B68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B68 second address: 5060B6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060B6E second address: 5060BE1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC498h 0x00000009 xor esi, 786FB9F8h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F33ECEDC498h 0x0000001b xor ch, 00000058h 0x0000001e jmp 00007F33ECEDC48Bh 0x00000023 popfd 0x00000024 popad 0x00000025 pop edx 0x00000026 pop eax 0x00000027 push dword ptr [ebp+08h] 0x0000002a push eax 0x0000002b push edx 0x0000002c jmp 00007F33ECEDC495h 0x00000031 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060C18 second address: 5060C1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060C1C second address: 5060C22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060C22 second address: 5060C28 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060C28 second address: 5060C2C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5060C2C second address: 5060C42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECB900DBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0C03 second address: 50B0C09 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0C09 second address: 50B0C21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, B693h 0x00000007 mov ax, 28EFh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 push edi 0x00000011 push esi 0x00000012 pop edx 0x00000013 pop ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0C21 second address: 50B0C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0C25 second address: 50B0C35 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0C35 second address: 50B0CCB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC495h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov esi, 3EC0AE53h 0x00000011 pushfd 0x00000012 jmp 00007F33ECEDC498h 0x00000017 and cx, 47D8h 0x0000001c jmp 00007F33ECEDC48Bh 0x00000021 popfd 0x00000022 popad 0x00000023 pop ebp 0x00000024 pushad 0x00000025 push eax 0x00000026 pushfd 0x00000027 jmp 00007F33ECEDC48Bh 0x0000002c adc eax, 01C8FA9Eh 0x00000032 jmp 00007F33ECEDC499h 0x00000037 popfd 0x00000038 pop eax 0x00000039 push eax 0x0000003a push edx 0x0000003b call 00007F33ECEDC497h 0x00000040 pop eax 0x00000041 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 510041A second address: 5100420 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5100420 second address: 510043E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F33ECEDC493h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 510043E second address: 5100444 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5100444 second address: 5100448 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5100448 second address: 510045F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900DAh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0E6B second address: 50E0E6F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0E6F second address: 50E0E8C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0E8C second address: 50E0EFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC497h 0x00000009 or al, 0000001Eh 0x0000000c jmp 00007F33ECEDC499h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F33ECEDC490h 0x00000018 adc cl, 00000018h 0x0000001b jmp 00007F33ECEDC48Bh 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 pop ebp 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F33ECEDC495h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5070484 second address: 5070488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5070488 second address: 507048E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 507048E second address: 50704D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F33ECB900E3h 0x00000012 call 00007F33ECB900E8h 0x00000017 pop eax 0x00000018 popad 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50704D4 second address: 50704E5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 movsx edx, ax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50704E5 second address: 50704E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50704E9 second address: 50704ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50704ED second address: 50704F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E05D8 second address: 50E0620 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC498h 0x00000008 or ax, 24F8h 0x0000000d jmp 00007F33ECEDC48Bh 0x00000012 popfd 0x00000013 pop edx 0x00000014 pop eax 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a call 00007F33ECEDC491h 0x0000001f pop eax 0x00000020 mov eax, ebx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0620 second address: 50E0635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0635 second address: 50E0639 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0639 second address: 50E063F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E063F second address: 50E0653 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov eax, 184EA6F7h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0653 second address: 50E0658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0C5A second address: 50E0C69 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0C69 second address: 50E0C6E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0C6E second address: 50E0C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov eax, ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F33ECEDC493h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0C8D second address: 50E0CD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d mov bx, 653Eh 0x00000011 popad 0x00000012 mov ebp, esp 0x00000014 jmp 00007F33ECB900E5h 0x00000019 mov eax, dword ptr [ebp+08h] 0x0000001c pushad 0x0000001d mov bl, ch 0x0000001f push eax 0x00000020 push edx 0x00000021 movsx edi, si 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0CD5 second address: 50E0CD9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0CD9 second address: 50E0CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 and dword ptr [eax], 00000000h 0x0000000a jmp 00007F33ECB900DCh 0x0000000f and dword ptr [eax+04h], 00000000h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 mov ecx, edi 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0CFB second address: 50E0D64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ebx 0x00000005 pushfd 0x00000006 jmp 00007F33ECEDC48Eh 0x0000000b sub cx, ABC8h 0x00000010 jmp 00007F33ECEDC48Bh 0x00000015 popfd 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pop ebp 0x0000001a pushad 0x0000001b pushad 0x0000001c mov si, 07D1h 0x00000020 pushfd 0x00000021 jmp 00007F33ECEDC48Eh 0x00000026 add ecx, 5CC2AE28h 0x0000002c jmp 00007F33ECEDC48Bh 0x00000031 popfd 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 jmp 00007F33ECEDC496h 0x0000003a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E0D64 second address: 50E0D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0130 second address: 50F015E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F33ECEDC490h 0x0000000a sbb cx, 4678h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 popad 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F015E second address: 50F0167 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dx, 8C54h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0167 second address: 50F01AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cx, 5C9Fh 0x00000007 pushfd 0x00000008 jmp 00007F33ECEDC494h 0x0000000d jmp 00007F33ECEDC495h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F33ECEDC48Ch 0x0000001e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F01AB second address: 50F01D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov si, bx 0x00000006 jmp 00007F33ECB900DDh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900DDh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F01D1 second address: 50F01E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F01E1 second address: 50F0209 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a jmp 00007F33ECB900E7h 0x0000000f pop ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0209 second address: 50F020D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F020D second address: 50F0228 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50908A2 second address: 50908C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F33ECEDC48Ah 0x0000000a xor ax, 1098h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0E44 second address: 50F0E4A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0E4A second address: 50F0E72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECEDC494h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0E72 second address: 50F0F13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECB900E1h 0x00000009 sub al, FFFFFFC6h 0x0000000c jmp 00007F33ECB900E1h 0x00000011 popfd 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F33ECB900DCh 0x0000001d mov ebp, esp 0x0000001f jmp 00007F33ECB900E0h 0x00000024 xchg eax, ecx 0x00000025 jmp 00007F33ECB900E0h 0x0000002a push eax 0x0000002b pushad 0x0000002c pushfd 0x0000002d jmp 00007F33ECB900E1h 0x00000032 jmp 00007F33ECB900DBh 0x00000037 popfd 0x00000038 push ecx 0x00000039 mov edx, 03527B1Ah 0x0000003e pop edi 0x0000003f popad 0x00000040 xchg eax, ecx 0x00000041 jmp 00007F33ECB900DEh 0x00000046 mov eax, dword ptr [76FB65FCh] 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0F13 second address: 50F0F17 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0F17 second address: 50F0F1D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F02D4 second address: 50F02E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F02E3 second address: 50F0303 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov esi, edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E3h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0303 second address: 50F0390 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC48Fh 0x00000009 xor eax, 77E1FE0Eh 0x0000000f jmp 00007F33ECEDC499h 0x00000014 popfd 0x00000015 mov ecx, 69DC2717h 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 mov ah, E2h 0x00000023 pushfd 0x00000024 jmp 00007F33ECEDC495h 0x00000029 adc cx, 30F6h 0x0000002e jmp 00007F33ECEDC491h 0x00000033 popfd 0x00000034 popad 0x00000035 mov ebp, esp 0x00000037 push eax 0x00000038 push edx 0x00000039 pushad 0x0000003a movsx ebx, si 0x0000003d call 00007F33ECEDC494h 0x00000042 pop esi 0x00000043 popad 0x00000044 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0390 second address: 50F03AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E7h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B000B second address: 50B0023 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0023 second address: 50B0039 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0039 second address: 50B003F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B003F second address: 50B004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 mov cx, F853h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B004A second address: 50B0094 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC498h 0x00000008 sub eax, 134E89D8h 0x0000000e jmp 00007F33ECEDC48Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b call 00007F33ECEDC492h 0x00000020 pop eax 0x00000021 push ebx 0x00000022 pop ecx 0x00000023 popad 0x00000024 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0094 second address: 50B0099 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0099 second address: 50B00AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, al 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f mov si, 49B9h 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B00AD second address: 50B00D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E5h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B00D9 second address: 50B00DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B00DF second address: 50B00FE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 and esp, FFFFFFF8h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F33ECB900E2h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B00FE second address: 50B0110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0110 second address: 50B012E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 jmp 00007F33ECB900DCh 0x0000000e mov dword ptr [esp], ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B012E second address: 50B0132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0132 second address: 50B014F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B014F second address: 50B01AB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC497h 0x00000009 and ch, FFFFFFDEh 0x0000000c jmp 00007F33ECEDC499h 0x00000011 popfd 0x00000012 mov esi, 6A3E0BA7h 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebx 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F33ECEDC499h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B01AB second address: 50B01D2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 call 00007F33ECB900DDh 0x0000000a pop eax 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 mov ax, 0F13h 0x00000014 movzx ecx, di 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d pushad 0x0000001e popad 0x0000001f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B01D2 second address: 50B01D8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B01D8 second address: 50B01E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 6198h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B01E1 second address: 50B021E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b push edx 0x0000000c pushfd 0x0000000d jmp 00007F33ECEDC496h 0x00000012 adc si, 8BF8h 0x00000017 jmp 00007F33ECEDC48Bh 0x0000001c popfd 0x0000001d pop esi 0x0000001e popad 0x0000001f push esp 0x00000020 push eax 0x00000021 push edx 0x00000022 pushad 0x00000023 mov eax, edi 0x00000025 popad 0x00000026 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B021E second address: 50B02AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECB900DBh 0x00000009 xor eax, 42A08C6Eh 0x0000000f jmp 00007F33ECB900E9h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F33ECB900E0h 0x0000001b jmp 00007F33ECB900E5h 0x00000020 popfd 0x00000021 popad 0x00000022 pop edx 0x00000023 pop eax 0x00000024 mov dword ptr [esp], esi 0x00000027 pushad 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007F33ECB900E6h 0x0000002f xor eax, 12621578h 0x00000035 jmp 00007F33ECB900DBh 0x0000003a popfd 0x0000003b popad 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B02AA second address: 50B02AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B02AE second address: 50B031C instructions: 0x00000000 rdtsc 0x00000002 mov al, 9Ch 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov esi, dword ptr [ebp+08h] 0x0000000a jmp 00007F33ECB900E7h 0x0000000f xchg eax, edi 0x00000010 pushad 0x00000011 call 00007F33ECB900E4h 0x00000016 movzx eax, bx 0x00000019 pop edi 0x0000001a pushfd 0x0000001b jmp 00007F33ECB900DCh 0x00000020 jmp 00007F33ECB900E5h 0x00000025 popfd 0x00000026 popad 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F33ECB900DCh 0x0000002f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B031C second address: 50B0322 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0322 second address: 50B0326 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0326 second address: 50B037E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, edi 0x00000009 pushad 0x0000000a pushad 0x0000000b call 00007F33ECEDC495h 0x00000010 pop esi 0x00000011 pushfd 0x00000012 jmp 00007F33ECEDC491h 0x00000017 or eax, 3AF34B96h 0x0000001d jmp 00007F33ECEDC491h 0x00000022 popfd 0x00000023 popad 0x00000024 mov eax, 5398F007h 0x00000029 popad 0x0000002a test esi, esi 0x0000002c pushad 0x0000002d pushad 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B037E second address: 50B03E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov bh, 4Ch 0x00000006 popad 0x00000007 popad 0x00000008 je 00007F345EA0E365h 0x0000000e jmp 00007F33ECB900DAh 0x00000013 cmp dword ptr [esi+08h], DDEEDDEEh 0x0000001a jmp 00007F33ECB900E0h 0x0000001f je 00007F345EA0E354h 0x00000025 jmp 00007F33ECB900E0h 0x0000002a mov edx, dword ptr [esi+44h] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 call 00007F33ECB900E8h 0x00000035 pop esi 0x00000036 popad 0x00000037 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B03E3 second address: 50B0401 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, cx 0x00000006 mov esi, 70C9A0F9h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e or edx, dword ptr [ebp+0Ch] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F33ECEDC48Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0401 second address: 50B0407 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B0407 second address: 50B040B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B040B second address: 50B044E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 movzx ecx, di 0x00000014 pushfd 0x00000015 jmp 00007F33ECB900E5h 0x0000001a sub esi, 47162526h 0x00000020 jmp 00007F33ECB900E1h 0x00000025 popfd 0x00000026 popad 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50B044E second address: 50B04A2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC491h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jne 00007F345ED5A6ABh 0x0000000f pushad 0x00000010 mov bh, 88h 0x00000012 popad 0x00000013 test byte ptr [esi+48h], 00000001h 0x00000017 jmp 00007F33ECEDC492h 0x0000001c jne 00007F345ED5A6A4h 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F33ECEDC497h 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0008 second address: 50C000C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C000C second address: 50C0012 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0012 second address: 50C0027 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E1h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0027 second address: 50C002B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C002B second address: 50C003B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push ebx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C003B second address: 50C0040 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0040 second address: 50C0046 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0046 second address: 50C004A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C004A second address: 50C00B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], ebp 0x0000000e jmp 00007F33ECB900E0h 0x00000013 mov ebp, esp 0x00000015 pushad 0x00000016 pushfd 0x00000017 jmp 00007F33ECB900DEh 0x0000001c add eax, 3D7CCC68h 0x00000022 jmp 00007F33ECB900DBh 0x00000027 popfd 0x00000028 mov ebx, esi 0x0000002a popad 0x0000002b and esp, FFFFFFF8h 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F33ECB900E1h 0x00000035 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C00B8 second address: 50C00BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C00BE second address: 50C00C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C00C2 second address: 50C0199 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F33ECEDC494h 0x0000000e mov dword ptr [esp], ebx 0x00000011 pushad 0x00000012 call 00007F33ECEDC48Eh 0x00000017 movzx ecx, dx 0x0000001a pop ebx 0x0000001b mov si, A0B3h 0x0000001f popad 0x00000020 xchg eax, esi 0x00000021 pushad 0x00000022 pushad 0x00000023 call 00007F33ECEDC492h 0x00000028 pop esi 0x00000029 mov dx, 6FF6h 0x0000002d popad 0x0000002e pushfd 0x0000002f jmp 00007F33ECEDC497h 0x00000034 add si, 807Eh 0x00000039 jmp 00007F33ECEDC499h 0x0000003e popfd 0x0000003f popad 0x00000040 push eax 0x00000041 jmp 00007F33ECEDC491h 0x00000046 xchg eax, esi 0x00000047 pushad 0x00000048 mov bx, si 0x0000004b call 00007F33ECEDC498h 0x00000050 mov eax, 044BC531h 0x00000055 pop esi 0x00000056 popad 0x00000057 mov esi, dword ptr [ebp+08h] 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F33ECEDC48Fh 0x00000063 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0199 second address: 50C01B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C01B6 second address: 50C01C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC48Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C01C6 second address: 50C022D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b sub ebx, ebx 0x0000000d pushad 0x0000000e mov edi, 41DDF1C8h 0x00000013 pushad 0x00000014 mov cx, bx 0x00000017 mov bh, 4Bh 0x00000019 popad 0x0000001a popad 0x0000001b test esi, esi 0x0000001d jmp 00007F33ECB900E2h 0x00000022 je 00007F345E9F6269h 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F33ECB900DDh 0x00000031 sbb ax, 3996h 0x00000036 jmp 00007F33ECB900E1h 0x0000003b popfd 0x0000003c mov bx, cx 0x0000003f popad 0x00000040 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C022D second address: 50C0258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 movsx edi, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b cmp dword ptr [esi+08h], DDEEDDEEh 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F33ECEDC497h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0258 second address: 50C025E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C025E second address: 50C0262 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0262 second address: 50C0266 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0266 second address: 50C0278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ecx, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov ah, 37h 0x0000000f mov esi, edx 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0278 second address: 50C02A9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 je 00007F345E9F61EFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900E7h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C02A9 second address: 50C02E2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC499h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test byte ptr [76FB6968h], 00000002h 0x00000010 pushad 0x00000011 mov eax, 04118B23h 0x00000016 mov edi, ecx 0x00000018 popad 0x00000019 jne 00007F345ED42566h 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C02E2 second address: 50C02E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C02E6 second address: 50C02FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C03F5 second address: 50C03FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C03FB second address: 50C0401 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0401 second address: 50C0405 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5121972 second address: 5121979 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5121979 second address: 51219DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F33ECB900DDh 0x00000013 sub ecx, 002C1926h 0x00000019 jmp 00007F33ECB900E1h 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007F33ECB900E0h 0x00000025 or al, FFFFFFC8h 0x00000028 jmp 00007F33ECB900DBh 0x0000002d popfd 0x0000002e popad 0x0000002f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51219DE second address: 5121A18 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC499h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b mov dx, 01BEh 0x0000000f popad 0x00000010 xchg eax, ebp 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 call 00007F33ECEDC48Eh 0x00000019 pop ecx 0x0000001a push edx 0x0000001b pop eax 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5121A18 second address: 5121A5A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov si, 44CDh 0x00000010 pushfd 0x00000011 jmp 00007F33ECB900DAh 0x00000016 sub ecx, 205171E8h 0x0000001c jmp 00007F33ECB900DBh 0x00000021 popfd 0x00000022 popad 0x00000023 push 0000007Fh 0x00000025 pushad 0x00000026 push eax 0x00000027 mov edi, 634CBD56h 0x0000002c pop edx 0x0000002d push eax 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5121AD0 second address: 5121972 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECEDC490h 0x00000008 xor eax, 6004EE98h 0x0000000e jmp 00007F33ECEDC48Bh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 popad 0x00000017 retn 0004h 0x0000001a lea eax, dword ptr [ebp-10h] 0x0000001d push eax 0x0000001e call ebx 0x00000020 mov edi, edi 0x00000022 push eax 0x00000023 push edx 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E09C8 second address: 50E09CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50E09CE second address: 50E09F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ah, E7h 0x00000005 movsx ebx, ax 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c jmp 00007F33ECEDC48Eh 0x00000011 mov ebp, esp 0x00000013 pushad 0x00000014 pushad 0x00000015 mov cx, 0C83h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C0639 second address: 50C063D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C063D second address: 50C064E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C064E second address: 50C065E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900DCh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C065E second address: 50C069E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a mov bx, si 0x0000000d pushfd 0x0000000e jmp 00007F33ECEDC496h 0x00000013 adc eax, 42C7B9D8h 0x00000019 jmp 00007F33ECEDC48Bh 0x0000001e popfd 0x0000001f popad 0x00000020 mov dword ptr [esp], ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 popad 0x00000029 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C069E second address: 50C06A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C06A2 second address: 50C06A8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50C06A8 second address: 50C06AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51401EC second address: 51401F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51401F0 second address: 51401F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51401F6 second address: 514022A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F33ECEDC492h 0x00000009 sub eax, 3A6B92D8h 0x0000000f jmp 00007F33ECEDC48Bh 0x00000014 popfd 0x00000015 movzx ecx, bx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 514022A second address: 514029A instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECB900DAh 0x00000008 adc ecx, 66A95D38h 0x0000000e jmp 00007F33ECB900DBh 0x00000013 popfd 0x00000014 pop edx 0x00000015 pop eax 0x00000016 movzx esi, dx 0x00000019 popad 0x0000001a mov dword ptr [esp], ebp 0x0000001d pushad 0x0000001e pushfd 0x0000001f jmp 00007F33ECB900E1h 0x00000024 xor ax, F3D6h 0x00000029 jmp 00007F33ECB900E1h 0x0000002e popfd 0x0000002f movzx esi, bx 0x00000032 popad 0x00000033 mov ebp, esp 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F33ECB900E6h 0x0000003c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 514029A second address: 51402CA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push dword ptr [ebp+0Ch] 0x0000000c pushad 0x0000000d pushad 0x0000000e call 00007F33ECEDC492h 0x00000013 pop eax 0x00000014 mov dx, A146h 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov dl, C3h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51402CA second address: 51402CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 51402CE second address: 514032B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push dword ptr [ebp+08h] 0x0000000a jmp 00007F33ECEDC492h 0x0000000f push 03AB7B09h 0x00000014 pushad 0x00000015 movsx edx, ax 0x00000018 pushfd 0x00000019 jmp 00007F33ECEDC498h 0x0000001e and cx, 8048h 0x00000023 jmp 00007F33ECEDC48Bh 0x00000028 popfd 0x00000029 popad 0x0000002a xor dword ptr [esp], 03AA7B0Bh 0x00000031 push eax 0x00000032 push edx 0x00000033 push eax 0x00000034 push edx 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 514032B second address: 514032F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 514032F second address: 514034A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC497h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 514034A second address: 5140350 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5140350 second address: 5140354 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5140382 second address: 5140386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 5140386 second address: 514038C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F075F second address: 50F0765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0765 second address: 50F0769 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0769 second address: 50F076D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F076D second address: 50F079C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 jmp 00007F33ECEDC48Ch 0x0000000e mov dword ptr [esp], ebp 0x00000011 jmp 00007F33ECEDC490h 0x00000016 mov ebp, esp 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b mov edi, eax 0x0000001d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F079C second address: 50F07E7 instructions: 0x00000000 rdtsc 0x00000002 pushfd 0x00000003 jmp 00007F33ECB900E8h 0x00000008 and cl, FFFFFFC8h 0x0000000b jmp 00007F33ECB900DBh 0x00000010 popfd 0x00000011 pop edx 0x00000012 pop eax 0x00000013 popad 0x00000014 and esp, FFFFFFF0h 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F33ECB900E7h 0x00000020 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F07E7 second address: 50F07ED instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F07ED second address: 50F0812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 mov ebx, esi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a sub esp, 44h 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F33ECB900E4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0812 second address: 50F0821 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0821 second address: 50F0845 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0845 second address: 50F0849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0849 second address: 50F085C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F085C second address: 50F0874 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECEDC494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0874 second address: 50F0891 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECB900DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d mov al, dl 0x0000000f popad 0x00000010 xchg eax, ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0891 second address: 50F0895 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F0895 second address: 50F089B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F089B second address: 50F08F7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushfd 0x0000000e jmp 00007F33ECEDC48Dh 0x00000013 sub si, 3526h 0x00000018 jmp 00007F33ECEDC491h 0x0000001d popfd 0x0000001e pushfd 0x0000001f jmp 00007F33ECEDC490h 0x00000024 or ah, FFFFFFC8h 0x00000027 jmp 00007F33ECEDC48Bh 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F08F7 second address: 50F090F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F33ECB900E4h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	RDTSC instruction interceptor: First address: 50F090F second address: 50F0937 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F33ECEDC48Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F33ECEDC494h 0x00000013 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Special instruction interceptor: First address: 79FBE1 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Special instruction interceptor: First address: 93F41F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Special instruction interceptor: First address: 79FAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Special instruction interceptor: First address: 9C5DAD instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 1CFBE1 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 36F41F instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 1CFAB9 instructions caused by: Self-modifying code
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Special instruction interceptor: First address: 3F5DAD instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 2DFBE1 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 47F41F instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 2DFAB9 instructions caused by: Self-modifying code
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Special instruction interceptor: First address: 505DAD instructions caused by: Self-modifying code

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Code function: 0_2_05130A73 rdtsc

0_2_05130A73

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window / User API: threadDelayed 848	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window / User API: threadDelayed 1273	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window / User API: threadDelayed 920	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Window / User API: threadDelayed 352	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1304	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1173	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 764	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1220	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 1121	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Window / User API: threadDelayed 766	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 1171	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2589	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2603	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Window / User API: threadDelayed 2609	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6860	Thread sleep time: -30015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6788	Thread sleep count: 848 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6788	Thread sleep time: -1696848s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6736	Thread sleep count: 234 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 5004	Thread sleep count: 238 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6816	Thread sleep count: 1273 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6816	Thread sleep time: -2547273s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6840	Thread sleep count: 920 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6840	Thread sleep time: -1840920s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6792	Thread sleep count: 352 > 30	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe TID: 6792	Thread sleep time: -704352s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6404	Thread sleep count: 87 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6404	Thread sleep time: -174087s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720	Thread sleep count: 132 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6720	Thread sleep time: -264132s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7104	Thread sleep count: 110 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7104	Thread sleep time: -220110s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744	Thread sleep count: 65 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744	Thread sleep count: 1304 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1744	Thread sleep time: -131704s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232	Thread sleep count: 1173 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232	Thread sleep count: 764 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7232	Thread sleep time: -76400s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2504	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2504	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5480	Thread sleep count: 119 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5480	Thread sleep time: -238119s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6568	Thread sleep count: 118 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6568	Thread sleep time: -236118s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 792	Thread sleep count: 123 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 792	Thread sleep time: -246123s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6500	Thread sleep count: 78 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6500	Thread sleep time: -156078s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7220	Thread sleep time: -32000s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732	Thread sleep count: 67 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5600	Thread sleep count: 111 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5600	Thread sleep time: -222111s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732	Thread sleep count: 1220 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 732	Thread sleep time: -123220s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228	Thread sleep count: 1121 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228	Thread sleep count: 766 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7228	Thread sleep time: -76600s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4928	Thread sleep count: 101 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 4928	Thread sleep time: -202101s >= -30000s	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136	Thread sleep count: 138 > 30	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136	Thread sleep time: -276138s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7300	Thread sleep time: -54027s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7288	Thread sleep count: 1171 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7288	Thread sleep time: -2343171s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7256	Thread sleep count: 249 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7468	Thread sleep count: 240 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636	Thread sleep count: 72 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7636	Thread sleep time: -144072s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644	Thread sleep count: 73 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7644	Thread sleep time: -146073s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640	Thread sleep count: 71 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7640	Thread sleep time: -142071s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7560	Thread sleep count: 104 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7560	Thread sleep count: 237 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620	Thread sleep count: 2589 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7620	Thread sleep time: -5180589s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7752	Thread sleep count: 233 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7628	Thread sleep count: 2603 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7628	Thread sleep time: -5208603s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624	Thread sleep count: 2609 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7624	Thread sleep time: -5220609s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Last function: Thread delayed

Source: RageMP131.exe, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4130383700.0000000000F3C000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&00
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}f
Source: MPGPH131.exe, 00000005.00000002.4130834437.000000000133D000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}D
Source: RageMP131.exe, 00000009.00000003.1952162624.0000000000E53000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}@
Source: MPGPH131.exe, 00000005.00000002.4131028142.000000000144D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}`}9
Source: RageMP131.exe, 00000007.00000002.4130773514.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\
Source: RageMP131.exe, 00000007.00000002.4130773514.0000000000D43000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}EX
Source: RageMP131.exe, 00000009.00000003.1952162624.0000000000E51000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: MPGPH131.exe, 00000005.00000002.4131028142.0000000001494000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78B2A93F
Source: RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}bl
Source: LisectAVT_2403002A_228.exe, 00000000.00000002.4130424315.0000000000FB4000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000005.00000002.4131028142.0000000001482000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4130999077.0000000000D4D000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4130773514.0000000000D43000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Thread information set: HideFromDebugger	Jump to behavior

Potentially malicious time measurement code found

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_05130BA4 Start: 05130DBD End: 05130C04		0_2_05130BA4
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_0557024B Start: 05570281 End: 0557025F		5_2_0557024B

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: ollydbg
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: NTICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SICE
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Code function: 0_2_05130A73 rdtsc

0_2_05130A73

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006C3A40 mov eax, dword ptr fs:[00000030h]	0_2_006C3A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_006C3A40 mov eax, dword ptr fs:[00000030h]	0_2_006C3A40
Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Code function: 0_2_00674100 mov eax, dword ptr fs:[00000030h]	0_2_00674100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000F3A40 mov eax, dword ptr fs:[00000030h]	5_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000F3A40 mov eax, dword ptr fs:[00000030h]	5_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 5_2_000A4100 mov eax, dword ptr fs:[00000030h]	5_2_000A4100
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000F3A40 mov eax, dword ptr fs:[00000030h]	6_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000F3A40 mov eax, dword ptr fs:[00000030h]	6_2_000F3A40
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Code function: 6_2_000A4100 mov eax, dword ptr fs:[00000030h]	6_2_000A4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00203A40 mov eax, dword ptr fs:[00000030h]	7_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_00203A40 mov eax, dword ptr fs:[00000030h]	7_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 7_2_001B4100 mov eax, dword ptr fs:[00000030h]	7_2_001B4100
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00203A40 mov eax, dword ptr fs:[00000030h]	9_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_00203A40 mov eax, dword ptr fs:[00000030h]	9_2_00203A40
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Code function: 9_2_001B4100 mov eax, dword ptr fs:[00000030h]	9_2_001B4100

Source: MPGPH131.exe, MPGPH131.exe, 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, RageMP131.exe, 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmp

Binary or memory string: JProgram Manager

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\ProgramData\MPGPH131\MPGPH131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Code function: 0_2_0073F26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime,

0_2_0073F26A

Source: C:\Users\user\Desktop\LisectAVT_2403002A_228.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected RisePro Stealer

Source: Yara match	File source: 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_228.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7556, type: MEMORYSTR

Remote Access Functionality

Yara detected RisePro Stealer

Source: Yara match	File source: 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LisectAVT_2403002A_228.exe PID: 6740, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 4948, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: MPGPH131.exe PID: 344, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7252, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: RageMP131.exe PID: 7556, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	3 Command and Scripting Interpreter	1 Scheduled Task/Job	2 Process Injection	1 Masquerading	OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	1 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	24 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Native API	1 DLL Side-Loading	1 Registry Run Keys / Startup Folder	2 Process Injection	Security Account Manager	24 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Deobfuscate/Decode Files or Information	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	12 Software Packing	Cached Domain Credentials	214 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
LisectAVT_2403002A_228.exe	100%	Avira	TR/Redcap.hkdqs
LisectAVT_2403002A_228.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Avira	TR/Redcap.hkdqs
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Avira	TR/Redcap.hkdqs
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe	100%	Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label
http://www.winimage.com/zLibDll	0%	URL Reputation	safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTmJ	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORTHr	0%	Avira URL Cloud	safe
https://t.me/RiseProSUPPORT	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll	LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTmJ	RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll	LisectAVT_2403002A_228.exe, 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_228.exe, 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp	false	URL Reputation: safe	unknown
https://t.me/RiseProSUPPORT	MPGPH131.exe, 00000006.00000002.4130999077.0000000000D2A000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000007.00000002.4130773514.0000000000D0E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000009.00000002.4130699493.0000000000E1B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/RiseProSUPPORTHr	MPGPH131.exe, 00000005.00000002.4131028142.000000000144D000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.233.132.74	unknown	Russian Federation		2895	FREE-NET-ASFREEnetEU	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1482398
Start date and time:	2024-07-25 22:23:01 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 11m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	LisectAVT_2403002A_228.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@11/5@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: LisectAVT_2403002A_228.exe

Simulations

Behavior and APIs

Time	Type	Description
16:24:22	API Interceptor	3830998x Sleep call for process: LisectAVT_2403002A_228.exe modified
16:24:29	API Interceptor	5504x Sleep call for process: MPGPH131.exe modified
16:24:37	API Interceptor	5441613x Sleep call for process: RageMP131.exe modified
21:23:58	Task Scheduler	Run new task: MPGPH131 HR path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:23:58	Task Scheduler	Run new task: MPGPH131 LG path: C:\ProgramData\MPGPH131\MPGPH131.exe
21:23:58	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
21:24:07	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RageMP131 C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
193.233.132.74	LisectAVT_2403002A_376.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002B_242.exe	Get hash	malicious	RisePro Stealer	Browse
	LisectAVT_2403002A_224.exe	Get hash	malicious	RisePro Stealer	Browse
	80OrFCsz0u.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe	Get hash	malicious	GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	RisePro Stealer	Browse
	vGDqFBB1Jz.exe	Get hash	malicious	RisePro Stealer	Browse
	iKV7MCWDJF.exe	Get hash	malicious	RisePro Stealer	Browse
	8TFD6H44Pz.exe	Get hash	malicious	RisePro Stealer	Browse
	uRLTbkeYF7.exe	Get hash	malicious	RisePro Stealer	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
FREE-NET-ASFREEnetEU	LisectAVT_2403002A_30.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002A_33.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002A_376.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74
	LisectAVT_2403002A_389.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002A_419.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.67
	LisectAVT_2403002A_419.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.67
	LisectAVT_2403002A_464.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.109
	LisectAVT_2403002A_464.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.109
	LisectAVT_2403002A_79.exe	Get hash	malicious	Amadey	Browse	193.233.132.56
	LisectAVT_2403002B_242.exe	Get hash	malicious	RisePro Stealer	Browse	193.233.132.74

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2337286
Entropy (8bit):	7.9651626019668145
Encrypted:	false
SSDEEP:	49152:yb0//IOrbf7t6DpoXoY4huCcvZj8vL23ExBbmbJPJCdTk:ybgIOgDpoLsXij8jIJPJMk
MD5:	CE5A350B93125774AA74515271C6D8AD
SHA1:	4E7F67212BD95ECE241D4914BE2CDBF9D5DC9573
SHA-256:	5DBDCFB4702811E2F7CDAC39BA83DCCDC4A16DFA6B29A02B3879A1A70B3019DD
SHA-512:	CA0DDD1CDC8EEEB7BEEC028F6D4A3EBFE62EB225C46532774BB155EF8A5037DACF9C8A8245047225B4C7D1C68449EA6502BE83F2DF4D27173A9F5534D784896A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Y...........@...........................Y.....*A$...@...........................Y.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... ..+..........$..............@...ycahdotv.....@?......&..............@...urypsrur......Y.......#.............@...........................................................................................................................................................................................................................

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	2337286
Entropy (8bit):	7.9651626019668145
Encrypted:	false
SSDEEP:	49152:yb0//IOrbf7t6DpoXoY4huCcvZj8vL23ExBbmbJPJCdTk:ybgIOgDpoLsXij8jIJPJMk
MD5:	CE5A350B93125774AA74515271C6D8AD
SHA1:	4E7F67212BD95ECE241D4914BE2CDBF9D5DC9573
SHA-256:	5DBDCFB4702811E2F7CDAC39BA83DCCDC4A16DFA6B29A02B3879A1A70B3019DD
SHA-512:	CA0DDD1CDC8EEEB7BEEC028F6D4A3EBFE62EB225C46532774BB155EF8A5037DACF9C8A8245047225B4C7D1C68449EA6502BE83F2DF4D27173A9F5534D784896A
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100% Antivirus: Joe Sandbox ML, Detection: 100%
Reputation:	low
Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Y...........@...........................Y.....*A$...@...........................Y.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... ..+..........$..............@...ycahdotv.....@?......&..............@...urypsrur......Y.......#.............@...........................................................................................................................................................................................................................

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Download File

Process:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
File Type:	ASCII text, with no line terminators
Category:	modified
Size (bytes):	13
Entropy (8bit):	3.085055102756477
Encrypted:	false
SSDEEP:	3:LEC:/
MD5:	4E5C5CB89626FA7D0EDCAF1228F50DA4
SHA1:	22C4A47291C45A696D94D7734F3D9F912C114325
SHA-256:	A17A5239385AA70374295DFE3E1BB1EAAAB1CCBD626A6ABBDED268D5A52EEB2D
SHA-512:	B32FF5F4B011D38228C943C40BD22F29E3904D5A3DC117A533EB23D4E81E991258F72E08100828361E431FD9BB82F7410BEA5AB687A274BC1E49CD58D456A8CC
Malicious:	false
Reputation:	low
Preview:	1721945890305

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.9651626019668145
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	LisectAVT_2403002A_228.exe
File size:	2'337'286 bytes
MD5:	ce5a350b93125774aa74515271c6d8ad
SHA1:	4e7f67212bd95ece241d4914be2cdbf9d5dc9573
SHA256:	5dbdcfb4702811e2f7cdac39ba83dccdc4a16dfa6b29a02b3879a1a70b3019dd
SHA512:	ca0ddd1cdc8eeeb7beec028f6d4a3ebfe62eb225c46532774bb155ef8a5037dacf9c8a8245047225b4c7d1c68449ea6502be83f2df4d27173a9f5534d784896a
SSDEEP:	49152:yb0//IOrbf7t6DpoXoY4huCcvZj8vL23ExBbmbJPJCdTk:ybgIOgDpoLsXij8jIJPJMk
TLSH:	94B533B1DE345312CE1F87751699966E1C942B720434EBFEA5C83E3B3A2F095CF1A258
File Content Preview:	MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.\|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{

File Icon


Icon Hash:	c769eccc64f6e2bb

Static PE Info

General

Entrypoint:	0x99c000
Entrypoint Section:	urypsrur
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x65FE94C6 [Sat Mar 23 08:37:26 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
push edi
mov dword ptr [esp], 572ECACCh
mov dword ptr [esp], esi
push edi
mov dword ptr [esp], eax
mov dword ptr [esp], 2DFA528Bh
mov dword ptr [esp], eax
push ebx
push esp
pop ebx
add ebx, 00000004h
sub ebx, 04h
xchg dword ptr [esp], ebx
pop esp
mov dword ptr [esp], ebx
call 00007F33ECE7D786h
int3
push dword ptr [esp]
pop eax
push edx
mov edx, esp
add edx, 00000004h
add edx, 04h
xchg dword ptr [esp], edx
pop esp
push ecx
mov ecx, esp
add ecx, 00000004h
sub ecx, 04h
xchg dword ptr [esp], ecx
pop esp
mov dword ptr [esp], eax
pop ebx
push ecx
mov ecx, FFFFFFFFh
add eax, 7BEFF931h
sub eax, ecx
sub eax, 7BEFF931h
pop ecx
push esi
mov esi, 001A8000h
add eax, 4DD76D87h
sub eax, esi
sub eax, 4DD76D87h
mov esi, dword ptr [esp]
add esp, 00000004h
sub eax, 0DB90032h
add eax, 0DB90000h
cmp byte ptr [ebx], FFFFFFCCh
jne 00007F33ECE7D81Ah
push eax
push ebx
mov bh, 21h
push cx
mov ch, 21h
sub bh, ch
pop cx
mov al, bh
pop ebx
mov byte ptr [ebx], al
pop eax
mov ebx, 3DDF79B0h
inc ebx
push ebx
push ebp
pop ebx
pop ebp
not ebp
xchg ebx, ebp
sub ebx, 4FEDA7B6h
and ebx, 3FDE80A4h

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x5993a8	0x4c	ycahdotv
IMAGE_DIRECTORY_ENTRY_IMPORT	0x13b055	0x69	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x138000	0x2b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x13b1f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x137000	0x90600	b55b71c2043ab40ff0035bc71a4121e1	False	0.9992069128787879	data	7.988928375890931	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x138000	0x2b58	0xc00	8a37ca7557530049471ab63bec9a1af7	False	0.8401692708333334	data	7.035166645143444	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x13b000	0x1000	0x200	745dea56938759dccaf9e183aa01b020	False	0.146484375	data	0.998472215956371	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x13c000	0x2b8000	0x200	13e3decc9ef08adfec4ff09b3b762cd2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ycahdotv	0x3f4000	0x1a8000	0x1a8000	b3a315c6f67b8c5d3d3d119b10643342	False	0.9896050219265919	data	7.949088772265462	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
urypsrur	0x59c000	0x1000	0x400	14bc9c4a12da57b8d3c38934d739ab56	False	0.71875	data	5.796848375085057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5993f4	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	Russian	Russia	0.1892116182572614
RT_GROUP_ICON	0x59b99c	0x14	data	Russian	Russia	1.15
RT_VERSION	0x59b9b0	0x2e4	data	Russian	Russia	0.4689189189189189
RT_MANIFEST	0x59bc94	0x17d	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5931758530183727

Imports

DLL	Import
kernel32.dll	lstrcpy

Exports

Name	Ordinal	Address
Start	1	0x466e80

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	Protocol	SID	Signature	Source Port	Dest Port	Source IP	Dest IP
2024-07-25T22:24:05.139725+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49731	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:24.342287+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49740	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:12.593647+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49735	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:15.575871+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49735	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:08.131869+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49731	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:00.403951+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49730	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:08.131731+0200	TCP	2046269	ET MALWARE [ANY.RUN] RisePro TCP (Activity)	49732	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:51.619679+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49741	40.68.123.157	192.168.2.4
2024-07-25T22:23:57.416907+0200	TCP	2049060	ET MALWARE RisePro TCP Heartbeat Packet	49730	58709	192.168.2.4	193.233.132.74
2024-07-25T22:24:13.208194+0200	TCP	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	443	49733	40.68.123.157	192.168.2.4

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jul 25, 2024 22:23:57.389735937 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:23:57.395093918 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 22:23:57.395277977 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:23:57.416907072 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:23:57.421960115 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:00.403950930 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:00.408853054 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:05.113605976 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.117317915 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.118588924 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:05.118670940 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.122208118 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:05.122270107 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.139724970 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.140465021 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:05.144505024 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:05.145281076 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:08.131731033 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:08.131869078 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:08.137083054 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:08.137151957 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:12.556581020 CEST	49735	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:12.561547041 CEST	58709	49735	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:12.561629057 CEST	49735	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:12.593647003 CEST	49735	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:12.605525970 CEST	58709	49735	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:15.575870991 CEST	49735	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:15.580918074 CEST	58709	49735	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:18.756926060 CEST	58709	49730	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:18.757280111 CEST	49730	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:21.324589014 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:21.333573103 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:21.333697081 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:21.358338118 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:21.363604069 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:24.342287064 CEST	49740	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:24.347750902 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:26.500253916 CEST	58709	49731	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:26.500509024 CEST	49731	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:26.517926931 CEST	58709	49732	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:26.518088102 CEST	49732	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:34.081971884 CEST	58709	49735	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:34.082101107 CEST	49735	58709	192.168.2.4	193.233.132.74
Jul 25, 2024 22:24:42.704160929 CEST	58709	49740	193.233.132.74	192.168.2.4
Jul 25, 2024 22:24:42.704272032 CEST	49740	58709	192.168.2.4	193.233.132.74

Target ID:	0
Start time:	16:23:51
Start date:	25/07/2024
Path:	C:\Users\user\Desktop\LisectAVT_2403002A_228.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\LisectAVT_2403002A_228.exe"
Imagebase:	0x660000
File size:	2'337'286 bytes
MD5 hash:	CE5A350B93125774AA74515271C6D8AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.1692149200.0000000004E90000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	1
Start time:	16:23:56
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Imagebase:	0x590000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	16:23:56
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	16:23:56
Start date:	25/07/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Imagebase:	0x590000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	16:23:56
Start date:	25/07/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	16:23:58
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x90000
File size:	2'337'286 bytes
MD5 hash:	CE5A350B93125774AA74515271C6D8AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000005.00000003.1767150400.00000000052C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	16:23:58
Start date:	25/07/2024
Path:	C:\ProgramData\MPGPH131\MPGPH131.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\MPGPH131\MPGPH131.exe
Imagebase:	0x90000
File size:	2'337'286 bytes
MD5 hash:	CE5A350B93125774AA74515271C6D8AD
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.1766573230.0000000004950000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	7
Start time:	16:24:07
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x1a0000
File size:	2'337'286 bytes
MD5 hash:	CE5A350B93125774AA74515271C6D8AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.1846088953.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Avira Detection: 100%, Joe Sandbox ML
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	16:24:15
Start date:	25/07/2024
Path:	C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Imagebase:	0x1a0000
File size:	2'337'286 bytes
MD5 hash:	CE5A350B93125774AA74515271C6D8AD
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000003.1923737159.0000000004AD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	2.7%
Dynamic/Decrypted Code Coverage:	3%
Signature Coverage:	2.6%
Total number of Nodes:	626
Total number of Limit Nodes:	61

Executed Functions

Function 0067E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 0067E0CB
socket.WS2_32(?,?,?), ref: 0067E17F
connect.WS2_32(00000000,?,?), ref: 0067E193
closesocket.WS2_32(00000000), ref: 0067E19E

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: f33b47496da6a7008d4213df58c163c01d6bdc89d68335f1b9169eb7e70f1333
Instruction ID: 89591955219a7e0a3c147fa799b6a32b0d4610f0da6cce392adf32b2165a710d
Opcode Fuzzy Hash: f33b47496da6a7008d4213df58c163c01d6bdc89d68335f1b9169eb7e70f1333
Instruction Fuzzy Hash: 8631E6716043009BD7209F25C84976BB7E6EB89334F404F5DF9A8A23D0D33699088BA2

Function 006C3A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,006C3DB6), ref: 006C3B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,006C3DB6), ref: 006C3BBA

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 7c04d1678f462eaccc1a08c27865e273deb3eca2ec26ddf59d4caa4c256e7e40
Instruction ID: 4e563bfb87b1afdb8750f6c397bf936c9b40f99ad7cc0cdf1db5d18d530b1e19
Opcode Fuzzy Hash: 7c04d1678f462eaccc1a08c27865e273deb3eca2ec26ddf59d4caa4c256e7e40
Instruction Fuzzy Hash: CF519935A042299FCB24CF98C8D0FBAB7B2EF55704B29859ED445AB351D731EE05CB80

Function 05130A73 Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(000000F1), ref: 05130AD1

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fe97e979b03f463a44f515f3302a05003ceaa0abc720f2e0f1c61e25d7b4fc21
Instruction ID: 80d2042075e8ffd1445d0fe3449f05f71a89716c64526fad12801c16fdad85b2
Opcode Fuzzy Hash: fe97e979b03f463a44f515f3302a05003ceaa0abc720f2e0f1c61e25d7b4fc21
Instruction Fuzzy Hash: 9D4180EF54C215BDF22AC1412B7AAF657EFD6DA7307328467F807D650AE3850A4D1031

Function 0073F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0066220E

Strings

`!f, xrefs: 00662216
`!f, xrefs: 006621FC

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f
API String ID: 2659868963-2207376674
Opcode ID: 81946be53899768fa2af59dc3972c378b2fdf8944d93f11835da37dfda107001
Instruction ID: ae7206aee93cba560999233a15bb18bfae0684a265f36f7d04ca412f55f54940
Opcode Fuzzy Hash: 81946be53899768fa2af59dc3972c378b2fdf8944d93f11835da37dfda107001
Instruction Fuzzy Hash: 28012B7540430DEBCB24AF98E80699A77ECAB04360F404439FE19DB692EB74E96487D1

Function 00744942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Ot, xrefs: 00744A93, 00744A61, 00744AAB, 00744AC7

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: Ot
API String ID: 0-3529488939
Opcode ID: afd9d19ac9d7468ba473f79cba0ba898873926be17af783f8231372baea39a40
Instruction ID: 3e5287382474039c4eca1ad66060e10b31c9613e8c9ec1552b8ec1e819e9c1b3
Opcode Fuzzy Hash: afd9d19ac9d7468ba473f79cba0ba898873926be17af783f8231372baea39a40
Instruction Fuzzy Hash: 9051BF70B40208EFDF14CF58CC85BAABBA1EF49364F24C159F8599B252D335AE41EB94

Function 00754623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03aba45fa24f0c7562dbcb0b5d5fb0d5e9b97caf7d08174e5fa37fecce9a5651
Instruction ID: c6f9abca2130b8801e0e7a029977ffbd6b0dc7dd7f0d4361bedb88c0d3b50fd0
Opcode Fuzzy Hash: 03aba45fa24f0c7562dbcb0b5d5fb0d5e9b97caf7d08174e5fa37fecce9a5651
Instruction Fuzzy Hash: 50B10774A04245EFDB11DFA8D845BEEBBB1BF45309F144159EC4097282D7F8AD8ACB60

Function 05130AE0 Relevance: 1.8, APIs: 1, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(000000F1), ref: 05130AD1

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: cd506555b4c6bafd282a968737027e1e1cd111aa2452c683b7a76e2921f0d773
Instruction ID: 4d229194914ad5b1a94254a67b66dba4d9f5d197b15afda900486f14a32d788f
Opcode Fuzzy Hash: cd506555b4c6bafd282a968737027e1e1cd111aa2452c683b7a76e2921f0d773
Instruction Fuzzy Hash: AB51D7EF54C214AEF32AC1512B7EAF66BEED6DA73033284ABF407D6146E3854A4D4131

Function 05130A81 Relevance: 1.7, APIs: 1, Instructions: 243
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(000000F1), ref: 05130AD1

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e1c9f7610d27955ab19ee0056127174c0e6488e0379e60663b14bda07382ba7c
Instruction ID: 0d773e6bd12ae92c5011ea1bff979e2d95fb1d5207e1df8ca77e1a2383656b08
Opcode Fuzzy Hash: e1c9f7610d27955ab19ee0056127174c0e6488e0379e60663b14bda07382ba7c
Instruction Fuzzy Hash: 134192EF54C214BDF22AC1412B7AAF69BEFD6DA7303328867F807D6506E7850A4D5031

Function 0066A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0066A343

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 57ae2b9fa2849966f2bbd28727f428a203389f7c45c6d2553a1f11ddfb2dcb5b
Instruction ID: b8b7b08a0b98c76c19387d18d546714687046235d3b93ef145c9daf5a01fb430
Opcode Fuzzy Hash: 57ae2b9fa2849966f2bbd28727f428a203389f7c45c6d2553a1f11ddfb2dcb5b
Instruction Fuzzy Hash: 6B710570900204EBDB14DFA8DC49BAEBBE9EF41704F10456DF815EB782D7B99A41CB92

Function 05130AFE Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(000000F1), ref: 05130AD1

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 716898e054ad46e3b4206f546747739224a25274ba8a7ccc3359168ddea7c8aa
Instruction ID: 6144b0d67c1ba6e4b15f19dc749e9f4a50913306a0cd271819c79e9851515199
Opcode Fuzzy Hash: 716898e054ad46e3b4206f546747739224a25274ba8a7ccc3359168ddea7c8aa
Instruction Fuzzy Hash: C741B0EF14C214ADF22AC1412B7EAF667EEE6DA7303328867F807D650AE3854A4D4031

Function 05130ACC Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(000000F1), ref: 05130AD1

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 4f47a5db72aa5c3298c2f009d108abd35b437eb8ab2c02ab0c1d24d9e2516469
Instruction ID: b58cae883addbd3ea2d9eb241a37f3c3d7697fcca492b3a36e286184580de29b
Opcode Fuzzy Hash: 4f47a5db72aa5c3298c2f009d108abd35b437eb8ab2c02ab0c1d24d9e2516469
Instruction Fuzzy Hash: 364192EF54C114ADE229C2412B7EAF657EFE6DA7307328866F807D150AE7854A4D5031

Function 0075549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00749087,?,00000000,00000000,00000000,?,00000000,?,0066A3EB,00749087,00000000,0066A3EB,?,?), ref: 00755621

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 8ebcc8919e8121a63f266c60759a6bce6ea63c99926e9c0293f4676e7ae05da0
Instruction ID: 223d123e507414878a49e3ea842199088ccb2039de21be772ae94d09c55c9442
Opcode Fuzzy Hash: 8ebcc8919e8121a63f266c60759a6bce6ea63c99926e9c0293f4676e7ae05da0
Instruction Fuzzy Hash: 2661C271D00559AFDF11DFA8C894EEEBBBAEF09305F140149EC00A7255D7BAD919CBA0

Function 006D0560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 006D06AE

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 56aa59fe3d135c6c610207b554944d21219032208f2f75ca222ea0bcd14b98ed
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: D9410672E00114DBDB15EF68DD806AE7BA6AF89350F1402AAFC05DB346D730DE618BE1

Function 00754B12 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,007549F9,00000000,CF830579,00791140,0000000C,00754AB5,00748BBD,?), ref: 00754B68

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2570f7b5daf07c6b58ee6d5bf1437fd564c1f2d1a9a0d032062a98c76f4340d0
Instruction ID: e8393ca93a46f585e96fbbe29539b5ec131be3dbbd9a71eb960589ccafbd0fa5
Opcode Fuzzy Hash: 2570f7b5daf07c6b58ee6d5bf1437fd564c1f2d1a9a0d032062a98c76f4340d0
Instruction Fuzzy Hash: 3E116B73A4415466D72523346809BFE678ACB827BAF29031DFC048B1C2EEFDDCC94155

Function 0074E05C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,00790DF8,0066A3EB,00000002,0066A3EB,00000000,?,?,?,0074E166,00000000,?,0066A3EB,00000002,00790DF8), ref: 0074E098

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e38227b18c76bab3017228781c5cb66e78586fa020053dcf4cde0a5f1846ca6a
Instruction ID: 9811deaad074255088a3e50390237c8e85042b2a72a8bff32acd2618bcf9a16c
Opcode Fuzzy Hash: e38227b18c76bab3017228781c5cb66e78586fa020053dcf4cde0a5f1846ca6a
Instruction Fuzzy Hash: 7601C432610155AFCF159F59DC09C9E7B69EB81370B340248F8609B2A1E7B5ED518B90

Function 007563F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,007491F7,00000000,?,00755D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0074D244,007489C3,007491F7,00000000), ref: 00756434

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 6576fa4872485cc277949ac1750f32f8fe288b9ecd6d65b3eabb9fd03ca5b6e0
Instruction ID: 7c64d7dee444d5a9956b915c3517c8737170c36c4872c9282bd85e17dd3abddd
Opcode Fuzzy Hash: 6576fa4872485cc277949ac1750f32f8fe288b9ecd6d65b3eabb9fd03ca5b6e0
Instruction Fuzzy Hash: 34F0E031905164A6DB217B669C067DB37496F41773FA58011EC0497090CBF8DE0946F1

Function 00756E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0075D635,4D88C033,?,0075D635,00000220,?,007557EF,4D88C033), ref: 00756E60

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 2b2e66b5d539bebc5225bb130687269fe58df1f338b91a845fa385a27da70166
Instruction ID: c49ff64eef0724dac35613c38eacc2a2fe494828a52e38ed4f0f67b465d85228
Opcode Fuzzy Hash: 2b2e66b5d539bebc5225bb130687269fe58df1f338b91a845fa385a27da70166
Instruction Fuzzy Hash: 78E0ED3A102621A6DA3022A9EC06BDB7648BB927A3F850521EC04930D0CBECCC0881A8

Function 05140259 Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135642819.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2de2cb8a4d657b6657e10ac9ad74b2572539ddc4c6758f7136d586490ee4645
Instruction ID: df5da9297357dc5fe84cb0d4370537123f6ec2de7ffb21d94fef48a1f887afdd
Opcode Fuzzy Hash: c2de2cb8a4d657b6657e10ac9ad74b2572539ddc4c6758f7136d586490ee4645
Instruction Fuzzy Hash: 1B2192EB14C2107EB216C1922A58EFB6B6EE6DB730332942BF902C9546D39E0A4E5571

Function 051402C0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135642819.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6de3581bc7a2586adb2f99fb790f337878c016a400b07af1ee6df61e939698f7
Instruction ID: 0258e1f456a499410910e055d9be6f79f2c916c2d38a262668c2aee693372030
Opcode Fuzzy Hash: 6de3581bc7a2586adb2f99fb790f337878c016a400b07af1ee6df61e939698f7
Instruction Fuzzy Hash: E001C9EB148120BD7156D1962B28EFB5B6EE1D6730332C42BF907C5546E3990A4D6431

Function 0514030A Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135642819.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 871ca6400e2b946d1932c2a553d3382493219656948701a98f171fd392a03d2a
Instruction ID: 6808802a933432dd8f811296515e6472f3a99ad3ab27d65a12469b66a34dc3f2
Opcode Fuzzy Hash: 871ca6400e2b946d1932c2a553d3382493219656948701a98f171fd392a03d2a
Instruction Fuzzy Hash: EFF0C9EB148210BD7156D1923B28EFB6B6EE1C7730331892BF943C5546E3890A4D6432

Function 05140319 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135642819.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e6f20920947449d5804aba66ea9f6a58ff103af9e27c391ee2b93605f98091
Instruction ID: 72208ee7882de6cc1f0485e6b15bec1acb1ba7f8e8807cc7e6b0520606ec25de
Opcode Fuzzy Hash: 03e6f20920947449d5804aba66ea9f6a58ff103af9e27c391ee2b93605f98091
Instruction Fuzzy Hash: 87F0E7EB148510BDB046D1923F28EFBAB6EE1C6730331C92BF843C5546E3890A4D6432

Function 05140340 Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135642819.0000000005140000.00000040.00001000.00020000.00000000.sdmp, Offset: 05140000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5140000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 336c827f069fb03c9451a009af5dadcf887ba305d19d3f80d3f965e972403a15
Instruction ID: f89e32fb8124fc4504b093f5116bac97ad7a8defbdfb3ccde7a3c1d5c428ff00
Opcode Fuzzy Hash: 336c827f069fb03c9451a009af5dadcf887ba305d19d3f80d3f965e972403a15
Instruction Fuzzy Hash: 09F0D4EB14C1107D7056D1923B29AFAAB2EE1C37343318927F443C1987E3C90A4E6432

Non-executed Functions

Function 00679F50 Relevance: 16.1, Strings: 11, Instructions: 2331COMMON

Download Yara Rule

Strings

,, xrefs: 0067A6AF
$, xrefs: 0067BD6D
,, xrefs: 0067A5D2
., xrefs: 0067AB30
:, xrefs: 0067A097
., xrefs: 0067B0E2
type must be boolean, but is , xrefs: 0067BF3C, 0067BF6D, 0067C02B
%s|%s, xrefs: 0067A198
|Ny, xrefs: 0067A2D3
131, xrefs: 0067A178, 0067A17F, 0067A190
|Ny, xrefs: 0067A321

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: $$%s|%s$,$,$.$.$131$:$type must be boolean, but is $|Ny$|Ny
API String ID: 0-2705838571
Opcode ID: 970d7495ce5e7183850099c7c7e238d663871dd2b22c9f62ed301253becbe355
Instruction ID: ccce78d0e5c7c6bbb6e626dfaa132027ef16bf343f0f5970c0dd62d44db52ae5
Opcode Fuzzy Hash: 970d7495ce5e7183850099c7c7e238d663871dd2b22c9f62ed301253becbe355
Instruction Fuzzy Hash: C623BE70D002588FDB29DF68C858BEDBBB6EF05300F14819DE449AB392DB359A85CF95

Function 006D73F0 Relevance: 7.9, APIs: 3, Strings: 1, Instructions: 897COMMON

Download Yara Rule

Strings

unordered_map/set too long, xrefs: 006D78C7

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: unordered_map/set too long
API String ID: 0-306623848
Opcode ID: 672ab6accc8b543953b88e16e7be94248224f42b2ec6020e2d798ed33474600e
Instruction ID: 80abd5362dcb06e26ef6d0c61a066c617d8d92215ffac7fb94bd340a7603dd2a
Opcode Fuzzy Hash: 672ab6accc8b543953b88e16e7be94248224f42b2ec6020e2d798ed33474600e
Instruction Fuzzy Hash: 99626375E046099FCB14DF68C88069DFBB6FF48310F24866AE819AB395E730ED51CB91

Function 007484A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 44cdc96652ee4aaff86904d06bb62eac9ce26abdd3268507188d13741d24f025
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 6F024B71E00219DBDF54CFA8C8806AEFBF5FF48314F258269D919E7381DB35A9418B91

Function 006D50B0 Relevance: 5.3, Strings: 4, Instructions: 268COMMON

Download Yara Rule

Strings

/Kim, xrefs: 006D52C2
type must be number, but is , xrefs: 006D5241
type must be string, but is , xrefs: 006D5114
/Kim, xrefs: 006D52A9

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
API String ID: 0-1144537432
Opcode ID: 2f35932d627d7810249d034e8ddf9262c3f5bfde46febbff959a7d24c0a08b35
Instruction ID: f86c3b1d90ba0f0d99b5245bd7247c785cb8684724f866c846ffe1de655b2fb9
Opcode Fuzzy Hash: 2f35932d627d7810249d034e8ddf9262c3f5bfde46febbff959a7d24c0a08b35
Instruction Fuzzy Hash: 88913A71E006089FCB08CF6CD8557DDBBAAEB88310F14826EE81AD7791E7799D05CB84

Function 006691A0 Relevance: 4.9, Strings: 3, Instructions: 1146COMMON

Download Yara Rule

Strings

\, xrefs: 00669528
/, xrefs: 006694E2
/\/, xrefs: 0066956A, 0066959C

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: /$/\/$\
API String ID: 0-1523196992
Opcode ID: 89309097bdbaa7ea50148df00edab1657010fdebc1ce99e8b5130e5c71420afb
Instruction ID: 3d4912c1db68ae60d05a50d80a20bfe33f5f0940d1c62fa5ac7e70f8f958a4bd
Opcode Fuzzy Hash: 89309097bdbaa7ea50148df00edab1657010fdebc1ce99e8b5130e5c71420afb
Instruction Fuzzy Hash: 6A92E571D002499FDF19CFA8C8947EEBBBAEF45314F1442ADD845AB382E7315A46CB60

Function 006624F0 Relevance: 2.7, Strings: 2, Instructions: 221COMMON

Download Yara Rule

Strings

Ly, xrefs: 006626B7
Ly, xrefs: 006625C7

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: Ly$Ly
API String ID: 0-3580214937
Opcode ID: ee8a77dba6692929c6d5299f299a86099af97cb2e76cabd8b0ff328aa87cfffc
Instruction ID: 9e3b0d84c0b450af55212138e44bdd344155704c3bc5892c13e96aa5757c1a7c
Opcode Fuzzy Hash: ee8a77dba6692929c6d5299f299a86099af97cb2e76cabd8b0ff328aa87cfffc
Instruction Fuzzy Hash: C47104B4E009579FDB24CF68C8E1BFEBBB6EB1A300F044169D855E7742C7289906C7A4

Function 00668D70 Relevance: 1.6, Strings: 1, Instructions: 327COMMON

Download Yara Rule

Strings

File, xrefs: 00668F73

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: File
API String ID: 0-749574446
Opcode ID: 151b0fd3bcd8bc3407a2bce97c4b3aa6a7af9e7e62e4b29fdce6e1605946ba58
Instruction ID: d57a591ac6cd46c03471cd0344b04c4e7aae02ca947780a1438270fdfe64043f
Opcode Fuzzy Hash: 151b0fd3bcd8bc3407a2bce97c4b3aa6a7af9e7e62e4b29fdce6e1605946ba58
Instruction Fuzzy Hash: 62C1A070D00259DEEF24DFA4DC89BEEBBBAEF05300F10406DE905AB282DB759945CB65

Function 0074BEAF Relevance: 1.5, Strings: 1, Instructions: 293COMMON

Download Yara Rule

Strings

0, xrefs: 0074C01F

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID: 0
API String ID: 0-4108050209
Opcode ID: 27a96bdb271f713a54386b53d44c1276f4ac72084652c4e8980b347f6e86fcf1
Instruction ID: 08c8597568fe12275b3798a60f2a775b87b0b25ae2efee73bed789f3bc4d361b
Opcode Fuzzy Hash: 27a96bdb271f713a54386b53d44c1276f4ac72084652c4e8980b347f6e86fcf1
Instruction Fuzzy Hash: 6DB1E07490164ACFDB66CF68C884ABAB7B1FF05300F244619D966A72A2D739EC49CF50

Function 0073F26A Relevance: 1.5, APIs: 1, Instructions: 16timeCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetSystemTimePreciseAsFileTime.KERNEL32(?,?,0073EC78,?,?,?,?,006740EB,?,006C3C2E), ref: 0073F283

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Time$FilePreciseSystem
String ID:
API String ID: 1802150274-0
Opcode ID: d4435c7a3ca9ac868bafe16c3ab436576b5e7f93abc14c5b36183659fff3fb0e
Instruction ID: 3a38f9c8c9e86396ec43d8685d67e94fb7ae017105777ab0deea7f311bccd121
Opcode Fuzzy Hash: d4435c7a3ca9ac868bafe16c3ab436576b5e7f93abc14c5b36183659fff3fb0e
Instruction Fuzzy Hash: B2D02233A02238D38A112BE0BC048AEBB18AA0AB907008136E80593214CA595C008BC8

Function 006E9880 Relevance: .7, Instructions: 748COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8dcc571f79b35ef6cd7f08b26c96ad0db8e33a125f218d9c6022d3c9f2b1f570
Instruction ID: 76413b926acdb1ffc65afe597c536cf8a8d895ee461e243a178a83726e10271a
Opcode Fuzzy Hash: 8dcc571f79b35ef6cd7f08b26c96ad0db8e33a125f218d9c6022d3c9f2b1f570
Instruction Fuzzy Hash: FA6272B0E013959FDB18CF9AC5846AEBBF2AF84304F2881ADD9049B346D735D946CF91

Function 0075F771 Relevance: .3, Instructions: 327COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c46cfed599879c375c2c797383806fca9c83e9d6604b1bef404a39cc82ff05a2
Instruction ID: ca7f37eac12162a10251d0a9c788abd63d8ec83626679d2853cffc573daae264
Opcode Fuzzy Hash: c46cfed599879c375c2c797383806fca9c83e9d6604b1bef404a39cc82ff05a2
Instruction Fuzzy Hash: F1B1E6355007459BDB389B24CC96BFBB3A8EB44309F14853DED86C6584EBB9B989CB10

Function 00759824 Relevance: .3, Instructions: 270COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb23b8ddaa471d251d08b6590ab980283731e32d47a4e3105af6b710b9890f3a
Instruction ID: 3add0e4de080667e3fb3d3714a84eef98c5924213f655ad4ac93746b6196c136
Opcode Fuzzy Hash: fb23b8ddaa471d251d08b6590ab980283731e32d47a4e3105af6b710b9890f3a
Instruction Fuzzy Hash: F5B13B31610608DFD715CF28C48ABA57BE0FF45365F29865CEA99CF2A1C379E985CB40

Function 006E6550 Relevance: .2, Instructions: 189COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc17075128a27b10b3ffac6d6e6daeb165f4f5d837751deddc5f0ade846d8e44
Instruction ID: 9645cdb875993d5c0a7bc9b50516a2f3902ae81a3bcd497e0a1db5179f58be60
Opcode Fuzzy Hash: dc17075128a27b10b3ffac6d6e6daeb165f4f5d837751deddc5f0ade846d8e44
Instruction Fuzzy Hash: 56618371710164CFD718CF1EECC45267352A78E389386822AEAC4D73A6C739F966C7A4

Function 006E55B0 Relevance: .2, Instructions: 187COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3dcc942d13e219507d254f669ef22d5292c4626908e3ffe0ed8eaab9a81111d5
Instruction ID: 64178cdce18b8182cde741d5f940ab639f30a74ebe6397acb8cc25fa467c1257
Opcode Fuzzy Hash: 3dcc942d13e219507d254f669ef22d5292c4626908e3ffe0ed8eaab9a81111d5
Instruction Fuzzy Hash: A88171B082439C9EDF18CF95D445AEEBFB9EF05304F50809ED452AB651D378520ACB66

Function 05130BA4 Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4135563814.0000000005130000.00000040.00001000.00020000.00000000.sdmp, Offset: 05130000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5130000_LisectAVT_2403002A_228.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbcd339b71423bb4878a59a3a4d7b209a506ffaaa171e6143115522b1257148a
Instruction ID: 708072deef65c0e6132dac18aefb0a3863a115eed3fee7504a40c7c40fb8caa0
Opcode Fuzzy Hash: dbcd339b71423bb4878a59a3a4d7b209a506ffaaa171e6143115522b1257148a
Instruction Fuzzy Hash: 44318FEF14C214BDF22AC1412B7AAFA97EFE6CA7307328867F807D551AE3854A4D5031

Function 00674100 Relevance: .2, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7df0d1ee623b98582a278c67bdfe5ccf561c0fef8c70a1484dbd265bbf7dd47
Instruction ID: 7d6a65f49f5ccb50ebb0a55e4f5122bc058fdef13adf4ada52ba571f33d826ef
Opcode Fuzzy Hash: a7df0d1ee623b98582a278c67bdfe5ccf561c0fef8c70a1484dbd265bbf7dd47
Instruction Fuzzy Hash: 9751AE71E002099FCB14DF98D885AEEBBB6FF48310F54856DE429A7341DB35AE44CBA4

Function 0074646A Relevance: .2, Instructions: 156COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction ID: a2527096350bd766bddc75a54a4e7f9389034632327bef679d52c1fbccb5a1ec
Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
Instruction Fuzzy Hash: 9B519072E00219EFDF14CF98C941AEEBBB2FF89310F198458E915AB201D7389A50DB91

Function 00742CE0 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction ID: c7d805c1eeace01661115665858e54d265479593f5292e97be250404f6ceedcd
Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
Instruction Fuzzy Hash: 44112BB7B4408243D6148A3DD8B46B7A395EFC93207ED437AF0428B75AD32AD9679D10

Function 006CF810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006CF833
std::_Lockit::_Lockit.LIBCPMT ref: 006CF855
std::_Lockit::~_Lockit.LIBCPMT ref: 006CF875
std::_Lockit::~_Lockit.LIBCPMT ref: 006CF89F
std::_Lockit::_Lockit.LIBCPMT ref: 006CF90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 006CF959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 006CF973
std::_Lockit::~_Lockit.LIBCPMT ref: 006CFA08
std::_Facet_Register.LIBCPMT ref: 006CFA15

Strings

"x, xrefs: 006CF96B, 006CF972
bad locale name, xrefs: 006CFA2F

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$"x
API String ID: 3375549084-3017787300
Opcode ID: 4397eedbca1d9260b8e538af95577fef4480a908f106e802977e9f362727d48b
Instruction ID: 77e395a9f3a236bbc606c0fc4682dc2ffd9686bdaca01fdfa62aeb1e68878d5b
Opcode Fuzzy Hash: 4397eedbca1d9260b8e538af95577fef4480a908f106e802977e9f362727d48b
Instruction Fuzzy Hash: 01616CB1D00248DBEF20DFA4D889BAEBBB6EF14310F144169E815A7342DB78A905CB91

Function 00663D10 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00663E7F

Strings

ios_base::badbit set, xrefs: 00663E17
ios_base::failbit set, xrefs: 00663D32
@3f, xrefs: 00663E84
@3f, xrefs: 00663DBE, 00663E9B
ios_base::eofbit set, xrefs: 00663E41, 00663E63
`!f, xrefs: 00663E70
G>f, xrefs: 00663DB8
G>f, xrefs: 00663D2B, 00663D67, 00663D6A

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3f$@3f$G>f$G>f$`!f$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-894825180
Opcode ID: 369998465c4d1a8cc7736f7b58e6d8bbf80e3c7f29420f8fc7faa0e0e6760832
Instruction ID: 320c36b54b090b10a29e6031f889b452628063637cdefe86080acd69aa5da6ec
Opcode Fuzzy Hash: 369998465c4d1a8cc7736f7b58e6d8bbf80e3c7f29420f8fc7faa0e0e6760832
Instruction Fuzzy Hash: BF41D2B2900218AFCB04DF68D845BEEBBF9EF49310F14852EF915D7741E774AA118BA4

Function 00742E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00742E47
___except_validate_context_record.LIBVCRUNTIME ref: 00742E4F
_ValidateLocalCookies.LIBCMT ref: 00742ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00742F03
_ValidateLocalCookies.LIBCMT ref: 00742F58

Strings

iy, xrefs: 00742F78
csm, xrefs: 00742EED

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: iy$csm
API String ID: 1170836740-1503127939
Opcode ID: e7afa8a886569c2e2a8fea078c934d148998f372dc0d6720f398279d6d30095b
Instruction ID: 56c2dc7abcb8535f9c6750c0a19d654dfcc65dd64dab95040d5a65e7eeba7a7f
Opcode Fuzzy Hash: e7afa8a886569c2e2a8fea078c934d148998f372dc0d6720f398279d6d30095b
Instruction Fuzzy Hash: DC41C730A00219EBCF10DF68D889A9EBBB5AF44314F548155F8189B353D73ADE66CB90

Function 00663DE0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00663E7F

Strings

ios_base::badbit set, xrefs: 00663E17
ios_base::failbit set, xrefs: 00663D32, 00663E1E
@3f, xrefs: 00663E84
@3f, xrefs: 00663DBE, 00663E9B
ios_base::eofbit set, xrefs: 00663E28, 00663E41, 00663E63
`!f, xrefs: 00663E70

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3f$@3f$`!f$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1762149872
Opcode ID: 9fb90eeb6974f268d49e2bdfe2f7a1f5bbf58f9d5c3f6bb31686e8c633a69be6
Instruction ID: 51b85e3ac239f2ae03652da08bd240d2428622f0c663520eab430e633a2159af
Opcode Fuzzy Hash: 9fb90eeb6974f268d49e2bdfe2f7a1f5bbf58f9d5c3f6bb31686e8c633a69be6
Instruction Fuzzy Hash: CD2108B29007156FC714EF58D805B96B7D9AF04310F18883AFA6987742E775EA218BE1

Function 00664C50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00664F72
___std_exception_destroy.LIBVCRUNTIME ref: 00664FFF
___std_exception_copy.LIBVCRUNTIME ref: 006650C8

Strings

@3f, xrefs: 006650CD
`!f, xrefs: 00664F6B, 00664FF8, 006650B9
recursive_directory_iterator::operator++, xrefs: 0066504C

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: @3f$`!f$recursive_directory_iterator::operator++
API String ID: 1206660477-3008882262
Opcode ID: d7729e0805e1cd0d40f4cc0ec177d391c5dcdf64f7f22f8f03b15b68b4ee7e17
Instruction ID: 16130382592a6580ef39a5e1df88a79b9e97abd588e622540aab377444b8f638
Opcode Fuzzy Hash: d7729e0805e1cd0d40f4cc0ec177d391c5dcdf64f7f22f8f03b15b68b4ee7e17
Instruction Fuzzy Hash: 4FE104B19006049FDB28DF68D845BAEF7FAFF44300F148A2DE45693B81DB75A904CBA5

Function 00667820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0066799A
___std_exception_copy.LIBVCRUNTIME ref: 00667B75

Strings

type_error, xrefs: 0066784A
`!f, xrefs: 006679A5, 00667B80
`!f, xrefs: 00667985, 00667B60
out_of_range, xrefs: 00667A27

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f$out_of_range$type_error
API String ID: 2659868963-2465812000
Opcode ID: 3ae5a2597eef9a40229b0fcd6710ba98d337426617aeb9a3d31b9cbffc9641f9
Instruction ID: c32f8e34a05569827d8c099ab3513182cc0b56726d3086eec570abfc8710742c
Opcode Fuzzy Hash: 3ae5a2597eef9a40229b0fcd6710ba98d337426617aeb9a3d31b9cbffc9641f9
Instruction Fuzzy Hash: C0C149B1D002089FDB18CFA8D88479DBBF6FF48314F148669E419EB752E7789981CB54

Function 00663190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 006632C6
___std_exception_destroy.LIBVCRUNTIME ref: 00663350

Strings

+4f, xrefs: 00663190
@3f, xrefs: 00663316
`!f, xrefs: 006632D1
`!f, xrefs: 006632AD, 00663349

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4f$@3f$`!f$`!f
API String ID: 2970364248-2676833062
Opcode ID: 93e1f843086a9c41d0cd6aa4ab61881ec1b41e5bd63b910551a12e11e66eb1f2
Instruction ID: 87eaf995a0c427e6c2c447a3f482a028279f70e8538b24f3bafc78c5fb3a1442
Opcode Fuzzy Hash: 93e1f843086a9c41d0cd6aa4ab61881ec1b41e5bd63b910551a12e11e66eb1f2
Instruction Fuzzy Hash: 52518F719002589FDB08CF98D895BEEBBFAFF49300F14812EE815A7391D7749A41CB91

Function 006639F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00663A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00663AA4
__Getctype.LIBCPMT ref: 00663ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00663AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00663B7B

Strings

bad locale name, xrefs: 00663B96

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: efcf5b3b3d555b56e13ae064c4a28c6365c6f5a659f82e116b68e7fbbe684787
Instruction ID: 97159b7953f53380caaa4460ef3ae901a739fb60cf35f0395be0832169b06520
Opcode Fuzzy Hash: efcf5b3b3d555b56e13ae064c4a28c6365c6f5a659f82e116b68e7fbbe684787
Instruction Fuzzy Hash: EB5132B1D00258DBEF10DFA4D985BDEBBB9AF14310F144069E849AB382E779DA04CB61

Function 006CDE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 006CDE93
std::_Lockit::_Lockit.LIBCPMT ref: 006CDEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 006CDED6
std::_Facet_Register.LIBCPMT ref: 006CDF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 006CDF63
Concurrency::cancel_current_task.LIBCPMT ref: 006CDF7B

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 5c248a3a78260ddbcfac89d18bad514499bd810e96f55620e22e8bde90022a5d
Instruction ID: ce762c1d8c957d2855da385ce0a0c07ffddd29ed07312c3afb756d330dc485f7
Opcode Fuzzy Hash: 5c248a3a78260ddbcfac89d18bad514499bd810e96f55620e22e8bde90022a5d
Instruction Fuzzy Hash: AD41CEB1900219DBCB24DF54D885BAEBBB5FB04720F14426DE8259B352D734AD01CBD5

Function 00666F40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00667340

Strings

`!f, xrefs: 0066734B
parse_error, xrefs: 00666F8B
`!f, xrefs: 00667328
parse error, xrefs: 00666FFF, 00667018

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f$parse error$parse_error
API String ID: 2659868963-584353518
Opcode ID: 403ec6b04ccbac44431bea8e22b6d6e936ecb98a957b1a0fd2f5eeacb4071ea9
Instruction ID: c8a1dafd9271a0b61ce485625b2cf07c075d8c9d79e3cf262102679418241785
Opcode Fuzzy Hash: 403ec6b04ccbac44431bea8e22b6d6e936ecb98a957b1a0fd2f5eeacb4071ea9
Instruction Fuzzy Hash: B9E15F709042489FDB18CF68C89479DBBB2BF49304F2482ADE419EB792D7749A81CF95

Function 006673B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 006675BE
___std_exception_destroy.LIBVCRUNTIME ref: 006675CD

Strings

at line , xrefs: 006673F7
`!f, xrefs: 006675B6, 006675C6
, column , xrefs: 00667434, 0066744A

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!f
API String ID: 4194217158-1819449957
Opcode ID: 7210caea310162375c77960381b8cce653ed08fbef21646031725b03972e44ad
Instruction ID: eaf085709aed2509e68456aed31151a4c04d8234c0f23dc1fc291b78a93d5c68
Opcode Fuzzy Hash: 7210caea310162375c77960381b8cce653ed08fbef21646031725b03972e44ad
Instruction Fuzzy Hash: EE612871A042049FDB08CF68DC88BADBBB6FF44304F24466CF416A7782DB74AA51CB95

Function 00663370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00663190: ___std_exception_copy.LIBVCRUNTIME ref: 006632C6

___std_exception_copy.LIBVCRUNTIME ref: 0066345F

Strings

+4f, xrefs: 006633B3, 00663410
@3f, xrefs: 00663464
@3f, xrefs: 006633F3, 0066347B
`!f, xrefs: 00663450

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4f$@3f$@3f$`!f
API String ID: 2659868963-506372394
Opcode ID: 61e156b2d5306be1661e46d0f193363d525f431851e5a3036cce9bb7350f643c
Instruction ID: 8671e7033bdd2bbc369f861590dc340c20fff519456ce9642b941e838a7aead3
Opcode Fuzzy Hash: 61e156b2d5306be1661e46d0f193363d525f431851e5a3036cce9bb7350f643c
Instruction Fuzzy Hash: 8B3183B19002099FCB18DFA8D845A9DFBF9FF08310F10852AE515E7751E774AA50CBA5

Function 00663410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0066345F

Strings

+4f, xrefs: 006633B3, 00663410
@3f, xrefs: 00663464
@3f, xrefs: 006633F3, 0066347B
`!f, xrefs: 00663450

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4f$@3f$@3f$`!f
API String ID: 2659868963-506372394
Opcode ID: 73334d14d3c747d9ca0c1f6eb0ff4c27fcabc3e8afe4dfc63cbf6f15fd62489e
Instruction ID: 3a5d13ed8d8c6e166310b34afcafcca9939551f3adb8b5ef5aeb2dec38c1364f
Opcode Fuzzy Hash: 73334d14d3c747d9ca0c1f6eb0ff4c27fcabc3e8afe4dfc63cbf6f15fd62489e
Instruction Fuzzy Hash: 1D01FFB6500209AFC704DFA9E445C96FBFDBF49310740843AEA2A97711E7B4E524CBA4

Function 00666C60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00666F11
___std_exception_destroy.LIBVCRUNTIME ref: 00666F20

Strings

[json.exception., xrefs: 00666CB8
`!f, xrefs: 00666F09, 00666F19

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.$`!f
API String ID: 4194217158-1755348418
Opcode ID: 5fa05a7ca1bc93ac98af6f96eadf68a4544ea157579b820edd1074dd32c84fbe
Instruction ID: 049d4f888b1c88889992dff279698877ea9fc510252901ab46e160e7d5ddeac5
Opcode Fuzzy Hash: 5fa05a7ca1bc93ac98af6f96eadf68a4544ea157579b820edd1074dd32c84fbe
Instruction Fuzzy Hash: 0591B470A002049FDB18CF68D984B9EBBF6FF45300F20866DF419AB792D775A941CB91

Function 00662270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 00662275

Part of subcall function 0073D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0073D6F5

Strings

Ly, xrefs: 00662427
Ly, xrefs: 00662347
string too long, xrefs: 00662270

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$Ly$Ly
API String ID: 1997705970-3208177595
Opcode ID: 749f7b4b71cd538df4d40f77eea0db4902642b43abf3f14df166b44c7fd736dd
Instruction ID: 85224480f71fde5ea2f3a0e912399aa25a4f28e15469b78413132aa8427566a1
Opcode Fuzzy Hash: 749f7b4b71cd538df4d40f77eea0db4902642b43abf3f14df166b44c7fd736dd
Instruction Fuzzy Hash: B9812675A046869FDB05CF68C460BEEBFF2EF5A300F1841AEC894A7742C7798546C7A0

Function 00667620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 006677B4

Strings

invalid_iterator, xrefs: 00667656
`!f, xrefs: 006677BF
`!f, xrefs: 0066779F

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f$invalid_iterator
API String ID: 2659868963-1141855991
Opcode ID: 71ff0cf9798dbaa2c3ac4fe7988f03101f01666660614e13f3a4498e73ea20ba
Instruction ID: 164c2d1d96048f2335b7fa17fed365a7550f3a262c7218c45cdb37b0def62588
Opcode Fuzzy Hash: 71ff0cf9798dbaa2c3ac4fe7988f03101f01666660614e13f3a4498e73ea20ba
Instruction Fuzzy Hash: 6F5139B09002489FDB18CFA8D89479DFBF2FB48314F14866DE419EB752E7789980CB94

Function 00667BE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00667D67

Strings

`!f, xrefs: 00667D72
other_error, xrefs: 00667C0A
`!f, xrefs: 00667D52

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f$other_error
API String ID: 2659868963-3990178052
Opcode ID: b29db21b0998f25e6dfb293927b4f777e66b930e531b8c5adb1ff9a79722c59f
Instruction ID: 2f7ce9bb08b524bc7439f3c03ddd68d9e52dc474ddea23e91442a73fc43306ca
Opcode Fuzzy Hash: b29db21b0998f25e6dfb293927b4f777e66b930e531b8c5adb1ff9a79722c59f
Instruction Fuzzy Hash: C3515CB0D002488FDB18CFA8D8847ADBBF2FF48304F248669E459EB752D7789981CB55

Function 006CD050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 006CD06F
___std_exception_copy.LIBVCRUNTIME ref: 006CD096

Strings

`!f, xrefs: 006CD09B
`!f, xrefs: 006CD060, 006CD085

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f
API String ID: 2659868963-2207376674
Opcode ID: bf5bede58ee9f0301537d68714dde94c7d3dc11bd6d5d6e062eddca5f82d9ba3
Instruction ID: 4a4754b3506ca72f568a64690b5404401f52a96a0d57c271c89bbdd1b8611c16
Opcode Fuzzy Hash: bf5bede58ee9f0301537d68714dde94c7d3dc11bd6d5d6e062eddca5f82d9ba3
Instruction Fuzzy Hash: 2A01A8B6500605AF8704DF59D409882FBF8FB48710301853BE92AC7B11D7B4E528CFA0

Function 006DB3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 006DB3DF
___std_exception_copy.LIBVCRUNTIME ref: 006DB406

Strings

`!f, xrefs: 006DB40E
`!f, xrefs: 006DB3D0, 006DB3F5

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f
API String ID: 2659868963-2207376674
Opcode ID: 3b8fc986330f9440f775df20662fb20d2ad23589f8c88a3ee4da2c8eecbe29f0
Instruction ID: 50fdf3dba2f747abe2c5011f02ad75e458b7653a9139386d1ae666768ed25172
Opcode Fuzzy Hash: 3b8fc986330f9440f775df20662fb20d2ad23589f8c88a3ee4da2c8eecbe29f0
Instruction Fuzzy Hash: 6CF0C9B6500605AF8704DF54E409886BBE8FB44710301853BE52ACBB11E7B4E524CFA4

Function 006DB450 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 006DB612

Strings

Pxm, xrefs: 006DB456, 006DB5BA, 006DB5F3, 006DB54A, 006DB4F1
invalid hash bucket count, xrefs: 006DB60D

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: Pxm$invalid hash bucket count
API String ID: 909987262-1747986253
Opcode ID: c9aa73ec7033dbd1eb423bead37d9243106224b7c3463d961b5a1d54ae4257e0
Instruction ID: fe561c73fe0da1906f22cbbd223d8b932fda5e5c2f95bf044f8b8d0742895611
Opcode Fuzzy Hash: c9aa73ec7033dbd1eb423bead37d9243106224b7c3463d961b5a1d54ae4257e0
Instruction Fuzzy Hash: 7571E1B5A00605DFCB14CF49D180869FBF6FF89310725C5AAD8599B359D731EA42CF90

Function 006DE440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 006DE491

Strings

type must be boolean, but is , xrefs: 006DE582
type must be string, but is , xrefs: 006DE4F8

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 1eb23897b908e168d79d3607fe00b945f1a50f612181dd00cbc10341e7f65022
Instruction ID: 7ddf8f3d1d2e1a2bd103929b8815c3b1f3788593e1ef82955edcd49037a806ea
Opcode Fuzzy Hash: 1eb23897b908e168d79d3607fe00b945f1a50f612181dd00cbc10341e7f65022
Instruction Fuzzy Hash: E4417EB1D00248AFDB14FBA4D812FAE77AADB00310F14467DF419DB782EB3AA910C395

Function 00663050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00663078

Strings

`!f, xrefs: 00663080
`!f, xrefs: 00663063

Memory Dump Source

Source File: 00000000.00000002.4129219697.0000000000661000.00000040.00000001.01000000.00000003.sdmp, Offset: 00660000, based on PE: true

Associated: 00000000.00000002.4129153779.0000000000660000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129219697.0000000000793000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129423468.0000000000798000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.000000000079C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000918000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A06000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A3D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A46000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4129455815.0000000000A54000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130021296.0000000000A55000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.4130283659.0000000000BFC000.00000040.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_660000_LisectAVT_2403002A_228.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!f$`!f
API String ID: 2659868963-2207376674
Opcode ID: e0cc09a460aede515c02d464330e08a63ee95165a5df9cd0c60ac7e2c85cf0e4
Instruction ID: 60439676527264f8e28e1c3ae8a60a40d90d8d2803c04cf111900cc83c3dca87
Opcode Fuzzy Hash: e0cc09a460aede515c02d464330e08a63ee95165a5df9cd0c60ac7e2c85cf0e4
Instruction Fuzzy Hash: 9FE012B29013089BC710DFA8E8059CAFFF8AB59701F0186BAE949D7301F7B4D9648BD5

Analysis Process: MPGPH131.exePID: 4948, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.6%
Dynamic/Decrypted Code Coverage:	0.8%
Signature Coverage:	0%
Total number of Nodes:	612
Total number of Limit Nodes:	61

Executed Functions

Function 000F3A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,000F3DB6), ref: 000F3B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,000F3DB6), ref: 000F3BBA

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: f219dae2e6c8b0f2b98327ddcd71d2fad512c10ac4dae119ae4fe311b8b8a247
Instruction ID: b3e39cc548b63e73fb1b36480fd3abfa39784650e7bc013b68c707b37e66a860
Opcode Fuzzy Hash: f219dae2e6c8b0f2b98327ddcd71d2fad512c10ac4dae119ae4fe311b8b8a247
Instruction Fuzzy Hash: 3151C835A042199FCB24CF48C8E0EBAB3F1FF45724B28449AD645ABB52D731EE45DB80

Function 000AE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 000AE0CB
socket.WS2_32(?,?,?), ref: 000AE17F
connect.WS2_32(00000000,?,?), ref: 000AE192
closesocket.WS2_32(00000000), ref: 000AE19E

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: bd064e6b59ae72d2492c865ed5204ba742d4cdfbebd424a64dcd73f10acf90cf
Instruction ID: ae71126c9b29429cecfa57858da9ba01f4d22369f7c75808555861bc06546652
Opcode Fuzzy Hash: bd064e6b59ae72d2492c865ed5204ba742d4cdfbebd424a64dcd73f10acf90cf
Instruction Fuzzy Hash: C031C4712053106BD7209F65CC44B6BB7E4EBC6774F104F1DF9A8A62D0D37599048BA2

Function 0016F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009220E

Strings

`!, xrefs: 00092216
`!, xrefs: 000921FC

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: 8aed841b473b68f9eb65007730c7a68ac4ce50a3379f920c45c457fb712e03d7
Instruction ID: f63029ce59ff315aed0f986e4315aafc3869fedc89a889a500b891b6c5183d56
Opcode Fuzzy Hash: 8aed841b473b68f9eb65007730c7a68ac4ce50a3379f920c45c457fb712e03d7
Instruction Fuzzy Hash: F601F27650030DBBCB18AFA9EC0299977AC9B10320B50843DFA18DB691EB30E9658B91

Function 00184623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4189a1843ddcb18fa91d2d61c7cbc4d402d0da8b0fc2c5c6809ea4f8ccf1cea
Instruction ID: 8b26312458cc7fc49e7d5d69ee179ade576958be4af9200aa931068dc77834c9
Opcode Fuzzy Hash: f4189a1843ddcb18fa91d2d61c7cbc4d402d0da8b0fc2c5c6809ea4f8ccf1cea
Instruction Fuzzy Hash: 95B1E670E0428AAFDF15EFA8D841BBEBBB1AF5A314F144159E44497292CF719E42CF50

Function 055605E4 Relevance: 1.8, APIs: 1, Instructions: 315
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e4213f549673fb68b1deaa2aed35726a9ce040a60839f94da7e7081b34fab3e
Instruction ID: c25afe5ab3e39d2fa87d8b9eefd20ed96fc6e0437c770eec05a4a17999320991
Opcode Fuzzy Hash: 9e4213f549673fb68b1deaa2aed35726a9ce040a60839f94da7e7081b34fab3e
Instruction Fuzzy Hash: 4351B3EB64D191BD7102C1422F68EFB676FF6D6730330882BF407C7592E6984E8A51B2

Function 05560658 Relevance: 1.8, APIs: 1, Instructions: 305
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 575b7574f4d80fd7b4e39822e6d3ab7b6af09ad91af73bd56f8a95c95e2e673e
Instruction ID: 66c40f1923d687bc85e6c9368ff9c09721ebc267f7230c73b567ad04b7f6cb68
Opcode Fuzzy Hash: 575b7574f4d80fd7b4e39822e6d3ab7b6af09ad91af73bd56f8a95c95e2e673e
Instruction Fuzzy Hash: F2519CEB64D1A5BC7512C0822F68AFB176FF2C67703308827F407C7592E6C84E8A51B2

Function 0556068A Relevance: 1.8, APIs: 1, Instructions: 265
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 57dc4235a79af62dca3bedfd70af74602f826ead67381398c34104925a9d568c
Instruction ID: 51274c74405a9de25260a946aa6875ecf22dcc27820832f0018c76365cc26ab6
Opcode Fuzzy Hash: 57dc4235a79af62dca3bedfd70af74602f826ead67381398c34104925a9d568c
Instruction Fuzzy Hash: 0951BFEB64D295BDB202C0422F68AFB176FE6C6730730883BF407C7592E2844E8A51B1

Function 055606F0 Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 745474414f9d7c4168189a7c1f34f211bedcc06254b6feec619d51ac13b064e5
Instruction ID: d32ca8df40edd84c25553d164eaf587355c17c4620d117c59e3264af84cf9ac6
Opcode Fuzzy Hash: 745474414f9d7c4168189a7c1f34f211bedcc06254b6feec619d51ac13b064e5
Instruction Fuzzy Hash: 10419CEB24C295BC7202C5426F68AFB176FF6C6730330882BF407C7192E3944E8A55B1

Function 055606BF Relevance: 1.7, APIs: 1, Instructions: 245
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 708092ee8a8dac674a2d1e0c384a333d0206d75d93ce9b40f78fd1485cb4fc89
Instruction ID: ff2a85a73cb88ae6967a9e95413cb2e0c38406665172deec20f7b477304aadc5
Opcode Fuzzy Hash: 708092ee8a8dac674a2d1e0c384a333d0206d75d93ce9b40f78fd1485cb4fc89
Instruction Fuzzy Hash: F5416DEB64D195BC7152C0822F68AFB176FE6D6B30730C82BF407C7192E2844E8A55B1

Function 0009A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0009A343

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 2d8bcc78023e3bf4ce219dbd24609c3c419d8000900797bcdbdb629a0bafd460
Instruction ID: af96c772d48f60447da91faf72e932bdb82a1ef6129dbc2ab01bbdf7dc5fbc8f
Opcode Fuzzy Hash: 2d8bcc78023e3bf4ce219dbd24609c3c419d8000900797bcdbdb629a0bafd460
Instruction Fuzzy Hash: 85710970A00204ABDF14DF68DC49BAEB7F8EF42710F10856DF8199B681D7B59A45C7D2

Function 055606DF Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 6c8db4a3c0b95e7ab54413e1cc490d6374e50633b2bd77ffd66423146ab3a766
Instruction ID: 115020f31a0856f77c6a44a4d29b1e852a21a13625ac8f374a57a1b8cdbb7607
Opcode Fuzzy Hash: 6c8db4a3c0b95e7ab54413e1cc490d6374e50633b2bd77ffd66423146ab3a766
Instruction Fuzzy Hash: CA416AEB64D1A5BC7212C1822F68AFB576FF6D6B307308937F407C7192E2844E8A55B1

Function 05560703 Relevance: 1.7, APIs: 1, Instructions: 220
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c3a4a1d5d67e07288c17ce326776959003a513e820a88629157abd7b9a97806a
Instruction ID: 25a93bf632700b217b891e7c103913137c381baa0d4ebcd7864a774862047760
Opcode Fuzzy Hash: c3a4a1d5d67e07288c17ce326776959003a513e820a88629157abd7b9a97806a
Instruction Fuzzy Hash: 1E416AEB24D165BC7212C1826F68AFB536FE2C6B30730C83BF407C7192E2944E8A55B1

Function 05560718 Relevance: 1.7, APIs: 1, Instructions: 210
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ee2bc9a6c34165f93c62440a270890fbcf6f0dd2fbd447af10cb17fff900df97
Instruction ID: 0f1d6df41310df9b0943f573f79f65ad761b4d86a1193c82b81db4d0f6e0773b
Opcode Fuzzy Hash: ee2bc9a6c34165f93c62440a270890fbcf6f0dd2fbd447af10cb17fff900df97
Instruction Fuzzy Hash: 08417EEB64D165BC7142C0822B68AFB572FE6C6B30330C837F407C7192E2884E8A54B1

Function 0018549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00179087,?,00000000,00000000,00000000,?,00000000,?,0009A3EB,00179087,00000000,0009A3EB,?,?), ref: 00185621

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d2895d000c4c9040be048b26a7f1c91a3b65414baa0270893f8776d6c894eaee
Instruction ID: 64ece53ebfa2df4ea25e281fc97d2076a9a72eeded674c15a774a0462ee4d8c0
Opcode Fuzzy Hash: d2895d000c4c9040be048b26a7f1c91a3b65414baa0270893f8776d6c894eaee
Instruction Fuzzy Hash: 1061A071904519AFDF15EFA8C884EEEBFBBEF19304F640149E804A7216D772DA418FA0

Function 05560754 Relevance: 1.7, APIs: 1, Instructions: 198
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8e181f29355d439349f318232099a381f7e0a37a2347e417420a404f8c22c290
Instruction ID: bbbf45bad139743d79d31258665e076a573afa1149b8f18db5667c27bbee249d
Opcode Fuzzy Hash: 8e181f29355d439349f318232099a381f7e0a37a2347e417420a404f8c22c290
Instruction Fuzzy Hash: 63317CEB64D155BC7202C0412F68AFB572FE6C6B30330CC2BF407C7196E2844E8A55B1

Function 0556079C Relevance: 1.7, APIs: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 122ccfde78c0ef4a63dcce90216a3e77f8f9e477bf967f765a161a119334ff54
Instruction ID: c74f8c93a8fdb17668a7d7abec71b65ab44e6dcb2199413484beb67cbecf4fd5
Opcode Fuzzy Hash: 122ccfde78c0ef4a63dcce90216a3e77f8f9e477bf967f765a161a119334ff54
Instruction Fuzzy Hash: C3318DEB64D1A1BC7202C1522F68AFA576FF6D67303308D2BF407C7596E3894E4A11B2

Function 055607BE Relevance: 1.7, APIs: 1, Instructions: 164COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: ec2dd35f41f494fe2a057b8c77bf29116f1abd5786da18d13cd961e5fd403368
Instruction ID: 0d09de34dd460cc9d711bcb11bd34bbbdf6502c0618032685d308b53ac483442
Opcode Fuzzy Hash: ec2dd35f41f494fe2a057b8c77bf29116f1abd5786da18d13cd961e5fd403368
Instruction Fuzzy Hash: 7F312BEB64D155BC7242C1522F28AFB576FF6D57303308837F407C7596E6884E4A54B1

Function 055607D6 Relevance: 1.7, APIs: 1, Instructions: 160COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d673ebb6a98eb4f7f856c13d17c408a2e525c777c350e724dd67ce011e621e39
Instruction ID: 6e95fe06e88074389c1fd5d63ab7ddb873cee6cb01a9f326757af83746f66f5c
Opcode Fuzzy Hash: d673ebb6a98eb4f7f856c13d17c408a2e525c777c350e724dd67ce011e621e39
Instruction Fuzzy Hash: 6C319FEB64C251BDB252C1412B28AFB636FF6D6730330883BF407C7196E7844E4910B1

Function 00174942 Relevance: 1.7, APIs: 1, Instructions: 157COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57aee36122b921ed156cdc633340d2435ec300a39f86a74d23d8f5c99af136bc
Instruction ID: be292eba414ef51219a544f0fbbc851f1cb6c86321309a54a2a9c5b221dbc8fa
Opcode Fuzzy Hash: 57aee36122b921ed156cdc633340d2435ec300a39f86a74d23d8f5c99af136bc
Instruction Fuzzy Hash: 1351B374A40108AFDF14CF58C881AAABFB5EF59364F25C158E84E9B252D331DE81CB94

Function 00100560 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001006AE

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 6beaaca6bb28c8514c0a32ef2d91f572dc319fd4b2748e27c46bec4b43867081
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: 0B412772A001149FCB16DF68DC806AE7BA6AF8D340F140169FC45DB382D771DE618BE1

Function 05560809 Relevance: 1.6, APIs: 1, Instructions: 131COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 05560813

Memory Dump Source

Source File: 00000005.00000002.4136334455.0000000005560000.00000040.00001000.00020000.00000000.sdmp, Offset: 05560000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5560000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a27a1d2538ced8e38d18ccf91575321ddee165f34b25b2d954e049f4eb0730c4
Instruction ID: 54da1dadf3533eb899321d67a875e9b1a362490cea3076459b5fc4cb88e8c178
Opcode Fuzzy Hash: a27a1d2538ced8e38d18ccf91575321ddee165f34b25b2d954e049f4eb0730c4
Instruction Fuzzy Hash: 5921AFEB60C291BC7642C1522B68AFA576FF6D57303308927F407C7191E7944E4950F1

Function 00184B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,001849F9,00000000,CF830579,001C1140,0000000C,00184AB5,00178BBD,?), ref: 00184B68

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: 2ea4c3ab0c5a9f01f9177402264d595e11c5ecc71c2e788e27241c6d9913ff71
Instruction ID: aa2a482bfab3cbe730339cc16e1ddd48a3db3a0d95fd27488941155fb1e5525b
Opcode Fuzzy Hash: 2ea4c3ab0c5a9f01f9177402264d595e11c5ecc71c2e788e27241c6d9913ff71
Instruction Fuzzy Hash: A8116B33A411241BD72472746845B7E678A8F92770F39024EF8188B0C2FF22DE814B99

Function 0017E05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,001C0DF8,0009A3EB,00000002,0009A3EB,00000000,?,?,?,0017E166,00000000,?,0009A3EB,00000002,001C0DF8), ref: 0017E098

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3e42a9abdbc60188be7d6d3b63f944bf0b1af43b5afed44b99b30fb0a062f125
Instruction ID: 8ad1f1710b3d324c8c99ff9c3184e0f297095a3a01f315962c2ad28bee4d68ac
Opcode Fuzzy Hash: 3e42a9abdbc60188be7d6d3b63f944bf0b1af43b5afed44b99b30fb0a062f125
Instruction Fuzzy Hash: E901C432710155AFCF199F59CC05C9E3BAADB85320B254249F8549B291EBB2ED918BD0

Function 001863F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001791F7,00000000,?,00185D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0017D244,001789C3,001791F7,00000000), ref: 00186435

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: b52e99df5ecb60a1f2d211cd90f06ddd71a664faaf368a0a3655b89d88395e57
Instruction ID: ff54bd6ec092640c0cc13af083eec191f49fcfd96b5adc9ed0e57302bc33ec93
Opcode Fuzzy Hash: b52e99df5ecb60a1f2d211cd90f06ddd71a664faaf368a0a3655b89d88395e57
Instruction Fuzzy Hash: 12F08932505624669B217B629C46B5F3B599F51764F258051BD1897181CF30DA114FF2

Function 00186E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0018D635,4D88C033,?,0018D635,00000220,?,001857EF,4D88C033), ref: 00186E60

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: c033468f09ab7f72ba7add6ab105e7dce0aec344afe24537087e9c255cd3834d
Instruction ID: c4c8f579c9e1117cc838821cdcb0f87de86539b560b72abaa5219998311c77cf
Opcode Fuzzy Hash: c033468f09ab7f72ba7add6ab105e7dce0aec344afe24537087e9c255cd3834d
Instruction Fuzzy Hash: 85E0223A10062566EF30B665DC05B5B7A5DCF927B0F060120FC14960D0DF20CF018FE5

Function 055700B4 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f702d4bc910d0a288ecce8ab49e8b17ea571b3c051c654756375b185b6ca1ebe
Instruction ID: 47ce532a5aada51174d0f7c23d5a536bbdb67650b107447ac9286bc6cf790a5c
Opcode Fuzzy Hash: f702d4bc910d0a288ecce8ab49e8b17ea571b3c051c654756375b185b6ca1ebe
Instruction Fuzzy Hash: 9B11A0EB15D128BC7152D1867F189F6ABAFF1D7730B308827F407D4492E2980F5925B1

Function 055700BD Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd0d81670d7ec3df2d1a7c3ac0bcdafcc7d60e61cd2f78e0f6daf707c848d2d6
Instruction ID: a333f4c6c0b7320406eb1835faf77966acbf2a27eac51ac600e98c7fb6ef7cb5
Opcode Fuzzy Hash: bd0d81670d7ec3df2d1a7c3ac0bcdafcc7d60e61cd2f78e0f6daf707c848d2d6
Instruction Fuzzy Hash: BA11A0EB159128BD7146D5867F189F6ABAFF1D7330B308837F407D4492E2940B5925B1

Function 0557013D Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 484ca1eaf56957b6fcad93b33efdbfbb67e308f29b57ff5487ebab03f3f43741
Instruction ID: 664f876b3b4eef0d81c83a1b542f5af95cd2437e709e2fe0d0aee4bf7e7c1b69
Opcode Fuzzy Hash: 484ca1eaf56957b6fcad93b33efdbfbb67e308f29b57ff5487ebab03f3f43741
Instruction Fuzzy Hash: 7D1157EB448228BD6117C4967F5C9F67FAFF5D2230B304827F407D94A2D1850B4A59B1

Function 055700E7 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a407c12072d084c098d9c5500ba4a1538f0f6bdc608411b54357f4b2bcade6fe
Instruction ID: c122fdcbb70fc6b9b2f2b02151dc78cafa510da6b017cd7e4255a3f4351d05b3
Opcode Fuzzy Hash: a407c12072d084c098d9c5500ba4a1538f0f6bdc608411b54357f4b2bcade6fe
Instruction Fuzzy Hash: F6014CE7048228BE6102D0957F5C9F6ABAFF5E7330B308C27F807E9592C2450B4455B1

Function 0557015B Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb8733808b484f1448df7ba66fd8c61ed42241cbb8255ec202d96c52f5ca796f
Instruction ID: 6e349ade86b11baee52951bb5c9a6b90a83ca5db51c164cb0f2bca30ad0adf45
Opcode Fuzzy Hash: bb8733808b484f1448df7ba66fd8c61ed42241cbb8255ec202d96c52f5ca796f
Instruction Fuzzy Hash: E6F0F9D709D228BC6047D0463F5CAF2ABDFB1D7730B344827F447D8596D1890B8969B2

Function 0557011E Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5cf7a59cec9407c39f9fcfacaa2faf26c79bfbc072ba093e9d0446e985a354b
Instruction ID: 4783754aeefdf011e1cf23d75282c64ca3f7cd0d746092f4a8ad511ba6825ae7
Opcode Fuzzy Hash: f5cf7a59cec9407c39f9fcfacaa2faf26c79bfbc072ba093e9d0446e985a354b
Instruction Fuzzy Hash: 9CF0E2E7098128AD5106D156BF5CAB267DFB1AA731F308C26F047D86A2C5490B44AAE6

Function 0557017F Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebfcc3248819378cbb97d60fe0145bad0b1dc6e2d7311228c6eda2470b98194a
Instruction ID: 0e069ac0cfa37b50955fed62ab5e3b01eece20c8909395b0b1a9780f20ce3e23
Opcode Fuzzy Hash: ebfcc3248819378cbb97d60fe0145bad0b1dc6e2d7311228c6eda2470b98194a
Instruction Fuzzy Hash: A7F027E7099024AC114AD552BE5C5F67BDFB197730B300C27F087D80A2D1490B896AF9

Function 05570130 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4136375922.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_5570000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac73881177c52faf6f37545a627bcba7143032f69e921c52196359654f04137
Instruction ID: a16301daa60ab21160c3a330611724d16f65e3f742b375ab688114816cbaa04f
Opcode Fuzzy Hash: 8ac73881177c52faf6f37545a627bcba7143032f69e921c52196359654f04137
Instruction Fuzzy Hash: C3E0E5E7058128AC5006D1967E5C6F667DF71A7331F304C27F443DC692C2880B492AF6

Non-executed Functions

Function 001784A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 5f47255837c40a3d706529b2864631ff549768cd2bd3c3258a366bbc38fb01fa
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: E9023C71E412199BDF14CFA9D8846AEFBF1FF48314F258269E519E7380DB31AA41CB90

Function 000FF810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000FF833
std::_Lockit::_Lockit.LIBCPMT ref: 000FF855
std::_Lockit::~_Lockit.LIBCPMT ref: 000FF875
std::_Lockit::~_Lockit.LIBCPMT ref: 000FF89F
std::_Lockit::_Lockit.LIBCPMT ref: 000FF90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000FF959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000FF973
std::_Lockit::~_Lockit.LIBCPMT ref: 000FFA08
std::_Facet_Register.LIBCPMT ref: 000FFA15

Strings

Ps, xrefs: 000FF96B, 000FF972
bad locale name, xrefs: 000FFA2F

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$Ps
API String ID: 3375549084-1174896957
Opcode ID: 294444fddf1b518aba4229b468bfd9701cc482618184ed3a113dd1e108a2f08c
Instruction ID: 872a0c3800515b49a2e4b2167c741a8a6c3b3d1479f064bba62044f3cf1949a5
Opcode Fuzzy Hash: 294444fddf1b518aba4229b468bfd9701cc482618184ed3a113dd1e108a2f08c
Instruction Fuzzy Hash: 6961B071E0024D9BDF10DFA4D845BAEBBF4BF14350F144068E908A7781EB75E905CBA2

Function 00093D10 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093E7F

Strings

ios_base::failbit set, xrefs: 00093D32
G>, xrefs: 00093D2B, 00093D67, 00093D6A
G>, xrefs: 00093DB8
@3, xrefs: 00093E84
ios_base::badbit set, xrefs: 00093E17
ios_base::eofbit set, xrefs: 00093E41, 00093E63
@3, xrefs: 00093DBE, 00093E9B
`!, xrefs: 00093E70

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3$@3$G>$G>$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1078880228
Opcode ID: 25954e1051915b58708859f561d53b6352cb7b99ef885c255ef7892f58979086
Instruction ID: 8b9dddc28789992660394ca21fd2a173151d3090e8ac1e1f91c698e2f420ca4b
Opcode Fuzzy Hash: 25954e1051915b58708859f561d53b6352cb7b99ef885c255ef7892f58979086
Instruction Fuzzy Hash: C54182B2904204AFCB18DF58D845BAEB7F9EB49310F14852EF919D7681E770AA018FA0

Function 00093DE0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093E7F

Strings

ios_base::failbit set, xrefs: 00093D32, 00093E1E
@3, xrefs: 00093E84
ios_base::badbit set, xrefs: 00093E17
ios_base::eofbit set, xrefs: 00093E28, 00093E41, 00093E63
@3, xrefs: 00093DBE, 00093E9B
`!, xrefs: 00093E70

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3$@3$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1863890269
Opcode ID: ff04dc713bc958787fbb90287c2c3ea8d36c4b3d3733c7c902f007e601e7c1fe
Instruction ID: 3ff57f4b4e684199225e5f663cdfcb3c3375dd473981fc117fb08346ed1b42df
Opcode Fuzzy Hash: ff04dc713bc958787fbb90287c2c3ea8d36c4b3d3733c7c902f007e601e7c1fe
Instruction Fuzzy Hash: 26210DB29043046FCB14DF58D805F96B7ECAB18310F18882EFA69DB681E770EA14DF91

Function 00094C50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00094F72
___std_exception_destroy.LIBVCRUNTIME ref: 00094FFF
___std_exception_copy.LIBVCRUNTIME ref: 000950C8

Strings

@3, xrefs: 000950CD
recursive_directory_iterator::operator++, xrefs: 0009504C
`!, xrefs: 00094F6B, 00094FF8, 000950B9

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: @3$`!$recursive_directory_iterator::operator++
API String ID: 1206660477-1018949397
Opcode ID: c230f281f2ffae2512521e0559c58af9494e08e4cdd77e9d53d98ef82582593e
Instruction ID: 35ba5fa24e6031213c45de8a998a8abfeeeb7ae21f409fd52b8deb71414c0a0f
Opcode Fuzzy Hash: c230f281f2ffae2512521e0559c58af9494e08e4cdd77e9d53d98ef82582593e
Instruction Fuzzy Hash: 9AE1F4B19002049FDB28DF68D845FAEB7F9FF48300F108A2DE45693B82D774A945CBA1

Function 00097820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009799A
___std_exception_copy.LIBVCRUNTIME ref: 00097B75

Strings

type_error, xrefs: 0009784A
out_of_range, xrefs: 00097A27
`!, xrefs: 000979A5, 00097B80
`!, xrefs: 00097985, 00097B60

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$out_of_range$type_error
API String ID: 2659868963-2269780633
Opcode ID: 733c27003c7f875e01bd4801a8a3718b1903ee323306203927a1521cd24ef531
Instruction ID: b9e720447f402c97917352a52612a17419401bf12c91cb9d739ef621f70299f3
Opcode Fuzzy Hash: 733c27003c7f875e01bd4801a8a3718b1903ee323306203927a1521cd24ef531
Instruction Fuzzy Hash: BAC169B19002089FDB18CFA8D984B9DFBF1FF49300F148669E419EB791E7749981CB50

Function 00093190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000932C6
___std_exception_destroy.LIBVCRUNTIME ref: 00093350

Strings

`!, xrefs: 000932D1
@3, xrefs: 00093316
+4, xrefs: 00093190
`!, xrefs: 000932AD, 00093349

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4$@3$`!$`!
API String ID: 2970364248-4089177709
Opcode ID: 4496339217beb850e6db5146a6d2fbfbd0a1742a65d17a99c7ba2944d2bdab1b
Instruction ID: 54c561783155b2cffa16f25d4bb89f76594856376a9943c45fafe2ae11632ede
Opcode Fuzzy Hash: 4496339217beb850e6db5146a6d2fbfbd0a1742a65d17a99c7ba2944d2bdab1b
Instruction Fuzzy Hash: CF516A71A002189FDF08CF98D885BEEBBF5FF59300F14812AE819A7391D774AA418B91

Function 000939F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00093A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00093AA4
__Getctype.LIBCPMT ref: 00093ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00093AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00093B7B

Strings

bad locale name, xrefs: 00093B96

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7679ddfe8991f5d297dd776b22a35a1d7859a826e5fbb26496ad6609ff0b8892
Instruction ID: 91eca405778df0a83e7d4c16968b4ebcffff89055093b975e21f38152bd44019
Opcode Fuzzy Hash: 7679ddfe8991f5d297dd776b22a35a1d7859a826e5fbb26496ad6609ff0b8892
Instruction Fuzzy Hash: F55160B5D002089BEF10DFA4DD45B9EBBF8BF14314F148069E909AB341E775DA04CB62

Function 00172E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00172E47
___except_validate_context_record.LIBVCRUNTIME ref: 00172E4F
_ValidateLocalCookies.LIBCMT ref: 00172ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00172F03
_ValidateLocalCookies.LIBCMT ref: 00172F58

Strings

csm, xrefs: 00172EED

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fbe51d52304a8b2cc70b096818ab0fb3221cf4bd7f4df3deb4a69f609919d696
Instruction ID: 40328a8ca2c6ae0524abcdb6a60f687b175440dd8f2eefc36b683b32615fc71c
Opcode Fuzzy Hash: fbe51d52304a8b2cc70b096818ab0fb3221cf4bd7f4df3deb4a69f609919d696
Instruction Fuzzy Hash: 14418235A00209ABCF14DF68C885A9EBBB5FF55324F14C055E81C9B352DB31EE56CB91

Function 000FDE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000FDE93
std::_Lockit::_Lockit.LIBCPMT ref: 000FDEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 000FDED6
std::_Facet_Register.LIBCPMT ref: 000FDF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 000FDF63
Concurrency::cancel_current_task.LIBCPMT ref: 000FDF7B

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 92eb7d8c78ae2d44e0a67f0223c843228965a96f6511fc4d0edd75950442899b
Instruction ID: f19d82cbcdd3a5d085039941d63a4f45359b5a8ac17fe51eb4009737f344e909
Opcode Fuzzy Hash: 92eb7d8c78ae2d44e0a67f0223c843228965a96f6511fc4d0edd75950442899b
Instruction Fuzzy Hash: AF41FE71A002199BCB10EF54D884EAEBBB5FB10320F10426AE9059BB52D731ED44CBD1

Function 00096F40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00097340

Strings

`!, xrefs: 0009734B
parse_error, xrefs: 00096F8B
`!, xrefs: 00097328
parse error, xrefs: 00096FFF, 00097018

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$parse error$parse_error
API String ID: 2659868963-929550935
Opcode ID: 4ea84be766665424ba6e648cc1001b051c29b5649763ad31d51918cbd9caafbe
Instruction ID: 3a877a7c4a7b9bb6ca1a76da8f8292a2d58292a953724f22a7b570b1b71fe6eb
Opcode Fuzzy Hash: 4ea84be766665424ba6e648cc1001b051c29b5649763ad31d51918cbd9caafbe
Instruction Fuzzy Hash: 79E16D719142088FDB18CF68C884B9DBBB1FF48300F24826DE419EB792D7749A85DF51

Function 000973B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 000975BE
___std_exception_destroy.LIBVCRUNTIME ref: 000975CD

Strings

, column , xrefs: 00097434, 0009744A
at line , xrefs: 000973F7
`!, xrefs: 000975B6, 000975C6

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!
API String ID: 4194217158-2977949356
Opcode ID: ccefab20a4e256d7e752f95bcb3527a6a11ff6698df24c53d15fe9fb8e955e0f
Instruction ID: abd381724ff7639ace0674070c801a536b2c520404b57c99aaa03f225627d84a
Opcode Fuzzy Hash: ccefab20a4e256d7e752f95bcb3527a6a11ff6698df24c53d15fe9fb8e955e0f
Instruction Fuzzy Hash: 9B61E671A046049FDF08DF68DC84B9DBBB6FF48300F24862CE419A7782D774AA45DB91

Function 00093370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00093190: ___std_exception_copy.LIBVCRUNTIME ref: 000932C6

___std_exception_copy.LIBVCRUNTIME ref: 0009345F

Strings

@3, xrefs: 000933F3, 0009347B
@3, xrefs: 00093464
+4, xrefs: 000933B3, 00093410
`!, xrefs: 00093450

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4$@3$@3$`!
API String ID: 2659868963-1914207329
Opcode ID: 18422242c34727452c111046a90dab25468ecf9a9569e3188b5def4d947f3fb7
Instruction ID: ebb52e20d4dad782f6203f8f2b0a6965170c1db1052a9511771e10c1dc61c845
Opcode Fuzzy Hash: 18422242c34727452c111046a90dab25468ecf9a9569e3188b5def4d947f3fb7
Instruction Fuzzy Hash: E13183B1900209AFCB18DFA8D941ADEFBF9FB08310F10852AF519E7651E770AA51CB90

Function 00093410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009345F

Strings

@3, xrefs: 000933F3, 0009347B
@3, xrefs: 00093464
+4, xrefs: 000933B3, 00093410
`!, xrefs: 00093450

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4$@3$@3$`!
API String ID: 2659868963-1914207329
Opcode ID: d69241f37684ee938f35d50bf9a6ba92661c1cb34b16b7a4aa5e3c14b2a9ce8e
Instruction ID: ec154226cbb1ff71b85ee3d87c401b52546654fc404efdbc0a21c2b66ca277f8
Opcode Fuzzy Hash: d69241f37684ee938f35d50bf9a6ba92661c1cb34b16b7a4aa5e3c14b2a9ce8e
Instruction Fuzzy Hash: 7F01FFB6500309AF8B04DFA9D545C96FBFDAF58310700C42AE519D7611EBB0E555CB90

Function 00096C60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00096F11
___std_exception_destroy.LIBVCRUNTIME ref: 00096F20

Strings

[json.exception., xrefs: 00096CB8
`!, xrefs: 00096F09, 00096F19

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.$`!
API String ID: 4194217158-3048014091
Opcode ID: 93fe263e7740c341080adc509677843c5347fd3be96d9cc4557db85ec4720a15
Instruction ID: f0a463a16eeb7814293c8d33aba0083093226477beeb8d2eb0bb960d42ad4e9e
Opcode Fuzzy Hash: 93fe263e7740c341080adc509677843c5347fd3be96d9cc4557db85ec4720a15
Instruction Fuzzy Hash: 9891C470A002089FDF18CF68D984B9EBBF6FF59300F20866DE459AB792D775A941CB50

Function 00097620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000977B4

Strings

`!, xrefs: 000977BF
`!, xrefs: 0009779F
invalid_iterator, xrefs: 00097656

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$invalid_iterator
API String ID: 2659868963-3421541259
Opcode ID: 2cc77f91e07c8fd82a595194a78378f539f05fb00e072f7e0a0daf14b777d1b7
Instruction ID: 39f9d503a07cc501bb7851f81c66d33b561f70119edf335cff06732c741a4e83
Opcode Fuzzy Hash: 2cc77f91e07c8fd82a595194a78378f539f05fb00e072f7e0a0daf14b777d1b7
Instruction Fuzzy Hash: 63514AB19042089FDB18CFA8E99479DFBF1FB48300F14866DE419EB792E7749985CB90

Function 00097BE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00097D67

Strings

`!, xrefs: 00097D72
other_error, xrefs: 00097C0A
`!, xrefs: 00097D52

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$other_error
API String ID: 2659868963-1899045556
Opcode ID: 21c77acb1f801fbd0beec41b8bab33980a15a57dd3a4f88ed2fe794bd8aad469
Instruction ID: 9279ae0ee39fd7ae06709a1591ce4f8b18d561a1318a597e4864116e1776381d
Opcode Fuzzy Hash: 21c77acb1f801fbd0beec41b8bab33980a15a57dd3a4f88ed2fe794bd8aad469
Instruction Fuzzy Hash: 0B5179B19012488FDB18CFA8D9847ADBBF1FF48300F148669E459EB782E774A985CB50

Function 000FD050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000FD06F
___std_exception_copy.LIBVCRUNTIME ref: 000FD096

Strings

`!, xrefs: 000FD09B
`!, xrefs: 000FD060, 000FD085

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: d495d650bdd2eff5b5051cf6fce93e0b70afad023eb72b12187ea9384c3ac176
Instruction ID: 0dfc8d177f3cc2819fde84c338c0114c1c3b096db9facd992e1ca7700f39e03d
Opcode Fuzzy Hash: d495d650bdd2eff5b5051cf6fce93e0b70afad023eb72b12187ea9384c3ac176
Instruction Fuzzy Hash: 5D01F6B6500706AF8709CF58D504882FBF8FB48310311852FE529CBB00E7B0E529CFA0

Function 0010B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0010B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0010B406

Strings

`!, xrefs: 0010B40E
`!, xrefs: 0010B3D0, 0010B3F5

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: 79f45bbaf531533b79d92ec0e5f7610964a74ec276e040c93bbc8e3dae03d6ed
Instruction ID: def7398e37b161bcdc926fe28cba8fff3afa6048e92668531c086ac312207693
Opcode Fuzzy Hash: 79f45bbaf531533b79d92ec0e5f7610964a74ec276e040c93bbc8e3dae03d6ed
Instruction Fuzzy Hash: 4AF0C4B6500706AF8709DF58D515886BBF8FA48710311852FE52ADBB11E7B0E529CBA0

Function 0010E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0010E491

Strings

type must be boolean, but is , xrefs: 0010E582
type must be string, but is , xrefs: 0010E4F8

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 1da79b95eb64faa4f3999f22417817f74ba354fd4c3d8cdbce15bb513158af50
Instruction ID: 05a260621de4a06789b2a8414e7c775e246362e6797df2d79a539509ed80c81e
Opcode Fuzzy Hash: 1da79b95eb64faa4f3999f22417817f74ba354fd4c3d8cdbce15bb513158af50
Instruction Fuzzy Hash: B6416BB1900248AFDB14EBA4D902BEE77A8DB10310F044978F459D7AC3EB75EA10C791

Function 00093050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093078

Strings

`!, xrefs: 00093080
`!, xrefs: 00093063

Memory Dump Source

Source File: 00000005.00000002.4129247202.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000005.00000002.4129149941.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129247202.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129552206.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4129615582.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130398355.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.4130736549.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: cdec5676e0b264cfc482e88fc2191b3951f3e2dd796ff4a25c83423a5ed27983
Instruction ID: a90d06c2f6cd3aab028f27cf62c2f2a915659e65671221f9119a2f2049bf97e6
Opcode Fuzzy Hash: cdec5676e0b264cfc482e88fc2191b3951f3e2dd796ff4a25c83423a5ed27983
Instruction Fuzzy Hash: 4BE0EDB2901308ABC711DFA8990598AFBF8AB19701F1186AAE948D7300F7B195558BD1

Analysis Process: MPGPH131.exePID: 344, Parent PID: 1044COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	2.1%
Signature Coverage:	0%
Total number of Nodes:	663
Total number of Limit Nodes:	68

Executed Functions

Function 000F3A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,000F3DB6), ref: 000F3B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,000F3DB6), ref: 000F3BBA

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4b506305717294d5d74707611b31c074e13bf6740377d5a265901e1ef9e6ad7a
Instruction ID: a811a4e20886ff2e81cdb47d13103c210d01b0db4cd875ba52cfbb524817a802
Opcode Fuzzy Hash: 4b506305717294d5d74707611b31c074e13bf6740377d5a265901e1ef9e6ad7a
Instruction Fuzzy Hash: CD51C835A042199FCB24CF48C8E0EBAB3F1FF45724B28449AD645ABB52D731EE45DB80

Function 000AE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 000AE0CB
socket.WS2_32(?,?,?), ref: 000AE17F
connect.WS2_32(00000000,?,?), ref: 000AE192
closesocket.WS2_32(00000000), ref: 000AE19E

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 56894a1bf25705064c3c42edf62e3a6fb81caf869352bfc3c41a3c814b193780
Instruction ID: a7314e1be920b2b0e8859c0e3859d522dcdcdbc7e662d47eb4d703cc1ab089fd
Opcode Fuzzy Hash: 56894a1bf25705064c3c42edf62e3a6fb81caf869352bfc3c41a3c814b193780
Instruction Fuzzy Hash: BE31C171605310ABE7209F65C848B6BB7E4EBC6774F104F1DF9A8A72D0D37599048BA2

Function 0016F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009220E

Strings

`!, xrefs: 00092216
`!, xrefs: 000921FC

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: 8aed841b473b68f9eb65007730c7a68ac4ce50a3379f920c45c457fb712e03d7
Instruction ID: f63029ce59ff315aed0f986e4315aafc3869fedc89a889a500b891b6c5183d56
Opcode Fuzzy Hash: 8aed841b473b68f9eb65007730c7a68ac4ce50a3379f920c45c457fb712e03d7
Instruction Fuzzy Hash: F601F27650030DBBCB18AFA9EC0299977AC9B10320B50843DFA18DB691EB30E9658B91

Function 00184623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 305f1b2d47df6fd9b12cb76c45af53217479b53f9cd0033e42cf83b8cac2613d
Instruction ID: 6667b5fec2b65cd0e9c004ef7ae312de3ab06573d82955ada8f8498b32bb38a3
Opcode Fuzzy Hash: 305f1b2d47df6fd9b12cb76c45af53217479b53f9cd0033e42cf83b8cac2613d
Instruction Fuzzy Hash: CEB1E670E0424AAFDF15EFA8D841BAEBBB1AF5A314F154158E444A7292CF719E42CF50

Function 0009A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 0009A343

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6d9c4e1c2decaf45e6a333ef326f95fbe75f0b5137f048da65c1568678bdcaf2
Instruction ID: aa6586639a07bcd2b59d07f0790d510f118a2ce192ce12dbfc05b561e2f15205
Opcode Fuzzy Hash: 6d9c4e1c2decaf45e6a333ef326f95fbe75f0b5137f048da65c1568678bdcaf2
Instruction Fuzzy Hash: CE710770A00204ABDF14DF68DC49BAEBBF8EF42710F10856DF8199B682D7B59A45C7D2

Function 0018549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00179087,?,00000000,00000000,00000000,?,00000000,?,0009A3EB,00179087,00000000,0009A3EB,?,?), ref: 00185621

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: a7b56c64c21f87c19ae2313eaf58e96a9766fa7d5e43f1dbc863f83f96711a88
Instruction ID: ecda4757367def6a151651b4e0dc054654501e7d954c5a14f76f46f9e1e4e5d2
Opcode Fuzzy Hash: a7b56c64c21f87c19ae2313eaf58e96a9766fa7d5e43f1dbc863f83f96711a88
Instruction Fuzzy Hash: C861A071904519AFDF15EFA8C884EEEBFBBEF19304F640149E804A7216D772DA418FA0

Function 04BE09D9 Relevance: 1.7, APIs: 1, Instructions: 164
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bb735063fe9e20643e0d862e1602375d229eeba9df5034e393b26f1f9d0d20d3
Instruction ID: f401bf31d61bc8c285a4c392b2591589d9495052aa80c3776e17f68e65079f05
Opcode Fuzzy Hash: bb735063fe9e20643e0d862e1602375d229eeba9df5034e393b26f1f9d0d20d3
Instruction Fuzzy Hash: FC3162E770C1397CB211A1962B14EFB56ADE6D5734B3194B7B807D2106F3D45A4A7031

Function 04BE09F4 Relevance: 1.7, APIs: 1, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 32fd6b93a02fb6320eaba3427a6285abb445b027f4800a2efa5265f714bef749
Instruction ID: 775d54b6589ad224ae01ad1c231470e935e8496f80ece11fb8a1e8519e636c8c
Opcode Fuzzy Hash: 32fd6b93a02fb6320eaba3427a6285abb445b027f4800a2efa5265f714bef749
Instruction Fuzzy Hash: 14318EE760C2797DB212A1922B10AFB67AEE6D673473194B7F807D2106E3C45A8A7131

Function 00174942 Relevance: 1.7, APIs: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57aee36122b921ed156cdc633340d2435ec300a39f86a74d23d8f5c99af136bc
Instruction ID: be292eba414ef51219a544f0fbbc851f1cb6c86321309a54a2a9c5b221dbc8fa
Opcode Fuzzy Hash: 57aee36122b921ed156cdc633340d2435ec300a39f86a74d23d8f5c99af136bc
Instruction Fuzzy Hash: 1351B374A40108AFDF14CF58C881AAABFB5EF59364F25C158E84E9B252D331DE81CB94

Function 04BE0997 Relevance: 1.6, APIs: 1, Instructions: 148
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: e763638447417b52d097242a1e0d0d82c2db14ec2ebe1fa8f4451f04d660f851
Instruction ID: d4288b6074fe00b8c875b8b8539cb4a1b85c944066a57f8e1fc1d8d1edacdfd4
Opcode Fuzzy Hash: e763638447417b52d097242a1e0d0d82c2db14ec2ebe1fa8f4451f04d660f851
Instruction Fuzzy Hash: 97317EA760C2297CB212E5966B50AFB67AEE6D633473194B7F803D2106F3D45A8A7031

Function 04BE0A18 Relevance: 1.6, APIs: 1, Instructions: 142
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: a369725acf6037104ed15888e0b4d0214f3c562201a412c95dfaac9aaecf24f1
Instruction ID: 6662bd379dd4b78fc8fbdda45aa2e7ce1b39d88b5f7c7986182f89e24582b278
Opcode Fuzzy Hash: a369725acf6037104ed15888e0b4d0214f3c562201a412c95dfaac9aaecf24f1
Instruction Fuzzy Hash: 1821D1E770C2357CB212A1962B50EFB67AEE6D673473094B7B803D2106F3C45A8A7131

Function 00100560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 001006AE

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 6beaaca6bb28c8514c0a32ef2d91f572dc319fd4b2748e27c46bec4b43867081
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: 0B412772A001149FCB16DF68DC806AE7BA6AF8D340F140169FC45DB382D771DE618BE1

Function 04BE0A44 Relevance: 1.6, APIs: 1, Instructions: 133
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 672293f14d8a0a0eaf3ad8df0529b48df24d07214f357c6a9074c3ae5983ee1d
Instruction ID: f967253135f33ccc41053e064ae1b18575d2e5b371c4cf4020be3fde59028066
Opcode Fuzzy Hash: 672293f14d8a0a0eaf3ad8df0529b48df24d07214f357c6a9074c3ae5983ee1d
Instruction Fuzzy Hash: 5121B1E770C2257CB211A1962B14EFB66AEF6D6734B3084B6F803D2106F3C45A4A3031

Function 04BE0A57 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 0de182615a52a06b3d6b2a6b2a12eeb823aef191a58413b0104f105ca756eb53
Instruction ID: 6f66a4ba79a0255995ff403eae5fc85cb9ba333a4b2ea61c24ca37a84099ad15
Opcode Fuzzy Hash: 0de182615a52a06b3d6b2a6b2a12eeb823aef191a58413b0104f105ca756eb53
Instruction Fuzzy Hash: A6217CE760C2297DB212A5962F50EFBA7AEE5D673073184BAF803D2106F3C45A4A2131

Function 04BE0A73 Relevance: 1.6, APIs: 1, Instructions: 126
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: decb8bc7f6353365c7942d8cab2c8d16f9865c24a0f418c79e9a74d2ae927e52
Instruction ID: 136a44b052bf41194d7353c1ccfc2773e39adbc1eb2b17e6ed72d77443cb67d6
Opcode Fuzzy Hash: decb8bc7f6353365c7942d8cab2c8d16f9865c24a0f418c79e9a74d2ae927e52
Instruction Fuzzy Hash: 37216DE760C2257CB212A1962F54EFBA7AEE5D673473184B7F803D2106F3C45A4A2031

Function 04BE0A8A Relevance: 1.6, APIs: 1, Instructions: 124COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bdbda248f36e808bae8f204e9ec4fec09f930039d7267ff4d413a11fe10852a5
Instruction ID: 0936958588c45848fdd31e03052474eef5f089a5cc112349911e94dbb7c4303f
Opcode Fuzzy Hash: bdbda248f36e808bae8f204e9ec4fec09f930039d7267ff4d413a11fe10852a5
Instruction Fuzzy Hash: FF218EF760C2257CB212A1962F10EFBA7AEE6D673473188B7F803D2106F3C45A4A2031

Function 04BE0B01 Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 35367ac84892877ff61bafc6148222534830dba727c7fb1a54a73fc0eb6a9818
Instruction ID: 4c24d99255e1196df04fb67bebe40310805ffc4ebeb19333f0d678c4d990dd88
Opcode Fuzzy Hash: 35367ac84892877ff61bafc6148222534830dba727c7fb1a54a73fc0eb6a9818
Instruction Fuzzy Hash: 79216DE770C2257CB212A1962B50AFBA6AEE6D673473188B6F803D6106F3C45A4A3071

Function 04BE0A66 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 433cc9494d19aef21058ab493755ae48e8f1f8c19f321c5f4365d683c24ea48e
Instruction ID: 7680e41aafce3385b6da4c4947b3492aada6f3f7b6bf9d5ede8b13e3de70638d
Opcode Fuzzy Hash: 433cc9494d19aef21058ab493755ae48e8f1f8c19f321c5f4365d683c24ea48e
Instruction Fuzzy Hash: A521A1E760C1257DB212A1922F10EF7A7BEF6D673473084BAF803D6106F3D45A496131

Function 04BE0AAE Relevance: 1.6, APIs: 1, Instructions: 105COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c50fb17d866f45d90b5547b9430bdcb4ade90bdcafca7e2b0107abd756343b6b
Instruction ID: e5280e93bdaaf8a526bd6c6d75cc984699bc167bd56dc638d7f4dc372a3504d2
Opcode Fuzzy Hash: c50fb17d866f45d90b5547b9430bdcb4ade90bdcafca7e2b0107abd756343b6b
Instruction Fuzzy Hash: 611190E760C2257DB212A2926F14AF7A6AEF6D673473188BAF803D2106F3D45A496131

Function 04BE0ACC Relevance: 1.6, APIs: 1, Instructions: 102COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04BE0AE7

Memory Dump Source

Source File: 00000006.00000002.4135970016.0000000004BE0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4be0000_MPGPH131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 56f66508da9269ed7ee5063e27d2fb611840fe5f6f27049f8681900d890f00c0
Instruction ID: b0fccd263491a6fb3628c78d4ee14c59bc38a8b0a07142fdc662ae708063553c
Opcode Fuzzy Hash: 56f66508da9269ed7ee5063e27d2fb611840fe5f6f27049f8681900d890f00c0
Instruction Fuzzy Hash: 86115EE760C2257DB212A2A22F54AFB67BEF5D673473184B6F803D6106F3C45A4A6131

Function 00184B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,001849F9,00000000,CF830579,001C1140,0000000C,00184AB5,00178BBD,?), ref: 00184B68

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c32b50201dd9f89adaaafa23109c41b409feb64185c00069089ccb365cfa1dbc
Instruction ID: 73d3d34e3de03ffaf564354971dea81f9225f5ac7fca61646874092725ba489a
Opcode Fuzzy Hash: c32b50201dd9f89adaaafa23109c41b409feb64185c00069089ccb365cfa1dbc
Instruction Fuzzy Hash: 4B116B33A4122517E72472346841F7E678A8F92774F39024AF8089B1C2FF22DE814B99

Function 0017E05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,001C0DF8,0009A3EB,00000002,0009A3EB,00000000,?,?,?,0017E166,00000000,?,0009A3EB,00000002,001C0DF8), ref: 0017E098

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c67fa6529d8dedb37b61504b01e24b8cd7123e1d0cd9907e069b2f71aa65c841
Instruction ID: 7277388b4852e3dd2045fbde643beef6402a85615539b4668d9a4d7154798ee7
Opcode Fuzzy Hash: c67fa6529d8dedb37b61504b01e24b8cd7123e1d0cd9907e069b2f71aa65c841
Instruction Fuzzy Hash: B9010432610149AFCF099F58CC01C9E3BBADB85324B244288F8509B291EBB2ED918BD0

Function 001863F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,001791F7,00000000,?,00185D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0017D244,001789C3,001791F7,00000000), ref: 00186434

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 66dea444254da7f7aeb2c0becc002235a8622622ebf3a4975bf0306049238b2f
Instruction ID: 0827c58f10c4c73ecd8524fd2c643e0fcecf3a052e6ca9641065fc009517761d
Opcode Fuzzy Hash: 66dea444254da7f7aeb2c0becc002235a8622622ebf3a4975bf0306049238b2f
Instruction Fuzzy Hash: E4F0E93250612466DB217B629C42B5F3B599F41B60F258021BC04A7181CF30DE114FF2

Function 00186E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0018D635,4D88C033,?,0018D635,00000220,?,001857EF,4D88C033), ref: 00186E60

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 55e2ffd965edd1e3d95fdcaa6a57d854565e586ee26a4c92a5ce2f03e884d97d
Instruction ID: c4c8f579c9e1117cc838821cdcb0f87de86539b560b72abaa5219998311c77cf
Opcode Fuzzy Hash: 55e2ffd965edd1e3d95fdcaa6a57d854565e586ee26a4c92a5ce2f03e884d97d
Instruction Fuzzy Hash: 85E0223A10062566EF30B665DC05B5B7A5DCF927B0F060120FC14960D0DF20CF018FE5

Function 04BF0223 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4f91aa9620fca5262902e3b472f4a24e62109e182d3af21189fb852012e848de
Instruction ID: e5b5310b47aa7f85023545b5ee4b61bb91aa8275f03cbce2576e805c53eb588d
Opcode Fuzzy Hash: 4f91aa9620fca5262902e3b472f4a24e62109e182d3af21189fb852012e848de
Instruction Fuzzy Hash: 26113BEB24C110BDA842B6D16E547FA7B2EF6D673073084A6F60F92523B2D92B4D7031

Function 04BF01C8 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4618580ea2b804709b7e29658f0cd97f4e1b3574c4cb5845a18fe25495e6b436
Instruction ID: c8e57bc358119b15a00630a66aabd45fcc9073abbefd03bba5f2138b5b4f50c1
Opcode Fuzzy Hash: 4618580ea2b804709b7e29658f0cd97f4e1b3574c4cb5845a18fe25495e6b436
Instruction Fuzzy Hash: F11129EB24C110BDA84261D56F547FAAB2DE6D673073085A6F60FC2553F2D8274D7031

Function 04BF0250 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e7aa726637ba7d6bf55e3e9259d75111ee141d2da34b94acac8168c041f15856
Instruction ID: dd7e10f01ab32903bb0f018fef8a1c026d605fa7424b9410d346a8a4a567d730
Opcode Fuzzy Hash: e7aa726637ba7d6bf55e3e9259d75111ee141d2da34b94acac8168c041f15856
Instruction Fuzzy Hash: 6E1129DB24C120ADDC82A2E56D447F56F2AB69B6307304497E64F96563B1486A4EA130

Function 04BF020F Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77c89405f0a798d7422b57b3e6181b4e102fa5c2e7d3b88a05e66328dec13745
Instruction ID: a67385afe42c04607809715e39bffe32eceabb870ca4a5e7e3afec4a8d94471d
Opcode Fuzzy Hash: 77c89405f0a798d7422b57b3e6181b4e102fa5c2e7d3b88a05e66328dec13745
Instruction Fuzzy Hash: F9F0D69B34C121AD9881A1C52F446FAAA6EF5EB73073080A7B60FD1563B288674D7031

Function 04BF0242 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef844a111be671a81818d91412711476d65616f42fe7288b34622e3bfa68b3c4
Instruction ID: 104d50c1f743c9eaedab93719f046f0a2eb3932aaec402d0fdbc74102f6cf1c7
Opcode Fuzzy Hash: ef844a111be671a81818d91412711476d65616f42fe7288b34622e3bfa68b3c4
Instruction Fuzzy Hash: 1CF0BB9B34C110ED9441B1C52F449BAAA6EF4EB73077081A7B60FD1563B298674D7131

Function 04BF027D Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95b1b3723fa6445a26f44c13d7659940922adb18a8bbadb6609fe062cdbfc599
Instruction ID: 6407c8e939e578776a28007cf9347325933043306549989574a31e2aeb09bdc6
Opcode Fuzzy Hash: 95b1b3723fa6445a26f44c13d7659940922adb18a8bbadb6609fe062cdbfc599
Instruction Fuzzy Hash: 40F0A0AB34C120ED9442B2DA6E459B9BF6AF59F33033041A7A20B829A37294275C7131

Function 04BF0288 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4136048248.0000000004BF0000.00000040.00001000.00020000.00000000.sdmp, Offset: 04BF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_4bf0000_MPGPH131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bed4e25b0a0935c3a9d98af3c429b97fde97a15bac9fd27a1c4b3a65bf49e3f7
Instruction ID: 648ddec31cc30d523d311cbb4d8c3d3f8e653a4736602b9f039fc3b35bda0733
Opcode Fuzzy Hash: bed4e25b0a0935c3a9d98af3c429b97fde97a15bac9fd27a1c4b3a65bf49e3f7
Instruction Fuzzy Hash: 28E022AB34C120AD9042B2DA2E455B97F5EE49F73233041A3E24FC4AA3B184261D7231

Non-executed Functions

Function 001784A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 5f47255837c40a3d706529b2864631ff549768cd2bd3c3258a366bbc38fb01fa
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: E9023C71E412199BDF14CFA9D8846AEFBF1FF48314F258269E519E7380DB31AA41CB90

Function 000FF810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000FF833
std::_Lockit::_Lockit.LIBCPMT ref: 000FF855
std::_Lockit::~_Lockit.LIBCPMT ref: 000FF875
std::_Lockit::~_Lockit.LIBCPMT ref: 000FF89F
std::_Lockit::_Lockit.LIBCPMT ref: 000FF90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000FF959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 000FF973
std::_Lockit::~_Lockit.LIBCPMT ref: 000FFA08
std::_Facet_Register.LIBCPMT ref: 000FFA15

Strings

bad locale name, xrefs: 000FFA2F
Ps, xrefs: 000FF96B, 000FF972

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$Ps
API String ID: 3375549084-1174896957
Opcode ID: 294444fddf1b518aba4229b468bfd9701cc482618184ed3a113dd1e108a2f08c
Instruction ID: 872a0c3800515b49a2e4b2167c741a8a6c3b3d1479f064bba62044f3cf1949a5
Opcode Fuzzy Hash: 294444fddf1b518aba4229b468bfd9701cc482618184ed3a113dd1e108a2f08c
Instruction Fuzzy Hash: 6961B071E0024D9BDF10DFA4D845BAEBBF4BF14350F144068E908A7781EB75E905CBA2

Function 00093D10 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093E7F

Strings

@3, xrefs: 00093E84
ios_base::failbit set, xrefs: 00093D32
`!, xrefs: 00093E70
ios_base::eofbit set, xrefs: 00093E41, 00093E63
G>, xrefs: 00093DB8
@3, xrefs: 00093DBE, 00093E9B
G>, xrefs: 00093D2B, 00093D67, 00093D6A
ios_base::badbit set, xrefs: 00093E17

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3$@3$G>$G>$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1078880228
Opcode ID: 25954e1051915b58708859f561d53b6352cb7b99ef885c255ef7892f58979086
Instruction ID: 8b9dddc28789992660394ca21fd2a173151d3090e8ac1e1f91c698e2f420ca4b
Opcode Fuzzy Hash: 25954e1051915b58708859f561d53b6352cb7b99ef885c255ef7892f58979086
Instruction Fuzzy Hash: C54182B2904204AFCB18DF58D845BAEB7F9EB49310F14852EF919D7681E770AA018FA0

Function 00093DE0 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093E7F

Strings

@3, xrefs: 00093E84
ios_base::failbit set, xrefs: 00093D32, 00093E1E
`!, xrefs: 00093E70
ios_base::eofbit set, xrefs: 00093E28, 00093E41, 00093E63
@3, xrefs: 00093DBE, 00093E9B
ios_base::badbit set, xrefs: 00093E17

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: @3$@3$`!$ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1863890269
Opcode ID: ff04dc713bc958787fbb90287c2c3ea8d36c4b3d3733c7c902f007e601e7c1fe
Instruction ID: 3ff57f4b4e684199225e5f663cdfcb3c3375dd473981fc117fb08346ed1b42df
Opcode Fuzzy Hash: ff04dc713bc958787fbb90287c2c3ea8d36c4b3d3733c7c902f007e601e7c1fe
Instruction Fuzzy Hash: 26210DB29043046FCB14DF58D805F96B7ECAB18310F18882EFA69DB681E770EA14DF91

Function 00094C50 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00094F72
___std_exception_destroy.LIBVCRUNTIME ref: 00094FFF
___std_exception_copy.LIBVCRUNTIME ref: 000950C8

Strings

@3, xrefs: 000950CD
`!, xrefs: 00094F6B, 00094FF8, 000950B9
recursive_directory_iterator::operator++, xrefs: 0009504C

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: @3$`!$recursive_directory_iterator::operator++
API String ID: 1206660477-1018949397
Opcode ID: c230f281f2ffae2512521e0559c58af9494e08e4cdd77e9d53d98ef82582593e
Instruction ID: 35ba5fa24e6031213c45de8a998a8abfeeeb7ae21f409fd52b8deb71414c0a0f
Opcode Fuzzy Hash: c230f281f2ffae2512521e0559c58af9494e08e4cdd77e9d53d98ef82582593e
Instruction Fuzzy Hash: 9AE1F4B19002049FDB28DF68D845FAEB7F9FF48300F108A2DE45693B82D774A945CBA1

Function 00097820 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009799A
___std_exception_copy.LIBVCRUNTIME ref: 00097B75

Strings

`!, xrefs: 00097985, 00097B60
out_of_range, xrefs: 00097A27
type_error, xrefs: 0009784A
`!, xrefs: 000979A5, 00097B80

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$out_of_range$type_error
API String ID: 2659868963-2269780633
Opcode ID: 733c27003c7f875e01bd4801a8a3718b1903ee323306203927a1521cd24ef531
Instruction ID: b9e720447f402c97917352a52612a17419401bf12c91cb9d739ef621f70299f3
Opcode Fuzzy Hash: 733c27003c7f875e01bd4801a8a3718b1903ee323306203927a1521cd24ef531
Instruction Fuzzy Hash: BAC169B19002089FDB18CFA8D984B9DFBF1FF49300F148669E419EB791E7749981CB50

Function 00093190 Relevance: 10.7, APIs: 2, Strings: 4, Instructions: 170COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000932C6
___std_exception_destroy.LIBVCRUNTIME ref: 00093350

Strings

@3, xrefs: 00093316
`!, xrefs: 000932AD, 00093349
+4, xrefs: 00093190
`!, xrefs: 000932D1

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy___std_exception_destroy
String ID: +4$@3$`!$`!
API String ID: 2970364248-4089177709
Opcode ID: 4496339217beb850e6db5146a6d2fbfbd0a1742a65d17a99c7ba2944d2bdab1b
Instruction ID: 54c561783155b2cffa16f25d4bb89f76594856376a9943c45fafe2ae11632ede
Opcode Fuzzy Hash: 4496339217beb850e6db5146a6d2fbfbd0a1742a65d17a99c7ba2944d2bdab1b
Instruction Fuzzy Hash: CF516A71A002189FDF08CF98D885BEEBBF5FF59300F14812AE819A7391D774AA418B91

Function 000939F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 00093A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00093AA4
__Getctype.LIBCPMT ref: 00093ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00093AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 00093B7B

Strings

bad locale name, xrefs: 00093B96

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7679ddfe8991f5d297dd776b22a35a1d7859a826e5fbb26496ad6609ff0b8892
Instruction ID: 91eca405778df0a83e7d4c16968b4ebcffff89055093b975e21f38152bd44019
Opcode Fuzzy Hash: 7679ddfe8991f5d297dd776b22a35a1d7859a826e5fbb26496ad6609ff0b8892
Instruction Fuzzy Hash: F55160B5D002089BEF10DFA4DD45B9EBBF8BF14314F148069E909AB341E775DA04CB62

Function 00172E10 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00172E47
___except_validate_context_record.LIBVCRUNTIME ref: 00172E4F
_ValidateLocalCookies.LIBCMT ref: 00172ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00172F03
_ValidateLocalCookies.LIBCMT ref: 00172F58

Strings

csm, xrefs: 00172EED

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: fbe51d52304a8b2cc70b096818ab0fb3221cf4bd7f4df3deb4a69f609919d696
Instruction ID: 40328a8ca2c6ae0524abcdb6a60f687b175440dd8f2eefc36b683b32615fc71c
Opcode Fuzzy Hash: fbe51d52304a8b2cc70b096818ab0fb3221cf4bd7f4df3deb4a69f609919d696
Instruction Fuzzy Hash: 14418235A00209ABCF14DF68C885A9EBBB5FF55324F14C055E81C9B352DB31EE56CB91

Function 000FDE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 000FDE93
std::_Lockit::_Lockit.LIBCPMT ref: 000FDEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 000FDED6
std::_Facet_Register.LIBCPMT ref: 000FDF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 000FDF63
Concurrency::cancel_current_task.LIBCPMT ref: 000FDF7B

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 92eb7d8c78ae2d44e0a67f0223c843228965a96f6511fc4d0edd75950442899b
Instruction ID: f19d82cbcdd3a5d085039941d63a4f45359b5a8ac17fe51eb4009737f344e909
Opcode Fuzzy Hash: 92eb7d8c78ae2d44e0a67f0223c843228965a96f6511fc4d0edd75950442899b
Instruction Fuzzy Hash: AF41FE71A002199BCB10EF54D884EAEBBB5FB10320F10426AE9059BB52D731ED44CBD1

Function 00096F40 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00097340

Strings

`!, xrefs: 00097328
parse_error, xrefs: 00096F8B
parse error, xrefs: 00096FFF, 00097018
`!, xrefs: 0009734B

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$parse error$parse_error
API String ID: 2659868963-929550935
Opcode ID: 4ea84be766665424ba6e648cc1001b051c29b5649763ad31d51918cbd9caafbe
Instruction ID: 3a877a7c4a7b9bb6ca1a76da8f8292a2d58292a953724f22a7b570b1b71fe6eb
Opcode Fuzzy Hash: 4ea84be766665424ba6e648cc1001b051c29b5649763ad31d51918cbd9caafbe
Instruction Fuzzy Hash: 79E16D719142088FDB18CF68C884B9DBBB1FF48300F24826DE419EB792D7749A85DF51

Function 000973B0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 000975BE
___std_exception_destroy.LIBVCRUNTIME ref: 000975CD

Strings

`!, xrefs: 000975B6, 000975C6
, column , xrefs: 00097434, 0009744A
at line , xrefs: 000973F7

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column $`!
API String ID: 4194217158-2977949356
Opcode ID: ccefab20a4e256d7e752f95bcb3527a6a11ff6698df24c53d15fe9fb8e955e0f
Instruction ID: abd381724ff7639ace0674070c801a536b2c520404b57c99aaa03f225627d84a
Opcode Fuzzy Hash: ccefab20a4e256d7e752f95bcb3527a6a11ff6698df24c53d15fe9fb8e955e0f
Instruction Fuzzy Hash: 9B61E671A046049FDF08DF68DC84B9DBBB6FF48300F24862CE419A7782D774AA45DB91

Function 00093370 Relevance: 8.9, APIs: 1, Strings: 4, Instructions: 103COMMON

Download Yara Rule

APIs

Part of subcall function 00093190: ___std_exception_copy.LIBVCRUNTIME ref: 000932C6

___std_exception_copy.LIBVCRUNTIME ref: 0009345F

Strings

@3, xrefs: 00093464
`!, xrefs: 00093450
+4, xrefs: 000933B3, 00093410
@3, xrefs: 000933F3, 0009347B

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4$@3$@3$`!
API String ID: 2659868963-1914207329
Opcode ID: 18422242c34727452c111046a90dab25468ecf9a9569e3188b5def4d947f3fb7
Instruction ID: ebb52e20d4dad782f6203f8f2b0a6965170c1db1052a9511771e10c1dc61c845
Opcode Fuzzy Hash: 18422242c34727452c111046a90dab25468ecf9a9569e3188b5def4d947f3fb7
Instruction Fuzzy Hash: E13183B1900209AFCB18DFA8D941ADEFBF9FB08310F10852AF519E7651E770AA51CB90

Function 00093410 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 47COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0009345F

Strings

@3, xrefs: 00093464
`!, xrefs: 00093450
+4, xrefs: 000933B3, 00093410
@3, xrefs: 000933F3, 0009347B

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: +4$@3$@3$`!
API String ID: 2659868963-1914207329
Opcode ID: d69241f37684ee938f35d50bf9a6ba92661c1cb34b16b7a4aa5e3c14b2a9ce8e
Instruction ID: ec154226cbb1ff71b85ee3d87c401b52546654fc404efdbc0a21c2b66ca277f8
Opcode Fuzzy Hash: d69241f37684ee938f35d50bf9a6ba92661c1cb34b16b7a4aa5e3c14b2a9ce8e
Instruction Fuzzy Hash: 7F01FFB6500309AF8B04DFA9D545C96FBFDAF58310700C42AE519D7611EBB0E555CB90

Function 00096C60 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 00096F11
___std_exception_destroy.LIBVCRUNTIME ref: 00096F20

Strings

`!, xrefs: 00096F09, 00096F19
[json.exception., xrefs: 00096CB8

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.$`!
API String ID: 4194217158-3048014091
Opcode ID: 93fe263e7740c341080adc509677843c5347fd3be96d9cc4557db85ec4720a15
Instruction ID: f0a463a16eeb7814293c8d33aba0083093226477beeb8d2eb0bb960d42ad4e9e
Opcode Fuzzy Hash: 93fe263e7740c341080adc509677843c5347fd3be96d9cc4557db85ec4720a15
Instruction Fuzzy Hash: 9891C470A002089FDF18CF68D984B9EBBF6FF59300F20866DE459AB792D775A941CB50

Function 00097620 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 167COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000977B4

Strings

`!, xrefs: 0009779F
invalid_iterator, xrefs: 00097656
`!, xrefs: 000977BF

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$invalid_iterator
API String ID: 2659868963-3421541259
Opcode ID: 2cc77f91e07c8fd82a595194a78378f539f05fb00e072f7e0a0daf14b777d1b7
Instruction ID: 39f9d503a07cc501bb7851f81c66d33b561f70119edf335cff06732c741a4e83
Opcode Fuzzy Hash: 2cc77f91e07c8fd82a595194a78378f539f05fb00e072f7e0a0daf14b777d1b7
Instruction Fuzzy Hash: 63514AB19042089FDB18CFA8E99479DFBF1FB48300F14866DE419EB792E7749985CB90

Function 00097BE0 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 156COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00097D67

Strings

`!, xrefs: 00097D52
other_error, xrefs: 00097C0A
`!, xrefs: 00097D72

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!$other_error
API String ID: 2659868963-1899045556
Opcode ID: 21c77acb1f801fbd0beec41b8bab33980a15a57dd3a4f88ed2fe794bd8aad469
Instruction ID: 9279ae0ee39fd7ae06709a1591ce4f8b18d561a1318a597e4864116e1776381d
Opcode Fuzzy Hash: 21c77acb1f801fbd0beec41b8bab33980a15a57dd3a4f88ed2fe794bd8aad469
Instruction Fuzzy Hash: 0B5179B19012488FDB18CFA8D9847ADBBF1FF48300F148669E459EB782E774A985CB50

Function 000FD050 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 000FD06F
___std_exception_copy.LIBVCRUNTIME ref: 000FD096

Strings

`!, xrefs: 000FD060, 000FD085
`!, xrefs: 000FD09B

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: d495d650bdd2eff5b5051cf6fce93e0b70afad023eb72b12187ea9384c3ac176
Instruction ID: 0dfc8d177f3cc2819fde84c338c0114c1c3b096db9facd992e1ca7700f39e03d
Opcode Fuzzy Hash: d495d650bdd2eff5b5051cf6fce93e0b70afad023eb72b12187ea9384c3ac176
Instruction Fuzzy Hash: 5D01F6B6500706AF8709CF58D504882FBF8FB48310311852FE529CBB00E7B0E529CFA0

Function 0010B3C0 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 0010B3DF
___std_exception_copy.LIBVCRUNTIME ref: 0010B406

Strings

`!, xrefs: 0010B3D0, 0010B3F5
`!, xrefs: 0010B40E

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: 79f45bbaf531533b79d92ec0e5f7610964a74ec276e040c93bbc8e3dae03d6ed
Instruction ID: def7398e37b161bcdc926fe28cba8fff3afa6048e92668531c086ac312207693
Opcode Fuzzy Hash: 79f45bbaf531533b79d92ec0e5f7610964a74ec276e040c93bbc8e3dae03d6ed
Instruction Fuzzy Hash: 4AF0C4B6500706AF8709DF58D515886BBF8FA48710311852FE52ADBB11E7B0E529CBA0

Function 0010E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0010E491

Strings

type must be string, but is , xrefs: 0010E4F8
type must be boolean, but is , xrefs: 0010E582

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: 1da79b95eb64faa4f3999f22417817f74ba354fd4c3d8cdbce15bb513158af50
Instruction ID: 05a260621de4a06789b2a8414e7c775e246362e6797df2d79a539509ed80c81e
Opcode Fuzzy Hash: 1da79b95eb64faa4f3999f22417817f74ba354fd4c3d8cdbce15bb513158af50
Instruction Fuzzy Hash: B6416BB1900248AFDB14EBA4D902BEE77A8DB10310F044978F459D7AC3EB75EA10C791

Function 00093050 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 00093078

Strings

`!, xrefs: 00093063
`!, xrefs: 00093080

Memory Dump Source

Source File: 00000006.00000002.4129248250.0000000000091000.00000040.00000001.01000000.00000005.sdmp, Offset: 00090000, based on PE: true

Associated: 00000006.00000002.4129151147.0000000000090000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129248250.00000000001C3000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129557648.00000000001C8000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.00000000001CC000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000348000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000436000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.000000000046D000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000476000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4129613958.0000000000484000.00000040.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130326696.0000000000485000.00000080.00000001.01000000.00000005.sdmpDownload File
Associated: 00000006.00000002.4130608914.000000000062C000.00000040.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_6_2_90000_MPGPH131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: `!$`!
API String ID: 2659868963-1174305143
Opcode ID: cdec5676e0b264cfc482e88fc2191b3951f3e2dd796ff4a25c83423a5ed27983
Instruction ID: a90d06c2f6cd3aab028f27cf62c2f2a915659e65671221f9119a2f2049bf97e6
Opcode Fuzzy Hash: cdec5676e0b264cfc482e88fc2191b3951f3e2dd796ff4a25c83423a5ed27983
Instruction Fuzzy Hash: 4BE0EDB2901308ABC711DFA8990598AFBF8AB19701F1186AAE948D7300F7B195558BD1

Analysis Process: RageMP131.exePID: 7252, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	3.6%
Signature Coverage:	0%
Total number of Nodes:	548
Total number of Limit Nodes:	65

Executed Functions

Function 00203A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00203DB6), ref: 00203B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00203DB6), ref: 00203BBA

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 08746c17b49043d6b0427710afc2ded3d397faa28ce77ed6911be22268f038fc
Instruction ID: 689e0a05f7175626304ea922439172732abf8639b299bf3a107af8264350ce8c
Opcode Fuzzy Hash: 08746c17b49043d6b0427710afc2ded3d397faa28ce77ed6911be22268f038fc
Instruction Fuzzy Hash: 6951BB35A14216CFCB24CF58C8D0EAAB3B9FF49708B29459AD445AF392D731EE15CB80

Function 001BE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 001BE0CA
socket.WS2_32(?,?,?), ref: 001BE17F
connect.WS2_32(00000000,?,?), ref: 001BE193
closesocket.WS2_32(00000000), ref: 001BE19E

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 443327ca00a20d343898c7d88f547ec996e3049b2fff4439273980c82c42b959
Instruction ID: 84366b7b12188b8188ad669b8931a057a8fa2555998bc31a13e9ec5a42fe3d6f
Opcode Fuzzy Hash: 443327ca00a20d343898c7d88f547ec996e3049b2fff4439273980c82c42b959
Instruction Fuzzy Hash: D031C471605310ABD7209F69C8487ABB7E4EF86734F104F1DF9A8A72D0D33599148BA3

Function 00284942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O(, xrefs: 00284A93, 00284A61, 00284AAB, 00284AC7

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: O(
API String ID: 0-2961352692
Opcode ID: de2682b5db8e2563b81c24c700635fd82509e6c6ca500bcdbd72a5da6d0bf684
Instruction ID: f4a823e26f3e85ead8dcb2b2093d541122f88a2ac611247369fe9a0f2a563f87
Opcode Fuzzy Hash: de2682b5db8e2563b81c24c700635fd82509e6c6ca500bcdbd72a5da6d0bf684
Instruction Fuzzy Hash: E2511738A11109AFCF14FF58C895AAABFB1EF45314F248159F8499F292D371EE61CB90

Function 00294623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2367333640a12192248dcd0450e903a78b54d8e9eb241040163adb42adef406
Instruction ID: 3e61b27ff225493ffe0ce53af21ec4153478c37cee5d4c6a6ece48193f12d6e4
Opcode Fuzzy Hash: a2367333640a12192248dcd0450e903a78b54d8e9eb241040163adb42adef406
Instruction Fuzzy Hash: F8B1E174A2424AAFEF15FFA8D844FAEBBB5BF45304F14415AE84097292C7709D62CF60

Function 04E40A20 Relevance: 1.8, APIs: 1, Instructions: 291
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6374a1c70fc023cd01210a1dd204bfde4253bf880992304bf9d2711de9ece24
Instruction ID: 96a1a17f8cf6eb7c0a44b7b9b5c5aa2198869a05c436c03c4930f3c9a3560983
Opcode Fuzzy Hash: b6374a1c70fc023cd01210a1dd204bfde4253bf880992304bf9d2711de9ece24
Instruction Fuzzy Hash: DC51C0EB34C115BDF542C5867B50AF7676EE7C6730730A876FA47C6602F2942A893071

Function 04E409D9 Relevance: 1.8, APIs: 1, Instructions: 281
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bc08cec4a65c76c7fd7503c058fc0fee0d47eff9dcf7b6e0709f6fddb0cfc7ea
Instruction ID: 93ef740f98ce596efbbf3ebfdecc32d185f7a74a585a553335efff803eaeca32
Opcode Fuzzy Hash: bc08cec4a65c76c7fd7503c058fc0fee0d47eff9dcf7b6e0709f6fddb0cfc7ea
Instruction Fuzzy Hash: DA51ADEB34C111BDE142C5467B50AF767AEE7CA730730A476BA0BC6602F2942A893032

Function 04E409EB Relevance: 1.8, APIs: 1, Instructions: 278
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 8bc30502bc1b4e66730ddaaf8e79b8ab98f7161817fa93e255f50431a7da1cdd
Instruction ID: a68f1264f82d355182f861f2c6f89cc14cda8ab2d58ca612680b398bbda22bdd
Opcode Fuzzy Hash: 8bc30502bc1b4e66730ddaaf8e79b8ab98f7161817fa93e255f50431a7da1cdd
Instruction Fuzzy Hash: 5151BFEB34C115BDF142C5467B50AFB67AEE7C6730730A876FA4BC6606F2942A893071

Function 04E40A0C Relevance: 1.8, APIs: 1, Instructions: 268
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: eb40271e89f61e11ce44d9d34f4796eaa46efbe5164cd217993a01cfcf433814
Instruction ID: c0103dce82c2eba70033677a26b9be6795845de000dc24bb0f493468fce19af5
Opcode Fuzzy Hash: eb40271e89f61e11ce44d9d34f4796eaa46efbe5164cd217993a01cfcf433814
Instruction Fuzzy Hash: 4051AEEB34C115BDE142C5467B50AF767AEE7CA730730A476BA4BC6606F3942A893031

Function 04E40A4E Relevance: 1.8, APIs: 1, Instructions: 254
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 18631339fbb7fd05e2e6dea9a4993ccc5379003c72f2906cda7eb6dc25eb12b2
Instruction ID: 1bb1610c83c6bb75964f1f90a302020d18f240910329f12da94c08b7b6fd6c89
Opcode Fuzzy Hash: 18631339fbb7fd05e2e6dea9a4993ccc5379003c72f2906cda7eb6dc25eb12b2
Instruction Fuzzy Hash: E051D0EB30C125BDE25281567B50BFB676EE7C6730730A476BA07C6606F3942A893032

Function 04E40A77 Relevance: 1.7, APIs: 1, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 71c6ee1efd5ac648ab91364b368cc11b8ac340cd8496ed1fce5922eba96dd74e
Instruction ID: e614c69c217b4218c927e950e1b471525b0a85427028463d59cc15f0514999b6
Opcode Fuzzy Hash: 71c6ee1efd5ac648ab91364b368cc11b8ac340cd8496ed1fce5922eba96dd74e
Instruction Fuzzy Hash: 8341BDEB34C125BDF14285467B50AFB676EE7C6730730A476BA0BC6606F3942B893031

Function 001AA210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 001AA343

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 66b7bb8d054d144cdaa87eb0f397ac72cf9d1dc95c696f6370b8bbe1c370954f
Instruction ID: 72d8d495fbeb681758ca1621ade7621968dd818cc9bf6a821d57661f4f7f20cb
Opcode Fuzzy Hash: 66b7bb8d054d144cdaa87eb0f397ac72cf9d1dc95c696f6370b8bbe1c370954f
Instruction Fuzzy Hash: 7F717C74901204AFDF14EF68CC49BAEBBE8EF42700F54856DF8089B282D7B5D944CB92

Function 04E40A90 Relevance: 1.7, APIs: 1, Instructions: 229
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5eee76e3fa954a651c517ee801e59b243a75a40864ed0dd369c7a31e4a40f274
Instruction ID: 1fe8cf7481363d417852e3239d1c7ee2848d7ef26c5d8e3f0f672b82669a7c3f
Opcode Fuzzy Hash: 5eee76e3fa954a651c517ee801e59b243a75a40864ed0dd369c7a31e4a40f274
Instruction Fuzzy Hash: 1641CCEB34C124BDF14285427B50AFB676EE7D6730730A476BA07C2A02F7942B893432

Function 04E40ABA Relevance: 1.7, APIs: 1, Instructions: 217
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 2a149f1796d11f1696cf875b2cd682e0b8807302071c6334c25b880698d4c681
Instruction ID: 4a5fffbd18faf6da0d55027e86dd7e2d7ca8daf52629d02bdc64b38d32280286
Opcode Fuzzy Hash: 2a149f1796d11f1696cf875b2cd682e0b8807302071c6334c25b880698d4c681
Instruction Fuzzy Hash: 6841F0EB34D115BEE24281467B50BF7676EE7C6330730A476BA07C6642F3942B883072

Function 04E40B26 Relevance: 1.7, APIs: 1, Instructions: 212
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c3a0a6926944d0d34efb82ca4a203415d598c895a79cdccad680fa5cec78189a
Instruction ID: 0b475772f924f7cf240a801f5d45862d4e97b58c901a75d4d143b45366487789
Opcode Fuzzy Hash: c3a0a6926944d0d34efb82ca4a203415d598c895a79cdccad680fa5cec78189a
Instruction Fuzzy Hash: 984111EB34C014FDE15281427B50BF6276EE7D6730730A476BA0BD2602F2942B893471

Function 0029549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00289087,?,00000000,00000000,00000000,?,00000000,?,001AA3EB,00289087,00000000,001AA3EB,?,?), ref: 00295621

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: f1659aa925a06e1981b53b961422bc8d8631ef64c115cc4ed93256358a87e252
Instruction ID: 66450b62b2fa6b85c586b7019e2ab8ce0a8122591fa5f82939445b82d3c56ea5
Opcode Fuzzy Hash: f1659aa925a06e1981b53b961422bc8d8631ef64c115cc4ed93256358a87e252
Instruction Fuzzy Hash: 7561C871E2452AAFDF12DFA8C844EEEBBB9EF05304F550149E904A7256D371DD21CBA0

Function 04E40AEB Relevance: 1.7, APIs: 1, Instructions: 195COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 1386a0218fa4b3b31f98609221a246cbbe4e4f2a76d66653c106986268885097
Instruction ID: 36f11265e34da5f54de3ad57ba1079d3f339c03327b65cf9e23c2b19ab7af11b
Opcode Fuzzy Hash: 1386a0218fa4b3b31f98609221a246cbbe4e4f2a76d66653c106986268885097
Instruction Fuzzy Hash: 0941D0EB34C115FDE25285453B50BF6676EE7D6334730A476BA0BC6A02F7942B893431

Function 04E40AFB Relevance: 1.7, APIs: 1, Instructions: 192COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d0ff2f9d0025db7f22c00e20f99be360217bccc465104dd576204cae65b3291b
Instruction ID: 2e4979223a5de410190a36e99d499664b8269513e7e9a7c72b3bd6fa8d337960
Opcode Fuzzy Hash: d0ff2f9d0025db7f22c00e20f99be360217bccc465104dd576204cae65b3291b
Instruction Fuzzy Hash: 9241D2EB34C115FDE65281427B50BF6676EE7D6330730A476BA07C6A06F7942B893431

Function 04E40B3F Relevance: 1.7, APIs: 1, Instructions: 188COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 75902401805f755dad1d71e36825b42c1e96c53fe264c7a1ef6897409def5a9b
Instruction ID: 14a3a47d1a7bb5b8f315a2b793b1bfca1c7244ae0f1b6b3be505d59b05fdc2d8
Opcode Fuzzy Hash: 75902401805f755dad1d71e36825b42c1e96c53fe264c7a1ef6897409def5a9b
Instruction Fuzzy Hash: C5311FEB34C014FEE25285413B40AF7676EE7DA330730A472BA07C6A02F3942B883471

Function 04E40B0C Relevance: 1.7, APIs: 1, Instructions: 186COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 27bb88cddb624ac2f541dadad051b21cfc2ffa0842e810ff3d691cea2f327de7
Instruction ID: b370fd2c064662f54b9b7b3cdba7fcebc926f08df89c4317129f90c1549902dc
Opcode Fuzzy Hash: 27bb88cddb624ac2f541dadad051b21cfc2ffa0842e810ff3d691cea2f327de7
Instruction Fuzzy Hash: A531E0EB34C115FDE69285453B40AF6676EF7CA330730A476BA0BC6A02F7942B893471

Function 04E40B7E Relevance: 1.7, APIs: 1, Instructions: 179COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 902c1291ff64605a5695bff9afbd89eddda8acffd91bfda6f67a97f3827d8ed0
Instruction ID: b1f44cf6b0cd2141df95b9bda27e2ce339803752a53d59819d60a4b64476f683
Opcode Fuzzy Hash: 902c1291ff64605a5695bff9afbd89eddda8acffd91bfda6f67a97f3827d8ed0
Instruction Fuzzy Hash: D74114EB30D114EEE25295557B40AF66B6EBBC623073094B6F607C6A06F7942B493431

Function 04E40B69 Relevance: 1.7, APIs: 1, Instructions: 169COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 736ec75d3280796bdeef9101c84d1ba9bc922b916280a986879ff3d9820e09bc
Instruction ID: fde1af04f327d6695d25a4fa5800f42263264e287728b683c640dd832ccc137b
Opcode Fuzzy Hash: 736ec75d3280796bdeef9101c84d1ba9bc922b916280a986879ff3d9820e09bc
Instruction Fuzzy Hash: CD3112E734C114FEE25281417B80AF6676EF7D6330730A4B6BA0BC6A06F7942B893571

Function 04E40BBF Relevance: 1.7, APIs: 1, Instructions: 155COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: abbc3c1a2df6a95081bb3bcf735bd12ba36801e2ba0d04291e7b2e95ad8eca5f
Instruction ID: 59518962fa399193cbb6df96746c71ad7ebe63d03d07cf5bfcf17cd09b8e6b11
Opcode Fuzzy Hash: abbc3c1a2df6a95081bb3bcf735bd12ba36801e2ba0d04291e7b2e95ad8eca5f
Instruction Fuzzy Hash: DE31E1EB34D114FDE65285453B40AF6676EE7CA330730A476BA0BC6A06F7942B483071

Function 04E40C39 Relevance: 1.6, APIs: 1, Instructions: 148COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 66fa436d6b857a8e5b626a6ae772beb2fa56462ede836ae36aedf774a1226fe7
Instruction ID: 50615bdc7cc22bf4db8d79111ec0372ee3f26c59ad8a205d84dc6a6a06bd4b7e
Opcode Fuzzy Hash: 66fa436d6b857a8e5b626a6ae772beb2fa56462ede836ae36aedf774a1226fe7
Instruction Fuzzy Hash: 5A3145EB74D111EEE61286517B10AF66B6EE7C7330330A4B6F647C6606F3942B4D6231

Function 04E40C5D Relevance: 1.6, APIs: 1, Instructions: 145COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d53e94e7d5faa3c655b278c786bbe0ef56cd72b45759be0e13b53f013d57dd62
Instruction ID: ea3648e52b1a706cddf081a58b29cc4633657437903958f5cd60b331d6bebb41
Opcode Fuzzy Hash: d53e94e7d5faa3c655b278c786bbe0ef56cd72b45759be0e13b53f013d57dd62
Instruction Fuzzy Hash: 6B21DFEB34D021FEE15285457B40AF6676EE7C6630730A476B60BC6A06F7942B893471

Function 00210560 Relevance: 1.6, APIs: 1, Instructions: 138COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002106AE

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 83076e327057845a717a4ba5b3c097f4bb480b2b394468aa26eb6652e16f7ace
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: F741E572A101149BCB15EF68D98069E7BE9AF95310F144169FC05EB346D7B0DDB08BE1

Function 04E40C89 Relevance: 1.6, APIs: 1, Instructions: 137COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 859de972ee0403962278a154e846cc30d6adbcdccf7adfa81099ea8f63e9bf9b
Instruction ID: 53902b88d8c5f5752f487c8c2bb18e8c6a6a31404fffd174c6081f99c058813b
Opcode Fuzzy Hash: 859de972ee0403962278a154e846cc30d6adbcdccf7adfa81099ea8f63e9bf9b
Instruction Fuzzy Hash: E821B1EB30D011FDE66285553B50AF66B6EE7C6330330A8B6FA0BC6606F7943B492571

Function 04E40C18 Relevance: 1.6, APIs: 1, Instructions: 130COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: d19fa47ef3bb652e4a366b3df43b1e718ed56153161636e96d6462788b4ab126
Instruction ID: d058544a2993ab2241a640950a05894167f05e840226e726aee30c4424d3d799
Opcode Fuzzy Hash: d19fa47ef3bb652e4a366b3df43b1e718ed56153161636e96d6462788b4ab126
Instruction Fuzzy Hash: 4221E0EB30D015FEE55285463B50AF6676EE7CA330730A472BA0BC6A06F7942B4D3071

Function 04E40BD6 Relevance: 1.6, APIs: 1, Instructions: 129COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 5bbe005b54f91412764616b4f5aced885c85b04ce5747afef66839aa3a5b8d3a
Instruction ID: bca1ee38ae2f6c1a8c40e83891c57468099d0b436e48e58eeb6efe7b409d69e8
Opcode Fuzzy Hash: 5bbe005b54f91412764616b4f5aced885c85b04ce5747afef66839aa3a5b8d3a
Instruction Fuzzy Hash: A721B0EB30D015FDE55285463B50AF6576EE7CA330730A476B60BC6A06F7943B493071

Function 04E40C2C Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04E40C53

Memory Dump Source

Source File: 00000007.00000002.4135966249.0000000004E40000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E40000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e40000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: f8df4dc47ade09534a88bfab9bb82e8911b91e9e70d0494567a97bb9698751f4
Instruction ID: cfd93396fbb6f900fc4818287c25f157b10e3c382406ea31b62457b95b3f14fb
Opcode Fuzzy Hash: f8df4dc47ade09534a88bfab9bb82e8911b91e9e70d0494567a97bb9698751f4
Instruction Fuzzy Hash: 7221B0EB30D011EEE55285463B50AF6676EE7C6330730A4B2B60BC6A06F7942B4D3172

Function 00294B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002949F9,00000000,CF830579,002D1140,0000000C,00294AB5,00288BBD,?), ref: 00294B68

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: c9b7ef385f9ac0f2e93e5b083d1a6123ad63fe55f9e5a805c41e26051a3d96b1
Instruction ID: 4c010bcfcff3dd7f09b83d2808b1c576c59bfcf0207115f444b1fbdb0887b1b5
Opcode Fuzzy Hash: c9b7ef385f9ac0f2e93e5b083d1a6123ad63fe55f9e5a805c41e26051a3d96b1
Instruction Fuzzy Hash: 31114832E7121416DF253A75AC25F7E678D8F9277CF2A020AF9088B0C2EE60EC624195

Function 0028E05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,002D0DF8,001AA3EB,00000002,001AA3EB,00000000,?,?,?,0028E166,00000000,?,001AA3EB,00000002,002D0DF8), ref: 0028E098

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9f294ba6162931f66cd0973808806190119cd43709ce5971429d41891b29f9f8
Instruction ID: 4a38f902d686992f4fa14a01fdbfd7dbc3274efcafc2d6f9e35a07b9ccb7dc09
Opcode Fuzzy Hash: 9f294ba6162931f66cd0973808806190119cd43709ce5971429d41891b29f9f8
Instruction Fuzzy Hash: 65012636621215AFCF15AF19CC05C9E3B6ADB81334B250249F851AB2D1E6B2ED618BD0

Function 0027F290 Relevance: 1.6, APIs: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A220E

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 0066a1e10b838dc2517601967adab8722ae9df092e045c2984987d96b19a8257
Instruction ID: 7ec0627b89d2b1a4731f947e5883af93e13595e5f035cd1909d73d709955e1f9
Opcode Fuzzy Hash: 0066a1e10b838dc2517601967adab8722ae9df092e045c2984987d96b19a8257
Instruction Fuzzy Hash: D7012B3951430DABCB14FFA8E80299977AC9E01320B408436FE1CDB991EB70E9748BD0

Function 002963F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002891F7,00000000,?,00295D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0028D244,002889C3,002891F7,00000000), ref: 00296435

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 545ce9f5ac8b66467ddf3152798a5470cb66b59cb1f795be01dd233cdeb0931f
Instruction ID: 185e181de97f036ee12829bc50a2a7cdbda2f42e8ee39505ac21cd2e9662c056
Opcode Fuzzy Hash: 545ce9f5ac8b66467ddf3152798a5470cb66b59cb1f795be01dd233cdeb0931f
Instruction Fuzzy Hash: 49F0893157512666DF317FE29C0EB6B7BC99F417A4F15A011AC08A65C0DB70DC3146F1

Function 00296E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0029D635,4D88C033,?,0029D635,00000220,?,002957EF,4D88C033), ref: 00296E5F

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 07b7971b70c9b9995811d15f40eaf88af7cdd985f674bf7546a569346954184a
Instruction ID: 301a10e5a3c9fcfb197585e662ecc9d7dfdccfd8ec4807124bfe958cfe1beb6c
Opcode Fuzzy Hash: 07b7971b70c9b9995811d15f40eaf88af7cdd985f674bf7546a569346954184a
Instruction Fuzzy Hash: 75E0ED3E172A2766DE303EA6DD09F5B77C88F817A0F150121AC84A24E2CB60CC3085A4

Function 04E50448 Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc4a0bd117c5c5f337c3e4a7b844a839d026db706ce196e4709155332ac9746f
Instruction ID: 5a2a764af507803bc91366a6280da9730178443ab2fd36d38ab96ff913d5ad20
Opcode Fuzzy Hash: dc4a0bd117c5c5f337c3e4a7b844a839d026db706ce196e4709155332ac9746f
Instruction Fuzzy Hash: E72109EB6881107DB25292816B18AFAAB7EF6D37303309826F842C5423F2D85F4E6131

Function 04E5042D Relevance: .1, Instructions: 117COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95663d70ffff63ba306b9f79e3befda40ede459afba0eb95d89ae622de558e7f
Instruction ID: 95c5f6c25fe1e2961eb52367d1084ef010910b86c9e4d258f3b840702a8294a3
Opcode Fuzzy Hash: 95663d70ffff63ba306b9f79e3befda40ede459afba0eb95d89ae622de558e7f
Instruction Fuzzy Hash: 212160EB6880107DF25181906B18AF66B7EF6D3730370E826FC42C5423F288AA4E6131

Function 04E50433 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53c41c4cb0728582050c691fee02f5abfaecbd6daa9d5eefcb36bc0a1d3dd16c
Instruction ID: 21c39bd4a5ef676a85fefc19ac6f4f411dd893fe7c19bb5335cb31ab951aa70a
Opcode Fuzzy Hash: 53c41c4cb0728582050c691fee02f5abfaecbd6daa9d5eefcb36bc0a1d3dd16c
Instruction Fuzzy Hash: 6D1149EB68C0107DB25282816B18AF66B7EE6D3730331A82AFC42C5423F2895A0E6131

Function 04E50458 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2512e08cccbca70c8d41a730daa459016e34ea9bf3155a6bc78a7f717f5729b3
Instruction ID: 58b340c0256f9188212f66e4209c691e9117afe191d3f690f98cc8be5aa2aa9b
Opcode Fuzzy Hash: 2512e08cccbca70c8d41a730daa459016e34ea9bf3155a6bc78a7f717f5729b3
Instruction Fuzzy Hash: BB118FEB2881107DF25296816B18AF6AB7EF6D3330370A436F842D4423F2D81B4E6131

Function 04E5047B Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebc85509d6373921b34ab959d431fb1b3f1e83962544ef6fc13c879c4d884a31
Instruction ID: 59408b615e9abf7605d53f1c97a8cb5f40e1c6948ad4fac7e33eb7e8d777ac0d
Opcode Fuzzy Hash: ebc85509d6373921b34ab959d431fb1b3f1e83962544ef6fc13c879c4d884a31
Instruction Fuzzy Hash: A50184EF68C1207DB15282852B28AFAAB7EF6C27313309437F802D5412F2D85B5D6131

Function 04E504B0 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c72191560adcd2a3399e202544d417de532682ffe0ffd25e3fb5051ed1c3683c
Instruction ID: 2db0ce3eb719d930cae3eff2678fd5d79018933b6e1dc801bb7fe740b6047e20
Opcode Fuzzy Hash: c72191560adcd2a3399e202544d417de532682ffe0ffd25e3fb5051ed1c3683c
Instruction Fuzzy Hash: 1001BBEF6881247DB16192952B1CAF7A77EF6D3730370943AF802D0816F6C85B5D6131

Function 04E50497 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09bef79e3943062e49fd1f0c5c8d4d4cd41c03152a1e39b970dbc6f2800d89ca
Instruction ID: d0f50d166c4eda12ec0fa5cb51f59172585d12b4ed28532663b6c41419875398
Opcode Fuzzy Hash: 09bef79e3943062e49fd1f0c5c8d4d4cd41c03152a1e39b970dbc6f2800d89ca
Instruction Fuzzy Hash: DA01A4EB68D1247CB15281812B19AFAAB7EF1D37313749936F802D0813F2C85B5E6131

Function 04E504E2 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6149b5788fc314bb08b7f3a0ad911687881df53bd75f8c94304486d0a626529
Instruction ID: 9bee84b7fbd31d7e11f69a449e6d0521a0bf9ce50b9fb92d8cbf6b134bb1d55a
Opcode Fuzzy Hash: e6149b5788fc314bb08b7f3a0ad911687881df53bd75f8c94304486d0a626529
Instruction Fuzzy Hash: 55F098AF6880157CF16196862B18AFAA73DF2D37313709837F842D0422F6C85B1D6530

Function 04E504F6 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4136042782.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_4e50000_RageMP131.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 465940cb43fb34a3ddf8421d539d0905c84d288c627f451af6d376da65cecdf2
Instruction ID: 1f480ac6e30360d57b2a57e8e6964b4bb54e6dd9d5c3b3d6150d5c66426a1cd4
Opcode Fuzzy Hash: 465940cb43fb34a3ddf8421d539d0905c84d288c627f451af6d376da65cecdf2
Instruction Fuzzy Hash: DAE04EEF68C0147DB05192823B1CAFAA77DF2D37303709836F842D0412A2D84B5E6131

Non-executed Functions

Function 002884A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 5fb4f5a3a4908dbe5290cbef44e4eafe06387f307f4eedee9eec334ca4fec437
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 04025C75E1121A9BDF14DFA8C9806AEFBF5FF48314F648269D519E7380DB31A911CB80

Function 0020F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0020F833
std::_Lockit::_Lockit.LIBCPMT ref: 0020F855
std::_Lockit::~_Lockit.LIBCPMT ref: 0020F875
std::_Lockit::~_Lockit.LIBCPMT ref: 0020F89F
std::_Lockit::_Lockit.LIBCPMT ref: 0020F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0020F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0020F973
std::_Lockit::~_Lockit.LIBCPMT ref: 0020FA08
std::_Facet_Register.LIBCPMT ref: 0020FA15

Strings

bad locale name, xrefs: 0020FA2F
",, xrefs: 0020F96B, 0020F972

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$",
API String ID: 3375549084-3755561545
Opcode ID: cecd18cddc7d977882cbd031f8cb2cc2a14f86a64e21ee874b6869aaad957f8b
Instruction ID: d04c1b24472785ddd9c1385b38f81989888a257ca44e054184537d95b69c61c6
Opcode Fuzzy Hash: cecd18cddc7d977882cbd031f8cb2cc2a14f86a64e21ee874b6869aaad957f8b
Instruction Fuzzy Hash: 6561C071D203499FDF60DFA4D945B9EBBB4AF14310F188069E809A7782E774ED14CBA1

Function 00282E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00282E47
___except_validate_context_record.LIBVCRUNTIME ref: 00282E4F
_ValidateLocalCookies.LIBCMT ref: 00282ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00282F03
_ValidateLocalCookies.LIBCMT ref: 00282F58

Strings

csm, xrefs: 00282EED
i-, xrefs: 00282F78

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: i-$csm
API String ID: 1170836740-2298156223
Opcode ID: 0dc54f098738b74930305181f827d2f0d72f7a3bb389a8c0e83d59535f8f7d77
Instruction ID: 84fa196245cf84de9666bbdb9f5b61385e6ff3b69b748a8a1c407435376074a2
Opcode Fuzzy Hash: 0dc54f098738b74930305181f827d2f0d72f7a3bb389a8c0e83d59535f8f7d77
Instruction Fuzzy Hash: 3841E738A21209EBCF10EF58C884A9EBBB5EF45314F148055E9149B7D2D731EE69CF91

Function 001A39F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001A3A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001A3AA4
__Getctype.LIBCPMT ref: 001A3ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001A3AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 001A3B7B

Strings

bad locale name, xrefs: 001A3B96

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7153a208c8cd81cf15f60fa35d5dea86d6e515c8d394b11491c60756dc85158e
Instruction ID: b33b5804003c8c0a7e14425f4787b52261e7e08ec48ee0eaaed0840de7c69070
Opcode Fuzzy Hash: 7153a208c8cd81cf15f60fa35d5dea86d6e515c8d394b11491c60756dc85158e
Instruction Fuzzy Hash: 575161B5D112489FEF10DFA4D845B9EBBB8AF15310F148069F819EB381E774EA18CB61

Function 0020DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0020DE93
std::_Lockit::_Lockit.LIBCPMT ref: 0020DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 0020DED6
std::_Facet_Register.LIBCPMT ref: 0020DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0020DF63
Concurrency::cancel_current_task.LIBCPMT ref: 0020DF7B

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 28010c4433b1799a2708157f0aa6e8af048628cbf18a2258e16ef1aa60b026db
Instruction ID: abc922409c2b9162dff1b04a7c0e6bb79938d816a0dc2226ce8fd56c20db88a0
Opcode Fuzzy Hash: 28010c4433b1799a2708157f0aa6e8af048628cbf18a2258e16ef1aa60b026db
Instruction Fuzzy Hash: 5B41F271D212169FCB14DF94D849B6EBBB4FB15710F148269E815AB392DB30AD20CBD1

Function 001A4C50 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A4F72
___std_exception_destroy.LIBVCRUNTIME ref: 001A4FFF
___std_exception_copy.LIBVCRUNTIME ref: 001A50C8

Strings

recursive_directory_iterator::operator++, xrefs: 001A504C

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: a443f62dd7dfacc0e5adefae7553184b7239d4262ea5ec2c9954f7302da83185
Instruction ID: d560f6a0a2c713b3bc322d100e5bff48b78f38337fc5f5326152e361011fbdeb
Opcode Fuzzy Hash: a443f62dd7dfacc0e5adefae7553184b7239d4262ea5ec2c9954f7302da83185
Instruction Fuzzy Hash: 29E105759102049FCB28DF68D845BAEF7F9FF45300F108A2DE45693B82E7B4A954CBA1

Function 001A7820 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A799A
___std_exception_copy.LIBVCRUNTIME ref: 001A7B75

Strings

type_error, xrefs: 001A784A
out_of_range, xrefs: 001A7A27

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: 5716541bf7f5768026a5e876e3a836ec32d912b639eae1924417e410436ff793
Instruction ID: acf8353ace8d719e32bc2758f357b777ee5565d60fa2c352e7417adfd0466c76
Opcode Fuzzy Hash: 5716541bf7f5768026a5e876e3a836ec32d912b639eae1924417e410436ff793
Instruction Fuzzy Hash: E4C169B59002089FDB58CFA8D984B9EFBF1FF49310F14866AE419E7781E7749984CB50

Function 001A2270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001A2275

Part of subcall function 0027D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0027D6F5

Strings

L-, xrefs: 001A2347
L-, xrefs: 001A2427
string too long, xrefs: 001A2270

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$L-$L-
API String ID: 1997705970-77905906
Opcode ID: 3f9d0107efebf2c8a2d638cf5fbd2a6d9e44408e8ffb90de447d386557371334
Instruction ID: d5106d7899414a2951c7f8a7d676449398fc533cd44c2b86b104e1744eaf9e6a
Opcode Fuzzy Hash: 3f9d0107efebf2c8a2d638cf5fbd2a6d9e44408e8ffb90de447d386557371334
Instruction Fuzzy Hash: BC81E179A052859FDB16CF6CC4507EEBFB1BF6B300F18416AC894A7782C3758945CBA1

Function 001A73B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A75BE
___std_exception_destroy.LIBVCRUNTIME ref: 001A75CD

Strings

, column , xrefs: 001A7434, 001A744A
at line , xrefs: 001A73F7

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 9a84bfe0e15f032864443f45a48a9de5e0389ff3f1321ab3cf2e4d200c56592b
Instruction ID: 393c97ca0ca969a67e8906d07de29f0a6c8cbd87fda570dfb866191df20fc186
Opcode Fuzzy Hash: 9a84bfe0e15f032864443f45a48a9de5e0389ff3f1321ab3cf2e4d200c56592b
Instruction Fuzzy Hash: 58611575A142049FDB08DF68DC94BADBBB6FF4A300F24862CE415A77C2D774AA54CB90

Function 001A3D10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A3E7F

Strings

ios_base::failbit set, xrefs: 001A3D32
ios_base::badbit set, xrefs: 001A3E17
ios_base::eofbit set, xrefs: 001A3E41, 001A3E63

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 1ae429c783331f9702656d6ee4c88d096cdbb38a98c73b2c3991691858bd806f
Instruction ID: 46fd0018d7484f8135ae9d7b1fb94a06feebda05d87e9bb7e8ab6faf24f2ac1b
Opcode Fuzzy Hash: 1ae429c783331f9702656d6ee4c88d096cdbb38a98c73b2c3991691858bd806f
Instruction Fuzzy Hash: 8241D5B6910204AFCB04DF98C845BAEF7F8EF4A310F14852AF925D7741E774AA148BA0

Function 001A3DE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A3E7F

Strings

ios_base::failbit set, xrefs: 001A3D32, 001A3E1E
ios_base::badbit set, xrefs: 001A3E17
ios_base::eofbit set, xrefs: 001A3E28, 001A3E41, 001A3E63

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e13fc2a0d315f8db1c656ddf6c0421f390534240a35697569b21f6b5483df2ab
Instruction ID: e107e710da847a439edb641cb9f1e0042d6ebd2fb9dcdb5afeece9078fba2ccb
Opcode Fuzzy Hash: e13fc2a0d315f8db1c656ddf6c0421f390534240a35697569b21f6b5483df2ab
Instruction Fuzzy Hash: 90212BB6910304AFC714DF98D801F96F7DCAB06310F08886AFA78C7641E774EA24CB90

Function 001A6F40 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A7340

Strings

parse_error, xrefs: 001A6F8B
parse error, xrefs: 001A6FFF, 001A7018

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: b8bd574dec8177d7dc99ad8e8e9f4f5f4e475482575eb34bb5e76c07e2391e1e
Instruction ID: 92c8c26d2d2200a94325f05c741cded6e65d05bcd43fd7a2e24b40372ece7a61
Opcode Fuzzy Hash: b8bd574dec8177d7dc99ad8e8e9f4f5f4e475482575eb34bb5e76c07e2391e1e
Instruction Fuzzy Hash: BEE17C749042488FDB18CF68CD94BADBBB1FF49300F248269E418EB792D7749A85CF90

Function 001A6C60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A6F11
___std_exception_destroy.LIBVCRUNTIME ref: 001A6F20

Strings

[json.exception., xrefs: 001A6CB8

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 111e496ef94ea28fb43651af2e5fd20a98fd81b2947c6c7c46d64bacafb70551
Instruction ID: d2c0a6da5da8981e7dd2b487033fc4868bb653cff16d5d10b090bea5d415a861
Opcode Fuzzy Hash: 111e496ef94ea28fb43651af2e5fd20a98fd81b2947c6c7c46d64bacafb70551
Instruction Fuzzy Hash: B391E474A002049FDB18CF68C994BAEFBF6FF46300F24866CE419AB791D771A985CB50

Function 0021B450 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0021B612

Strings

invalid hash bucket count, xrefs: 0021B60D
Px!, xrefs: 0021B456, 0021B5BA, 0021B5F3, 0021B54A, 0021B4F1

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: Px!$invalid hash bucket count
API String ID: 909987262-1766863255
Opcode ID: bebad3da1a5ae37abf669b7b5f8ce494fdb8838e7aa2be20a3331b2f1a8cefbb
Instruction ID: 96a57ff71c40646cba73a34b1504f72fbc244bbfd1fc4b10332717b31c32295b
Opcode Fuzzy Hash: bebad3da1a5ae37abf669b7b5f8ce494fdb8838e7aa2be20a3331b2f1a8cefbb
Instruction Fuzzy Hash: 227133B4A10605EFCB15CF48C1808AAFBFAFF98300764C5AAD8199B315D731EA91CF90

Function 0021E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0021E491

Strings

type must be boolean, but is , xrefs: 0021E582
type must be string, but is , xrefs: 0021E4F8

Memory Dump Source

Source File: 00000007.00000002.4129278379.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000007.00000002.4129166018.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129278379.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129579639.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4129609409.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130178335.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000007.00000002.4130462840.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: dd57cf8771039f6da5c4db4436e9afccc9ecb3256ec21fcfda4d51c5a516ce6d
Instruction ID: 807f83b116ce08602a82da5c397a1371a26fbed58aa9945632879e5ef5bf4cde
Opcode Fuzzy Hash: dd57cf8771039f6da5c4db4436e9afccc9ecb3256ec21fcfda4d51c5a516ce6d
Instruction Fuzzy Hash: 98415DB5910248AFCF14EFA4DC02B9E77A8DB24310F144679F815D7AC2EB35E964C791

Analysis Process: RageMP131.exePID: 7556, Parent PID: 2580COMMON

Execution Graph

Execution Coverage:	2.9%
Dynamic/Decrypted Code Coverage:	2.3%
Signature Coverage:	0%
Total number of Nodes:	748
Total number of Limit Nodes:	75

Executed Functions

Function 00203A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00203DB6), ref: 00203B08
Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00203DB6), ref: 00203BBA

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 1a5272b4ba7d49ffa1925e747fb1e444fc6a87c69a9d2553073cafbea26b176b
Instruction ID: 8fd2e1a1556ca1373933fc46cbc0bad6408363a15c14d2d8a529bddbc7136485
Opcode Fuzzy Hash: 1a5272b4ba7d49ffa1925e747fb1e444fc6a87c69a9d2553073cafbea26b176b
Instruction Fuzzy Hash: AF51BC35A14216CFCB24CF58C4D0EA9B3B9FF45708B29459AD445AF392D731EE15CB80

Function 001BE0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32 ref: 001BE0CB
socket.WS2_32(?,?,?), ref: 001BE17E
connect.WS2_32(00000000,?,?), ref: 001BE193
closesocket.WS2_32(00000000), ref: 001BE19E

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Startupclosesocketconnectsocket
String ID:
API String ID: 3098855095-0
Opcode ID: 81e4e1ad59f69988ad2564c654c950568246b17d7c7052cc3b4e399ca1faf427
Instruction ID: f19356d7d9bbc3089a7452c5890340ce7519545eeea1e194fb08d3a6fb9dba0d
Opcode Fuzzy Hash: 81e4e1ad59f69988ad2564c654c950568246b17d7c7052cc3b4e399ca1faf427
Instruction Fuzzy Hash: 79319271605310ABD7209F39C848BABB7E4EF85764F104F1DF9A8A62D0D37599148AA2

Function 00284942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

O(, xrefs: 00284A93, 00284A61, 00284AAB, 00284AC7

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID: O(
API String ID: 0-2961352692
Opcode ID: de2682b5db8e2563b81c24c700635fd82509e6c6ca500bcdbd72a5da6d0bf684
Instruction ID: f4a823e26f3e85ead8dcb2b2093d541122f88a2ac611247369fe9a0f2a563f87
Opcode Fuzzy Hash: de2682b5db8e2563b81c24c700635fd82509e6c6ca500bcdbd72a5da6d0bf684
Instruction Fuzzy Hash: E2511738A11109AFCF14FF58C895AAABFB1EF45314F248159F8499F292D371EE61CB90

Function 00294623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6160038fdca57b9904698820e89c8124165ead298d79ea393b05522b1ceaa316
Instruction ID: e93ff6114757ae591a98bfc6cb6f576bf3bb2d54ef33197bdd6b53925ba4f5fa
Opcode Fuzzy Hash: 6160038fdca57b9904698820e89c8124165ead298d79ea393b05522b1ceaa316
Instruction Fuzzy Hash: 9EB1F174A20246ABEF15BFA8D844FAEBBB1BF45304F14415AE84097282C7709D62CF60

Function 04D80181 Relevance: 1.9, APIs: 1, Instructions: 423
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 26c743e5359bfdf36859432415dff8ab2d1e00a6d0c01d7989ce8b2912644df9
Instruction ID: 51480288e8fcb5f89ea0430e62398390a1e4f0870e2b17bd9f147bf6aa3f3022
Opcode Fuzzy Hash: 26c743e5359bfdf36859432415dff8ab2d1e00a6d0c01d7989ce8b2912644df9
Instruction Fuzzy Hash: AC819BEB34C110BEB603A1866B54EFB676DE6C6730732846FF887D5506F294AA8D2031

Function 04D803B3 Relevance: 1.8, APIs: 1, Instructions: 334
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: fd8790526849a086cac4f3c353c1242da2c63823e2bc2c9e2330062199dee3a0
Instruction ID: d50104125261a878c75c5b1ae7932fe4fe03ccdedd21d7be9719595374b65a8c
Opcode Fuzzy Hash: fd8790526849a086cac4f3c353c1242da2c63823e2bc2c9e2330062199dee3a0
Instruction Fuzzy Hash: 1C5181EB34C110BDB613A1466F55EFB672DE6C6B30332846FF887D5506F284AA8E2431

Function 04D803A3 Relevance: 1.8, APIs: 1, Instructions: 299
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: b8f985d9d7c59db7b0bc0d2f7062ca86010378a8946f30cde1120ecab5eb8133
Instruction ID: 3e94bdf0d9f4928e74da1d088b25f93191935c4abea48f29a0a2e8bd83dd718f
Opcode Fuzzy Hash: b8f985d9d7c59db7b0bc0d2f7062ca86010378a8946f30cde1120ecab5eb8133
Instruction Fuzzy Hash: 47513DEB34C114BDB153A1462F55EFB672DE2C6730732846BF887D5546F284AE8E2431

Function 04D803E4 Relevance: 1.8, APIs: 1, Instructions: 271
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 39b964908f762c68dadb46d523cae50b1026cd9161b7acb0a23d84d743b71eff
Instruction ID: c927c08e103aeca41a15baff6f2233c5d5a4e8a0169523d8dd62e093a77ed85d
Opcode Fuzzy Hash: 39b964908f762c68dadb46d523cae50b1026cd9161b7acb0a23d84d743b71eff
Instruction Fuzzy Hash: 7A515EEB34C110BD7153A1462F54EFB672EE2D6730332846FF887D5506F288AA8E2431

Function 04D803FB Relevance: 1.8, APIs: 1, Instructions: 267
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: c2fef618934c3584cc8bb1ede4d3fd65c1f5c65355d1cbb178a7c754b50ec1e4
Instruction ID: 3872d657f0c53a1650d5d3b599dc9e3bb856b6cb645e5078c2ae2fe34ca694c3
Opcode Fuzzy Hash: c2fef618934c3584cc8bb1ede4d3fd65c1f5c65355d1cbb178a7c754b50ec1e4
Instruction Fuzzy Hash: 82513DEB34C111BDB253A1462F54EFB672EE2D6730732846BF887D5546F384AA8E2431

Function 04D80418 Relevance: 1.8, APIs: 1, Instructions: 260
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: 07e6110c8d2b73d11b1c707b9fb3f490abfce34d162fde4f68c3a19219f6b945
Instruction ID: 40684f6a5ac999e502611fffd05714916b44512f871013ee3a1207cd7f9b6af3
Opcode Fuzzy Hash: 07e6110c8d2b73d11b1c707b9fb3f490abfce34d162fde4f68c3a19219f6b945
Instruction Fuzzy Hash: DA516DEB34C120BDB243A1562F55EFB672DE6D6730732846FF887D1506F284AA8E2531

Function 04D8043E Relevance: 1.7, APIs: 1, Instructions: 249
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 04D8044C

Memory Dump Source

Source File: 00000009.00000002.4135929384.0000000004D80000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_4d80000_RageMP131.jbxd

Similarity

API ID: CurrentProfile
String ID:
API String ID: 2104809126-0
Opcode ID: bf2be4495c3fa03136b1f471875278ac6ad3109daeec50da859d98562e45d361
Instruction ID: dd084c13dd62572cd8509a7f3dc194a5e9f31a96caf2ed857bf98f8fa218e136
Opcode Fuzzy Hash: bf2be4495c3fa03136b1f471875278ac6ad3109daeec50da859d98562e45d361
Instruction Fuzzy Hash: 42414CEB34C121BDB253A1462F54EFB672DE6D6730732846BF887D1506F394AA8E2431

Function 001AA210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__fread_nolock.LIBCMT ref: 001AA343

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: __fread_nolock
String ID:
API String ID: 2638373210-0
Opcode ID: 6933a1ccea3cb2208017e7263a422f6394436289d78137a05792a89832d6d0b4
Instruction ID: c97a7cfd2831d7d138dee1ded1b36d9e05549537124de91c70d521a1206af472
Opcode Fuzzy Hash: 6933a1ccea3cb2208017e7263a422f6394436289d78137a05792a89832d6d0b4
Instruction Fuzzy Hash: 7C717B74901204AFDF14EF68CC49BAEBBE8EF42300F54856DF8089B282D7B5D944CB92

Function 0029549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WriteFile.KERNELBASE(?,00000000,00289087,?,00000000,00000000,00000000,?,00000000,?,001AA3EB,00289087,00000000,001AA3EB,?,?), ref: 00295621

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: b1a5ed08a6b84192d3bf8bf03d8bc68a154fbb182acdbe0e9551eb21a8018e69
Instruction ID: bc6e0ea886450dc1ade7e0ef5e3ce2b50038854450efa8ac75a0af6180b74507
Opcode Fuzzy Hash: b1a5ed08a6b84192d3bf8bf03d8bc68a154fbb182acdbe0e9551eb21a8018e69
Instruction Fuzzy Hash: 7961D971E2452AAFDF12DFA8C844EEEBFB9AF05304F550149E904A7256D371DD21CBA0

Function 002106C0 Relevance: 1.7, APIs: 1, Instructions: 156
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 00210807

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 72ae2a14724d4e83691c0531f3cf1eefdbecef984361d26ffcaed67d00a3d962
Instruction ID: 10bd9799b05915a0ac675ff8a5ed57cfb7532a6f72d6144a8d78c9cd0bb5e08e
Opcode Fuzzy Hash: 72ae2a14724d4e83691c0531f3cf1eefdbecef984361d26ffcaed67d00a3d962
Instruction Fuzzy Hash: 4D4157769101189BCB04EF68DDC069EB7E5EF54350F1042A9FC05D7285DBB0ADB18BD1

Function 00210560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 002106AE

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID:
API String ID: 118556049-0
Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction ID: 83076e327057845a717a4ba5b3c097f4bb480b2b394468aa26eb6652e16f7ace
Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
Instruction Fuzzy Hash: F741E572A101149BCB15EF68D98069E7BE9AF95310F144169FC05EB346D7B0DDB08BE1

Function 00294B12 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,002949F9,00000000,CF830579,002D1140,0000000C,00294AB5,00288BBD,?), ref: 00294B68

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ChangeCloseFindNotification
String ID:
API String ID: 2591292051-0
Opcode ID: db5523cd8147b2c636344ee494e916018787653a50ef6acbd66c43ecb7cc3f16
Instruction ID: 268c009c9285076848e8cb2f79dc5e2a22d67f79d0d745b3f8f0fa584bed552e
Opcode Fuzzy Hash: db5523cd8147b2c636344ee494e916018787653a50ef6acbd66c43ecb7cc3f16
Instruction Fuzzy Hash: 39114C33E7521416DE143A756C25F7D578D8F927BCF2A024AF918870C2EE60DC625195

Function 0028E05C Relevance: 1.6, APIs: 1, Instructions: 54COMMONLIBRARYCODE

Download Yara Rule

APIs

SetFilePointerEx.KERNELBASE(00000000,00000000,002D0DF8,001AA3EB,00000002,001AA3EB,00000000,?,?,?,0028E166,00000000,?,001AA3EB,00000002,002D0DF8), ref: 0028E098

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: db549fbffc427a0b09a5a4492872e4821874e02315510deb13146a9092323c9b
Instruction ID: 9c9efdf1d76443ab59abd77633ac3810dbb672a5ec474fd9c2e4a60283b8e3ed
Opcode Fuzzy Hash: db549fbffc427a0b09a5a4492872e4821874e02315510deb13146a9092323c9b
Instruction Fuzzy Hash: 0A014936621115AFDF05AF19CC05C9E3B6ADF81334F250249FC50AB2D1E6B2ED618BD0

Function 0027F290 Relevance: 1.6, APIs: 1, Instructions: 51COMMONLIBRARYCODE

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A220E

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID:
API String ID: 2659868963-0
Opcode ID: 0066a1e10b838dc2517601967adab8722ae9df092e045c2984987d96b19a8257
Instruction ID: 7ec0627b89d2b1a4731f947e5883af93e13595e5f035cd1909d73d709955e1f9
Opcode Fuzzy Hash: 0066a1e10b838dc2517601967adab8722ae9df092e045c2984987d96b19a8257
Instruction Fuzzy Hash: D7012B3951430DABCB14FFA8E80299977AC9E01320B408436FE1CDB991EB70E9748BD0

Function 002963F3 Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,002891F7,00000000,?,00295D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,0028D244,002889C3,002891F7,00000000), ref: 00296435

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 545ce9f5ac8b66467ddf3152798a5470cb66b59cb1f795be01dd233cdeb0931f
Instruction ID: 185e181de97f036ee12829bc50a2a7cdbda2f42e8ee39505ac21cd2e9662c056
Opcode Fuzzy Hash: 545ce9f5ac8b66467ddf3152798a5470cb66b59cb1f795be01dd233cdeb0931f
Instruction Fuzzy Hash: 49F0893157512666DF317FE29C0EB6B7BC99F417A4F15A011AC08A65C0DB70DC3146F1

Function 00296E2D Relevance: 1.5, APIs: 1, Instructions: 33memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000000,0029D635,4D88C033,?,0029D635,00000220,?,002957EF,4D88C033), ref: 00296E60

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: d473450625e253d461a9ff0d660f66d49befc86e2be1e3f0a3b029f57d15cfda
Instruction ID: 20287079a56181d003b602466e32515aed4510e3a1d67ff987e41364490cbf36
Opcode Fuzzy Hash: d473450625e253d461a9ff0d660f66d49befc86e2be1e3f0a3b029f57d15cfda
Instruction Fuzzy Hash: 89E0ED3D131A2766DE303EA6DD08F6B77C88F823A1F050121AC84924D2DB60CC3085A4

Non-executed Functions

Function 002884A0 Relevance: 6.5, APIs: 4, Instructions: 455COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction ID: 5fb4f5a3a4908dbe5290cbef44e4eafe06387f307f4eedee9eec334ca4fec437
Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
Instruction Fuzzy Hash: 04025C75E1121A9BDF14DFA8C9806AEFBF5FF48314F648269D519E7380DB31A911CB80

Function 0020F810 Relevance: 19.4, APIs: 9, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0020F833
std::_Lockit::_Lockit.LIBCPMT ref: 0020F855
std::_Lockit::~_Lockit.LIBCPMT ref: 0020F875
std::_Lockit::~_Lockit.LIBCPMT ref: 0020F89F
std::_Lockit::_Lockit.LIBCPMT ref: 0020F90D
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0020F959
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 0020F973
std::_Lockit::~_Lockit.LIBCPMT ref: 0020FA08
std::_Facet_Register.LIBCPMT ref: 0020FA15

Strings

",, xrefs: 0020F96B, 0020F972
bad locale name, xrefs: 0020FA2F

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
String ID: bad locale name$",
API String ID: 3375549084-3755561545
Opcode ID: cecd18cddc7d977882cbd031f8cb2cc2a14f86a64e21ee874b6869aaad957f8b
Instruction ID: d04c1b24472785ddd9c1385b38f81989888a257ca44e054184537d95b69c61c6
Opcode Fuzzy Hash: cecd18cddc7d977882cbd031f8cb2cc2a14f86a64e21ee874b6869aaad957f8b
Instruction Fuzzy Hash: 6561C071D203499FDF60DFA4D945B9EBBB4AF14310F188069E809A7782E774ED14CBA1

Function 00282E10 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 132COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00282E47
___except_validate_context_record.LIBVCRUNTIME ref: 00282E4F
_ValidateLocalCookies.LIBCMT ref: 00282ED8
__IsNonwritableInCurrentImage.LIBCMT ref: 00282F03
_ValidateLocalCookies.LIBCMT ref: 00282F58

Strings

csm, xrefs: 00282EED
i-, xrefs: 00282F78

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: i-$csm
API String ID: 1170836740-2298156223
Opcode ID: 0dc54f098738b74930305181f827d2f0d72f7a3bb389a8c0e83d59535f8f7d77
Instruction ID: 84fa196245cf84de9666bbdb9f5b61385e6ff3b69b748a8a1c407435376074a2
Opcode Fuzzy Hash: 0dc54f098738b74930305181f827d2f0d72f7a3bb389a8c0e83d59535f8f7d77
Instruction Fuzzy Hash: 3841E738A21209EBCF10EF58C884A9EBBB5EF45314F148055E9149B7D2D731EE69CF91

Function 001A39F0 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 156COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 001A3A58
std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 001A3AA4
__Getctype.LIBCPMT ref: 001A3ABA
std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 001A3AE6
std::_Lockit::~_Lockit.LIBCPMT ref: 001A3B7B

Strings

bad locale name, xrefs: 001A3B96

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
String ID: bad locale name
API String ID: 1840309910-1405518554
Opcode ID: 7153a208c8cd81cf15f60fa35d5dea86d6e515c8d394b11491c60756dc85158e
Instruction ID: b33b5804003c8c0a7e14425f4787b52261e7e08ec48ee0eaaed0840de7c69070
Opcode Fuzzy Hash: 7153a208c8cd81cf15f60fa35d5dea86d6e515c8d394b11491c60756dc85158e
Instruction Fuzzy Hash: 575161B5D112489FEF10DFA4D845B9EBBB8AF15310F148069F819EB381E774EA18CB61

Function 0020DE70 Relevance: 9.1, APIs: 6, Instructions: 124COMMON

Download Yara Rule

APIs

std::_Lockit::_Lockit.LIBCPMT ref: 0020DE93
std::_Lockit::_Lockit.LIBCPMT ref: 0020DEB6
std::_Lockit::~_Lockit.LIBCPMT ref: 0020DED6
std::_Facet_Register.LIBCPMT ref: 0020DF4B
std::_Lockit::~_Lockit.LIBCPMT ref: 0020DF63
Concurrency::cancel_current_task.LIBCPMT ref: 0020DF7B

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
String ID:
API String ID: 2081738530-0
Opcode ID: 28010c4433b1799a2708157f0aa6e8af048628cbf18a2258e16ef1aa60b026db
Instruction ID: abc922409c2b9162dff1b04a7c0e6bb79938d816a0dc2226ce8fd56c20db88a0
Opcode Fuzzy Hash: 28010c4433b1799a2708157f0aa6e8af048628cbf18a2258e16ef1aa60b026db
Instruction Fuzzy Hash: 5B41F271D212169FCB14DF94D849B6EBBB4FB15710F148269E815AB392DB30AD20CBD1

Function 001A4C50 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 442COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A4F72
___std_exception_destroy.LIBVCRUNTIME ref: 001A4FFF
___std_exception_copy.LIBVCRUNTIME ref: 001A50C8

Strings

recursive_directory_iterator::operator++, xrefs: 001A504C

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy$___std_exception_copy
String ID: recursive_directory_iterator::operator++
API String ID: 1206660477-953255998
Opcode ID: ef4976efbcc0c0ab99e25f55510a3355889f9b2cf5487f1be8d31684b5b27b02
Instruction ID: d560f6a0a2c713b3bc322d100e5bff48b78f38337fc5f5326152e361011fbdeb
Opcode Fuzzy Hash: ef4976efbcc0c0ab99e25f55510a3355889f9b2cf5487f1be8d31684b5b27b02
Instruction Fuzzy Hash: 29E105759102049FCB28DF68D845BAEF7F9FF45300F108A2DE45693B82E7B4A954CBA1

Function 001A7820 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 310COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A799A
___std_exception_copy.LIBVCRUNTIME ref: 001A7B75

Strings

out_of_range, xrefs: 001A7A27
type_error, xrefs: 001A784A

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: out_of_range$type_error
API String ID: 2659868963-3702451861
Opcode ID: 5716541bf7f5768026a5e876e3a836ec32d912b639eae1924417e410436ff793
Instruction ID: acf8353ace8d719e32bc2758f357b777ee5565d60fa2c352e7417adfd0466c76
Opcode Fuzzy Hash: 5716541bf7f5768026a5e876e3a836ec32d912b639eae1924417e410436ff793
Instruction Fuzzy Hash: E4C169B59002089FDB58CFA8D984B9EFBF1FF49310F14866AE419E7781E7749984CB50

Function 001A2270 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 218COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 001A2275

Part of subcall function 0027D6E9: std::invalid_argument::invalid_argument.LIBCONCRT ref: 0027D6F5

Strings

L-, xrefs: 001A2427
L-, xrefs: 001A2347
string too long, xrefs: 001A2270

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_std::invalid_argument::invalid_argument
String ID: string too long$L-$L-
API String ID: 1997705970-77905906
Opcode ID: 3f9d0107efebf2c8a2d638cf5fbd2a6d9e44408e8ffb90de447d386557371334
Instruction ID: d5106d7899414a2951c7f8a7d676449398fc533cd44c2b86b104e1744eaf9e6a
Opcode Fuzzy Hash: 3f9d0107efebf2c8a2d638cf5fbd2a6d9e44408e8ffb90de447d386557371334
Instruction Fuzzy Hash: BC81E179A052859FDB16CF6CC4507EEBFB1BF6B300F18416AC894A7782C3758945CBA1

Function 001A73B0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A75BE
___std_exception_destroy.LIBVCRUNTIME ref: 001A75CD

Strings

at line , xrefs: 001A73F7
, column , xrefs: 001A7434, 001A744A

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: at line $, column
API String ID: 4194217158-191570568
Opcode ID: 5b6f82af69b4ade8b3770209dd007584e2a5ff049cce845e6450eee9e0e2a926
Instruction ID: 393c97ca0ca969a67e8906d07de29f0a6c8cbd87fda570dfb866191df20fc186
Opcode Fuzzy Hash: 5b6f82af69b4ade8b3770209dd007584e2a5ff049cce845e6450eee9e0e2a926
Instruction Fuzzy Hash: 58611575A142049FDB08DF68DC94BADBBB6FF4A300F24862CE415A77C2D774AA54CB90

Function 001A3D10 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 152COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A3E7F

Strings

ios_base::eofbit set, xrefs: 001A3E41, 001A3E63
ios_base::failbit set, xrefs: 001A3D32
ios_base::badbit set, xrefs: 001A3E17

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: 1ae429c783331f9702656d6ee4c88d096cdbb38a98c73b2c3991691858bd806f
Instruction ID: 46fd0018d7484f8135ae9d7b1fb94a06feebda05d87e9bb7e8ab6faf24f2ac1b
Opcode Fuzzy Hash: 1ae429c783331f9702656d6ee4c88d096cdbb38a98c73b2c3991691858bd806f
Instruction Fuzzy Hash: 8241D5B6910204AFCB04DF98C845BAEF7F8EF4A310F14852AF925D7741E774AA148BA0

Function 001A3DE0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 79COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A3E7F

Strings

ios_base::eofbit set, xrefs: 001A3E28, 001A3E41, 001A3E63
ios_base::failbit set, xrefs: 001A3D32, 001A3E1E
ios_base::badbit set, xrefs: 001A3E17

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
API String ID: 2659868963-1866435925
Opcode ID: e13fc2a0d315f8db1c656ddf6c0421f390534240a35697569b21f6b5483df2ab
Instruction ID: e107e710da847a439edb641cb9f1e0042d6ebd2fb9dcdb5afeece9078fba2ccb
Opcode Fuzzy Hash: e13fc2a0d315f8db1c656ddf6c0421f390534240a35697569b21f6b5483df2ab
Instruction Fuzzy Hash: 90212BB6910304AFC714DF98D801F96F7DCAB06310F08886AFA78C7641E774EA24CB90

Function 001A6F40 Relevance: 5.6, APIs: 1, Strings: 2, Instructions: 349COMMON

Download Yara Rule

APIs

___std_exception_copy.LIBVCRUNTIME ref: 001A7340

Strings

parse error, xrefs: 001A6FFF, 001A7018
parse_error, xrefs: 001A6F8B

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_copy
String ID: parse error$parse_error
API String ID: 2659868963-1820534363
Opcode ID: 434132c2db87bbbb940706ce3a25ad810c6ccb68916a08e538ca1fde04d734bd
Instruction ID: 92c8c26d2d2200a94325f05c741cded6e65d05bcd43fd7a2e24b40372ece7a61
Opcode Fuzzy Hash: 434132c2db87bbbb940706ce3a25ad810c6ccb68916a08e538ca1fde04d734bd
Instruction Fuzzy Hash: BEE17C749042488FDB18CF68CD94BADBBB1FF49300F248269E418EB792D7749A85CF90

Function 001A6C60 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 247COMMON

Download Yara Rule

APIs

___std_exception_destroy.LIBVCRUNTIME ref: 001A6F11
___std_exception_destroy.LIBVCRUNTIME ref: 001A6F20

Strings

[json.exception., xrefs: 001A6CB8

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: ___std_exception_destroy
String ID: [json.exception.
API String ID: 4194217158-791563284
Opcode ID: 7b16c5c16b842a3c4a4cc06fe1c1784e050ba9f00a49a61a7c512b78953ac08f
Instruction ID: d2c0a6da5da8981e7dd2b487033fc4868bb653cff16d5d10b090bea5d415a861
Opcode Fuzzy Hash: 7b16c5c16b842a3c4a4cc06fe1c1784e050ba9f00a49a61a7c512b78953ac08f
Instruction Fuzzy Hash: B391E474A002049FDB18CF68C994BAEFBF6FF46300F24866CE419AB791D771A985CB50

Function 0021B450 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 190COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 0021B612

Strings

Px!, xrefs: 0021B456, 0021B5BA, 0021B5F3, 0021B54A, 0021B4F1
invalid hash bucket count, xrefs: 0021B60D

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Xinvalid_argumentstd::_
String ID: Px!$invalid hash bucket count
API String ID: 909987262-1766863255
Opcode ID: bebad3da1a5ae37abf669b7b5f8ce494fdb8838e7aa2be20a3331b2f1a8cefbb
Instruction ID: 96a57ff71c40646cba73a34b1504f72fbc244bbfd1fc4b10332717b31c32295b
Opcode Fuzzy Hash: bebad3da1a5ae37abf669b7b5f8ce494fdb8838e7aa2be20a3331b2f1a8cefbb
Instruction Fuzzy Hash: 227133B4A10605EFCB15CF48C1808AAFBFAFF98300764C5AAD8199B315D731EA91CF90

Function 0021E440 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140COMMON

Download Yara Rule

APIs

Concurrency::cancel_current_task.LIBCPMT ref: 0021E491

Strings

type must be string, but is , xrefs: 0021E4F8
type must be boolean, but is , xrefs: 0021E582

Memory Dump Source

Source File: 00000009.00000002.4129261086.00000000001A1000.00000040.00000001.01000000.00000006.sdmp, Offset: 001A0000, based on PE: true

Associated: 00000009.00000002.4129182772.00000000001A0000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129261086.00000000002D3000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129453751.00000000002D8000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.00000000002DC000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000458000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000546000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.000000000057D000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000586000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4129486258.0000000000594000.00000040.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130054809.0000000000595000.00000080.00000001.01000000.00000006.sdmpDownload File
Associated: 00000009.00000002.4130367278.000000000073C000.00000040.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1a0000_RageMP131.jbxd

Yara matches

Similarity

API ID: Concurrency::cancel_current_task
String ID: type must be boolean, but is $type must be string, but is
API String ID: 118556049-436076039
Opcode ID: dd57cf8771039f6da5c4db4436e9afccc9ecb3256ec21fcfda4d51c5a516ce6d
Instruction ID: 807f83b116ce08602a82da5c397a1371a26fbed58aa9945632879e5ef5bf4cde
Opcode Fuzzy Hash: dd57cf8771039f6da5c4db4436e9afccc9ecb3256ec21fcfda4d51c5a516ce6d
Instruction Fuzzy Hash: 98415DB5910248AFCF14EFA4DC02B9E77A8DB24310F144679F815D7AC2EB35E964C791

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report LisectAVT_2403002A_228.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\MPGPH131\MPGPH131.exe

C:\ProgramData\MPGPH131\MPGPH131.exe:Zone.Identifier

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe

C:\Users\user\AppData\Local\RageMP131\RageMP131.exe:Zone.Identifier

C:\Users\user\AppData\Local\Temp\rage131MP.tmp

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Exports

Possible Origin

Network Behavior

Suricata IDS Alerts

Windows Analysis Report
LisectAVT_2403002A_228.exe

Function 0067E0A0 Relevance: 6.1, APIs: 4, Instructions: 100
networkCOMMON

Function 006C3A40 Relevance: 2.7, APIs: 2, Instructions: 157
sleepCOMMON

Function 05130A73 Relevance: 1.7, APIs: 1, Instructions: 240
COMMON

Function 0073F290 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 51
COMMONLIBRARYCODE

Function 00744942 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 157
COMMON

Function 00754623 Relevance: 3.3, APIs: 2, Instructions: 297
COMMONLIBRARYCODE

Function 05130AE0 Relevance: 1.8, APIs: 1, Instructions: 261
COMMON

Function 05130A81 Relevance: 1.7, APIs: 1, Instructions: 243
COMMON

Function 0066A210 Relevance: 1.7, APIs: 1, Instructions: 231
COMMON

Function 05130AFE Relevance: 1.7, APIs: 1, Instructions: 227
COMMON

Function 05130ACC Relevance: 1.7, APIs: 1, Instructions: 205
COMMON

Function 0075549C Relevance: 1.7, APIs: 1, Instructions: 198
fileCOMMON

Function 006D0560 Relevance: 1.6, APIs: 1, Instructions: 138
COMMON

Function 00754B12 Relevance: 1.6, APIs: 1, Instructions: 65
COMMON

Function 0074E05C Relevance: 1.6, APIs: 1, Instructions: 54
COMMONLIBRARYCODE