
Windows Analysis Report
LisectAVT_2403002A_218.exe

Overview

General Information

Sample name: LisectAVT_2403002A_218.exe
Analysis ID: 1482410
MD5: 6b79ebbf323bc3f77fb55112e9110f12
SHA1: 764f8ef62fcbae36f7aa89e7766c171a2cb0d658
SHA256: b0f736a2ff992a8adc9fe5186368ef213b16cdf26acde6de7a6ec7dd9efa14fd
Tags: exe

Detection

RisePro Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected unpacking (changes PE section rights)
Yara detected RisePro Stealer
AI detected suspicious sample
Connects to many ports of the same IP (likely port scanning)
Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors)
Hides threads from debuggers
Machine Learning detection for dropped file
Machine Learning detection for sample
PE file contains section with special chars
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Uses schtasks.exe or at.exe to add and modify task schedules
Abnormal high CPU Usage
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Entry point lies outside standard sections
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • LisectAVT_2403002A_218.exe (PID: 3596 cmdline: "C:\Users\user\Desktop\LisectAVT_2403002A_218.exe" MD5: 6B79EBBF323BC3F77FB55112E9110F12)
    • schtasks.exe (PID: 3944 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1632 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 320 cmdline: schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • MPGPH131.exe (PID: 4580 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6B79EBBF323BC3F77FB55112E9110F12)
  • MPGPH131.exe (PID: 2656 cmdline: C:\ProgramData\MPGPH131\MPGPH131.exe MD5: 6B79EBBF323BC3F77FB55112E9110F12)
  • RageMP131.exe (PID: 7324 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6B79EBBF323BC3F77FB55112E9110F12)
  • RageMP131.exe (PID: 7652 cmdline: "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe" MD5: 6B79EBBF323BC3F77FB55112E9110F12)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_RiseProStealer | Yara detected RisePro Stealer | Joe Security |
(5 of 10 entries shown)

System Summary

Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe, ProcessId: 3596, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RageMP131
No Snort rule has matched

Timestamp | SID | Source Port | Destination Port | Protocol | Classtype
2024-07-25T22:35:48.985004+0200 | 2022930 | 443 | 49707 | TCP | A Network Trojan was detected
2024-07-25T22:35:33.898254+0200 | 2049060 | 49704 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:35:58.153768+0200 | 2046269 | 49716 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:35:39.900957+0200 | 2049060 | 49706 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:35:36.888332+0200 | 2046269 | 49704 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:36:27.419925+0200 | 2022930 | 443 | 49717 | TCP | A Network Trojan was detected
2024-07-25T22:35:42.875935+0200 | 2046269 | 49706 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:35:50.981833+0200 | 2046269 | 49709 | 58709 | TCP | A Network Trojan was detected
2024-07-25T22:35:42.873236+0200 | 2046269 | 49705 | 58709 | TCP | A Network Trojan was detected


AV Detection

Source: LisectAVT_2403002A_218.exe | Avira: detected
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Avira: detection malicious, Label: TR/Redcap.iodtu
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Avira: detection malicious, Label: TR/Redcap.iodtu
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Joe Sandbox ML: detected
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_218.exe | Joe Sandbox ML: detected
Source: LisectAVT_2403002A_218.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Networking

Source: global traffic | TCP traffic: 193.233.132.74 ports 0,5,7,8,58709,9
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 193.233.132.74:58709
Source: Joe Sandbox View | IP Address: 193.233.132.74
Source: Joe Sandbox View | ASN Name: FREE-NET-ASFREEnetEU
Source: unknown | TCP traffic detected without corresponding DNS query: 193.233.132.74 (25 identical entries)
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_009FE0A0 recv,setsockopt,WSAStartup,closesocket,socket,connect,closesocket
Source: LisectAVT_2403002A_218.exe, 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_218.exe, 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://www.winimage.com/zLibDll
Source: LisectAVT_2403002A_218.exe, 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_218.exe, 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008BE000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000006.00000002.3306495921.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3308650896.000000000159B000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3307041255.000000000080E000.00000004.00000020.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORT
Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008BE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://t.me/RiseProSUPPORTd

System Summary

Source: LisectAVT_2403002A_218.exe | Static PE information: section name:
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: .idata
Source: LisectAVT_2403002A_218.exe | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name:
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code functions: 0_2_00A550B0, 0_2_00A69880, 0_2_00AD9824, 0_2_009E91A0, 0_2_00A573F0, 0_2_00AC84A0, 0_2_00AC2CE0, 0_2_009E24F0, 0_2_00AC646A, 0_2_00A655B0, 0_2_009E8D70, 0_2_00A66550, 0_2_00ACBEAF, 0_2_009F9F50, 0_2_00ADF771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code functions: 6_2_00B350B0, 6_2_00B49880, 6_2_00BB9824, 6_2_00AC91A0, 6_2_00B373F0, 6_2_00BA84A0, 6_2_00BA2CE0, 6_2_00AC24F0, 6_2_00BA646A, 6_2_00B455B0, 6_2_00AC8D70, 6_2_00B46550, 6_2_00BABEAF, 6_2_00BBF771, 6_2_00AD9F50
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code functions: 7_2_00B350B0, 7_2_00B49880, 7_2_00BB9824, 7_2_00AC91A0, 7_2_00B373F0, 7_2_00BA84A0, 7_2_00BA2CE0, 7_2_00AC24F0, 7_2_00BA646A, 7_2_00B455B0, 7_2_00AC8D70, 7_2_00B46550, 7_2_00BABEAF, 7_2_00BBF771, 7_2_00AD9F50
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code functions: 8_2_009F9880, 8_2_009E50B0, 8_2_00A69824, 8_2_009791A0, 8_2_009E73F0, 8_2_00A584A0, 8_2_00A52CE0, 8_2_009724F0, 8_2_00A5646A, 8_2_009F55B0, 8_2_009F6550, 8_2_00978D70, 8_2_00A5BEAF, 8_2_00989F50, 8_2_00A6F771
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code functions: 10_2_009F9880, 10_2_009E50B0, 10_2_00A69824, 10_2_009791A0, 10_2_009E73F0, 10_2_00A584A0, 10_2_00A52CE0, 10_2_009724F0, 10_2_00A5646A, 10_2_009F55B0, 10_2_009F6550, 10_2_00978D70, 10_2_00A5BEAF, 10_2_00989F50, 10_2_00A6F771
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: String function: 00B9FED0 appears 52 times
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: String function: 00A4FED0 appears 52 times
Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3307103873.00000000009D0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_218.exe
Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_218.exe
Source: LisectAVT_2403002A_218.exe | Binary or memory string: OriginalFilenamefilezilla.exe4 vs LisectAVT_2403002A_218.exe
Source: LisectAVT_2403002A_218.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: LisectAVT_2403002A_218.exe | Static PE information: Section: ZLIB complexity 0.9990462662337662
Source: LisectAVT_2403002A_218.exe | Static PE information: Section: ixqntyfn ZLIB complexity 0.990290031029671
Source: RageMP131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9990462662337662
Source: RageMP131.exe.0.dr | Static PE information: Section: ixqntyfn ZLIB complexity 0.990290031029671
Source: MPGPH131.exe.0.dr | Static PE information: Section: ZLIB complexity 0.9990462662337662
Source: MPGPH131.exe.0.dr | Static PE information: Section: ixqntyfn ZLIB complexity 0.990290031029671
Source: classification engine | Classification label: mal100.troj.evad.winEXE@11/5@0/1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File created: C:\Users\user\AppData\Local\RageMP131
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1848:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1632:120:WilError_03
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File created: C:\Users\user\AppData\Local\Temp\rage131MP.tmp
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: LisectAVT_2403002A_218.exe, 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_218.exe, 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: LisectAVT_2403002A_218.exe, 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, LisectAVT_2403002A_218.exe, 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, MPGPH131.exe, 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, RageMP131.exe, 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: UPDATE %Q.%s SET sql = sqlite_rename_table(sql, %Q), tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: LisectAVT_2403002A_218.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: MPGPH131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: RageMP131.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File read: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
Source: unknown | Process created: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe "C:\Users\user\Desktop\LisectAVT_2403002A_218.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\ProgramData\MPGPH131\MPGPH131.exe C:\ProgramData\MPGPH131\MPGPH131.exe
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: unknown | Process created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe "C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe | Section loaded: xmllite.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: apphelp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winhttp.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: wininet.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: mswsock.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: devobj.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: winmm.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: rstrtmgr.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ncrypt.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: ntasn1.dll
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Section loaded: sspicli.dll
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\ProgramData\MPGPH131\MPGPH131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: apphelp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winmm.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: rstrtmgr.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ncrypt.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: ntasn1.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: sspicli.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: winhttp.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: wininet.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: mswsock.dllJump to behavior
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exeSection loaded: devobj.dllJump to behavior
            Source: LisectAVT_2403002A_218.exeStatic file information: File size 2343431 > 1048576
            Source: LisectAVT_2403002A_218.exeStatic PE information: Raw size of ixqntyfn is bigger than: 0x100000 < 0x1a9800

Data Obfuscation

Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Unpacked PE file: 0.2.LisectAVT_2403002A_218.exe.9e0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW; vs :ER;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 6.2.MPGPH131.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW; vs :ER;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW;
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Unpacked PE file: 7.2.MPGPH131.exe.ac0000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW; vs :ER;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 8.2.RageMP131.exe.970000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW; vs :ER;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW;
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Unpacked PE file: 10.2.RageMP131.exe.970000.0.unpack :EW;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW; vs :ER;.rsrc:W;.idata :W; :EW;ixqntyfn:EW;fwmicjtz:EW;
Source: initial sample | Static PE information: section where entry point is pointing to: fwmicjtz
Source: LisectAVT_2403002A_218.exe | Static PE information: real checksum: 0x2416ea should be: 0x2416f1
Source: RageMP131.exe.0.dr | Static PE information: real checksum: 0x2416ea should be: 0x2416f1
Source: MPGPH131.exe.0.dr | Static PE information: real checksum: 0x2416ea should be: 0x2416f1
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: (empty)
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: .idata
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: (empty)
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: ixqntyfn
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: fwmicjtz
Source: RageMP131.exe.0.dr | Static PE information: section name: (empty)
Source: RageMP131.exe.0.dr | Static PE information: section name: .idata
Source: RageMP131.exe.0.dr | Static PE information: section name: (empty)
Source: RageMP131.exe.0.dr | Static PE information: section name: ixqntyfn
Source: RageMP131.exe.0.dr | Static PE information: section name: fwmicjtz
Source: MPGPH131.exe.0.dr | Static PE information: section name: (empty)
Source: MPGPH131.exe.0.dr | Static PE information: section name: .idata
Source: MPGPH131.exe.0.dr | Static PE information: section name: (empty)
Source: MPGPH131.exe.0.dr | Static PE information: section name: ixqntyfn
Source: MPGPH131.exe.0.dr | Static PE information: section name: fwmicjtz
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push 7E7D5AE6h; mov dword ptr [esp], edx 0_2_00F8A071
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push ebp; mov dword ptr [esp], 6B952718h 0_2_00F8A07D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push 3196D53Ah; mov dword ptr [esp], esi 0_2_00F8A0EC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push eax; mov dword ptr [esp], 68BEA1A4h 0_2_00F8A0FA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push esi; mov dword ptr [esp], eax 0_2_00F8A10C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A048 push edx; mov dword ptr [esp], ebx 0_2_00F8A155
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push edx; mov dword ptr [esp], 3FBEF12Ch 0_2_00F8A001
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push ecx; mov dword ptr [esp], edx 0_2_00F8A02A
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push 7E7D5AE6h; mov dword ptr [esp], edx 0_2_00F8A071
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push ebp; mov dword ptr [esp], 6B952718h 0_2_00F8A07D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push 3196D53Ah; mov dword ptr [esp], esi 0_2_00F8A0EC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push eax; mov dword ptr [esp], 68BEA1A4h 0_2_00F8A0FA
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push esi; mov dword ptr [esp], eax 0_2_00F8A10C
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A000 push edx; mov dword ptr [esp], ebx 0_2_00F8A155
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push ebp; mov dword ptr [esp], ecx 0_2_00F8A186
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push 347B5DCCh; mov dword ptr [esp], esp 0_2_00F8A1A0
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push 074210AEh; mov dword ptr [esp], ecx 0_2_00F8A1B8
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push 6A865140h; mov dword ptr [esp], ebx 0_2_00F8A1C3
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push eax; mov dword ptr [esp], edx 0_2_00F8A1D1
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push 650C164Dh; mov dword ptr [esp], esi 0_2_00F8A1DC
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00F8A185 push 140C8393h; mov dword ptr [esp], ebx 0_2_00F8A29D
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00ABFA97 push ecx; ret 0_2_00ABFAAA
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push ebp; mov dword ptr [esp], ecx 6_2_0106A186
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push 347B5DCCh; mov dword ptr [esp], esp 6_2_0106A1A0
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push 074210AEh; mov dword ptr [esp], ecx 6_2_0106A1B8
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push 6A865140h; mov dword ptr [esp], ebx 6_2_0106A1C3
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push eax; mov dword ptr [esp], edx 6_2_0106A1D1
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push 650C164Dh; mov dword ptr [esp], esi 6_2_0106A1DC
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A185 push 140C8393h; mov dword ptr [esp], ebx 6_2_0106A29D
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A000 push edx; mov dword ptr [esp], 3FBEF12Ch 6_2_0106A001
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_0106A000 push ecx; mov dword ptr [esp], edx 6_2_0106A02A
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: (empty) entropy: 7.98579152603459
Source: LisectAVT_2403002A_218.exe | Static PE information: section name: ixqntyfn entropy: 7.951072598064479
Source: RageMP131.exe.0.dr | Static PE information: section name: (empty) entropy: 7.98579152603459
Source: RageMP131.exe.0.dr | Static PE information: section name: ixqntyfn entropy: 7.951072598064479
Source: MPGPH131.exe.0.dr | Static PE information: section name: (empty) entropy: 7.98579152603459
Source: MPGPH131.exe.0.dr | Static PE information: section name: ixqntyfn entropy: 7.951072598064479
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File created: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File created: C:\ProgramData\MPGPH131\MPGPH131.exe
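The static rows above (an empty section name, the opaque names ixqntyfn and fwmicjtz, sections with entropy near 8.0, section rights of EW, an entry point inside fwmicjtz, and a header checksum of 0x2416ea where 0x2416f1 was expected) are all cheap to reproduce without the sandbox. The Python below is an added example written for this page, not Joe Sandbox code and not code from the sample: it parses the PE header and section table, computes per-section Shannon entropy, recomputes OptionalHeader.CheckSum with the CheckSumMappedFile algorithm, and scans the entry-point section for paired rdtsc opcodes of the kind the RDTSC interceptor rows under Malware Analysis System Evasion list. Because the real binary cannot be embedded here, build_sample() assembles a synthetic, non-loadable PE32 with the same section layout; its contents, the 7.0 entropy threshold, the 64-byte rdtsc window and the list of "standard" section names are assumptions for the demonstration.

```python
import hashlib
import math
import struct

STANDARD_SECTIONS = {".text", ".data", ".rdata", ".bss", ".idata", ".rsrc", ".reloc", ".tls", ".pdata"}
RWX = 0xE0000000  # IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: packed or encrypted data sits near 8.0, plain x86 code nearer 6.0."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)

def pe_checksum(data: bytes, checksum_offset: int) -> int:
    """CheckSumMappedFile's algorithm: fold all 32-bit words except the checksum field, then add the length."""
    padded = data + b"\0" * (-len(data) % 4)
    total = 0
    for off in range(0, len(padded), 4):
        if off == checksum_offset:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        if total > 0xFFFFFFFF:
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)

def find_rdtsc_pairs(code: bytes, window: int = 64) -> list:
    """Offsets of two rdtsc opcodes (0F 31) within `window` bytes: the shape of a timing check."""
    hits = [i for i in range(len(code) - 1) if code[i:i + 2] == b"\x0f\x31"]
    return [(a, b) for a, b in zip(hits, hits[1:]) if b - a <= window]

def triage(data: bytes) -> dict:
    """Static checks mirroring the report rows; works on any PE32/PE32+ file contents."""
    coff = struct.unpack_from("<I", data, 0x3C)[0] + 4  # e_lfanew + "PE\0\0"
    if data[:2] != b"MZ" or data[coff - 4:coff] != b"PE\0\0":
        raise ValueError("not a PE file")
    n_sections, opt_size = struct.unpack_from("<H", data, coff + 2)[0], struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    checksum_off = opt + 64  # same offset in PE32 and PE32+
    stored, computed = struct.unpack_from("<I", data, checksum_off)[0], pe_checksum(data, checksum_off)
    findings, sections, entry_section, entry_raw = [], [], None, b""
    for i in range(n_sections):
        raw_name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        name = raw_name.rstrip(b"\0").decode("ascii", "replace")
        raw = data[raw_ptr:raw_ptr + raw_size]
        ent = shannon_entropy(raw)
        sections.append({"name": name, "va": va, "raw_size": raw_size, "entropy": ent})
        if name not in STANDARD_SECTIONS:
            findings.append(f"non-standard section name {name!r}")
        if ent > 7.0 and raw_size >= 256:
            findings.append(f"section {name!r} entropy {ent:.2f}, likely packed or encrypted")
        if (chars & RWX) == RWX:
            findings.append(f"section {name!r} is readable, writable and executable")
        if va <= entry_rva < va + max(vsize, raw_size):
            entry_section, entry_raw = name, raw
    if entry_section not in STANDARD_SECTIONS:
        findings.append(f"entry point lies in {entry_section!r}, outside standard sections")
    if stored and stored != computed:
        findings.append(f"checksum mismatch: header 0x{stored:x}, computed 0x{computed:x}")
    rdtsc_pairs = find_rdtsc_pairs(entry_raw)
    if rdtsc_pairs:
        findings.append(f"{len(rdtsc_pairs)} rdtsc pair(s) in entry section {entry_section!r}")
    return {"sections": sections, "entry_section": entry_section, "checksum_ok": stored == computed,
            "computed_checksum": computed, "rdtsc_pairs": rdtsc_pairs, "findings": findings}

def build_pe(sections, entry_rva: int) -> bytes:
    """Assemble a minimal, non-loadable PE32 from (name, payload, characteristics) tuples (demo only)."""
    n, e_lfanew, opt_size = len(sections), 0x40, 0xE0
    hdr_size = (e_lfanew + 24 + opt_size + 40 * n + 0x1FF) & ~0x1FF
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, n, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, 16, entry_rva)
    struct.pack_into("<III", opt, 28, 0x400000, 0x1000, 0x200)  # ImageBase, section/file alignment
    struct.pack_into("<I", opt, 60, hdr_size)
    hdrs, body, raw_ptr, va = b"", b"", hdr_size, 0x1000
    for name, payload, chars in sections:
        raw = payload + b"\0" * (-len(payload) % 0x200)
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(payload), va,
                            len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body, raw_ptr, va = body + raw, raw_ptr + len(raw), va + ((len(raw) + 0xFFF) & ~0xFFF)
    image = bytearray((dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(hdr_size, b"\0") + body)
    off = e_lfanew + 24 + 64
    struct.pack_into("<I", image, off, pe_checksum(bytes(image), off))  # stamp a valid checksum
    return bytes(image)

def build_sample() -> bytes:
    """Constructed layout modelled on the report (not the real file): empty-named and ixqntyfn sections of
    pseudo-random bytes, a small .idata, and the entry point inside fwmicjtz."""
    noise = lambda tag: b"".join(hashlib.sha256(tag + bytes([i])).digest() for i in range(128))
    idata = b"kernel32.dll\0LoadLibraryA\0GetProcAddress\0"
    # 16 x nop, then rdtsc / pop edx / pop eax / push eax / push edx / rdtsc as traced in the report
    stub = b"\x90" * 16 + b"\x0f\x31\x5a\x58\x50\x52\x0f\x31" + b"\xcc" * 8
    return build_pe([("", noise(b"a"), RWX | 0x40), (".idata", idata, 0xC0000040),
                     ("ixqntyfn", noise(b"b"), RWX | 0x40), ("fwmicjtz", stub, RWX | 0x20)], 0x4010)
```

On a real file, call triage(open(path, "rb").read()) and read the findings list. A checksum mismatch on its own only says the header was not re-stamped after the file was last written (appending bytes without updating the header changes the expected value by the new length plus whatever the appended words fold to); together with opaque section names, EW rights and near-8.0 entropy it points at a packer stub, which is what the unpacked-PE rows above show. The rdtsc scan is a heuristic: 0F 31 also occurs in data, so treat dense pairs inside the entry section, not isolated hits, as the signal.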

Boot Survival

Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: RegmonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: FilemonClass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Filemonclass
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Filemonclass
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window searched: window name: Regmonclass
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RageMP131
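The two schtasks command lines and the Run-key write above are the sample's whole persistence footprint: a task under C:\ProgramData registered HOURLY and ONLOGON with /rl HIGHEST and /f, plus an HKCU ...\CurrentVersion\Run value named RageMP131. The Python below is an added example, not part of the report: it parses schtasks /create command lines and Run-key writes from process-creation and registry telemetry and alerts when several persistence signals coincide, since any one of them on its own is routine for installers. The event records are constructed from the rows on this page with two benign controls added for contrast; the field names, the user-writable path list, the trigger list and the two-signal threshold are assumptions, and real input would come from Sysmon event IDs 1 and 13 or an EDR feed.

```python
import ntpath
import re

# Constructed from the process-creation and registry rows in the report, plus two benign
# controls (a vendor updater registered by msiexec and a plain /query) for contrast.
SAMPLE_EVENTS = [
    {"type": "process", "parent": r"C:\Users\user\Desktop\LisectAVT_2403002A_218.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST'},
    {"type": "process", "parent": r"C:\Users\user\Desktop\LisectAVT_2403002A_218.exe",
     "cmdline": r'schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST'},
    {"type": "registry", "parent": r"C:\Users\user\Desktop\LisectAVT_2403002A_218.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run", "value": "RageMP131"},
    {"type": "process", "parent": r"C:\Windows\System32\msiexec.exe",
     "cmdline": r'schtasks /create /tn "Vendor\Updater" /tr "C:\Program Files\Vendor\update.exe" /sc DAILY /st 03:00'},
    {"type": "process", "parent": r"C:\Windows\explorer.exe", "cmdline": r'schtasks /query /tn "MPGPH131 HR"'},
]

# Locations an unprivileged user can write to; a task binary or creating process living here is the first red flag.
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\users\\public\\", "\\temp\\", "\\downloads\\", "\\desktop\\")
PERSISTENT_TRIGGERS = {"ONLOGON", "ONSTART", "ONIDLE", "MINUTE", "HOURLY"}

def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, keeping double-quoted runs together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]

def parse_schtasks_create(cmdline: str):
    """Return {switch: value-or-True} for a `schtasks /create` line, None for anything else."""
    tokens = tokenize(cmdline)
    if not tokens or ntpath.basename(tokens[0]).lower() not in ("schtasks", "schtasks.exe"):
        return None
    args, i = {}, 1
    while i < len(tokens):
        if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
            args[tokens[i].lower()], i = tokens[i + 1], i + 2  # switch with an argument
        else:
            args[tokens[i].lower()], i = True, i + 1           # bare switch such as /f
    return args if "/create" in args else None

def assess_task(args: dict, parent: str) -> list:
    """Reasons a task registration looks like malware persistence; an empty list means nothing odd."""
    reasons, target = [], str(args.get("/tr", ""))
    if any(p in target.lower() for p in USER_WRITABLE):
        reasons.append(f"task binary in a user-writable location: {target}")
    if str(args.get("/rl", "")).upper() == "HIGHEST":
        reasons.append("/rl HIGHEST asks for the highest integrity level the account can get")
    if str(args.get("/sc", "")).upper() in PERSISTENT_TRIGGERS:
        reasons.append(f"recurring trigger /sc {args['/sc']}")
    if args.get("/f") is True:
        reasons.append("/f silently overwrites an existing task with the same name")
    if any(p in parent.lower() for p in USER_WRITABLE):
        reasons.append(f"registered by a process running from {parent}")
    return reasons

def assess_run_key(key: str, value: str, parent: str) -> list:
    """Flag writes to ...\\CurrentVersion\\Run and RunOnce under any hive."""
    if not re.search(r"\\currentversion\\(run|runonce)$", key.lower()):
        return []
    reasons = [f"autorun value {value!r} written under {key}"]
    if any(p in parent.lower() for p in USER_WRITABLE):
        reasons.append(f"written by a process running from {parent}")
    return reasons

def hunt(events: list, min_signals: int = 2) -> list:
    """(event index, reasons) for every event carrying at least `min_signals` persistence signals."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev["type"] == "process":
            args = parse_schtasks_create(ev["cmdline"])
            reasons = assess_task(args, ev["parent"]) if args else []
        else:
            reasons = assess_run_key(ev["key"], ev["value"], ev["parent"])
        if len(reasons) >= min_signals:
            alerts.append((idx, reasons))
    return alerts
```

Why combine signals: /f alone is common in installers and ONLOGON tasks are everywhere, but a task whose binary lives under ProgramData or AppData, asks for the highest run level, and is registered by a process started from the user's Desktop is rarely legitimate. To check a live host for this sample's artefacts specifically, query the task names "MPGPH131 HR" and "MPGPH131 LG" with schtasks /query /tn and the HKCU Run value RageMP131 with reg query.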

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_0-19857
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_6-18886
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Evasive API call chain: GetPEB, DecisionNodes, Sleep graph_8-19534
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\ProgramData\MPGPH131\MPGPH131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: B205C5 second address: B205CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: B205CA second address: B205D0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: B205D0 second address: B1FE52 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 mov dword ptr [ebp+122D1D04h], ecx 0x0000000f push dword ptr [ebp+122D03FDh] 0x00000015 sub dword ptr [ebp+122D1D20h], esi 0x0000001b call dword ptr [ebp+122D180Eh] 0x00000021 pushad 0x00000022 jg 00007F6F2C52564Ch 0x00000028 mov dword ptr [ebp+122D1D2Bh], ebx 0x0000002e xor eax, eax 0x00000030 mov dword ptr [ebp+122D1D2Bh], eax 0x00000036 mov edx, dword ptr [esp+28h] 0x0000003a cmc 0x0000003b mov dword ptr [ebp+122D2C46h], eax 0x00000041 pushad 0x00000042 push esi 0x00000043 mov dl, cl 0x00000045 pop edi 0x00000046 movsx ecx, dx 0x00000049 popad 0x0000004a pushad 0x0000004b mov dword ptr [ebp+122D1D2Bh], eax 0x00000051 mov edx, dword ptr [ebp+122D2EE6h] 0x00000057 popad 0x00000058 mov esi, 0000003Ch 0x0000005d pushad 0x0000005e mov esi, dword ptr [ebp+122D2EBAh] 0x00000064 jmp 00007F6F2C52564Bh 0x00000069 popad 0x0000006a add esi, dword ptr [esp+24h] 0x0000006e xor dword ptr [ebp+122D1D2Bh], edx 0x00000074 lodsw 0x00000076 jns 00007F6F2C525658h 0x0000007c jmp 00007F6F2C525652h 0x00000081 add eax, dword ptr [esp+24h] 0x00000085 jnp 00007F6F2C52564Dh 0x0000008b mov ebx, dword ptr [esp+24h] 0x0000008f jnc 00007F6F2C52565Fh 0x00000095 nop 0x00000096 pushad 0x00000097 push ecx 0x00000098 push eax 0x00000099 push edx 0x0000009a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: B1FE52 second address: B1FE78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jne 00007F6F2CC2BEF6h 0x0000000e popad 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F2CC2BF02h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C90B02 second address: C90B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C90B06 second address: C90B16 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F6F2CC2BEF6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C90B16 second address: C90B1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C90B1A second address: C90B20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9993F second address: C99943 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C99943 second address: C9994E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9994E second address: C9996C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F6F2C525646h 0x0000000a jmp 00007F6F2C525653h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C0DA second address: B1FE52 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F6F2CC2BF00h 0x0000000e popad 0x0000000f add dword ptr [esp], 7C5B7718h 0x00000016 jno 00007F6F2CC2BEFCh 0x0000001c xor ecx, dword ptr [ebp+122D2E5Eh] 0x00000022 jmp 00007F6F2CC2BF02h 0x00000027 push dword ptr [ebp+122D03FDh] 0x0000002d mov esi, dword ptr [ebp+122D1ED8h] 0x00000033 call dword ptr [ebp+122D180Eh] 0x00000039 pushad 0x0000003a jg 00007F6F2CC2BEFCh 0x00000040 xor eax, eax 0x00000042 mov dword ptr [ebp+122D1D2Bh], eax 0x00000048 mov edx, dword ptr [esp+28h] 0x0000004c cmc 0x0000004d mov dword ptr [ebp+122D2C46h], eax 0x00000053 pushad 0x00000054 push esi 0x00000055 mov dl, cl 0x00000057 pop edi 0x00000058 movsx ecx, dx 0x0000005b popad 0x0000005c pushad 0x0000005d mov dword ptr [ebp+122D1D2Bh], eax 0x00000063 mov edx, dword ptr [ebp+122D2EE6h] 0x00000069 popad 0x0000006a mov esi, 0000003Ch 0x0000006f pushad 0x00000070 mov esi, dword ptr [ebp+122D2EBAh] 0x00000076 jmp 00007F6F2CC2BEFBh 0x0000007b popad 0x0000007c add esi, dword ptr [esp+24h] 0x00000080 xor dword ptr [ebp+122D1D2Bh], edx 0x00000086 lodsw 0x00000088 jns 00007F6F2CC2BF08h 0x0000008e jmp 00007F6F2CC2BF02h 0x00000093 add eax, dword ptr [esp+24h] 0x00000097 jnp 00007F6F2CC2BEFDh 0x0000009d mov ebx, dword ptr [esp+24h] 0x000000a1 jnc 00007F6F2CC2BF0Fh 0x000000a7 nop 0x000000a8 pushad 0x000000a9 push ecx 0x000000aa push eax 0x000000ab push edx 0x000000ac rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C165 second address: C9C1AE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c jnc 00007F6F2C525646h 0x00000012 call 00007F6F2C525659h 0x00000017 pop esi 0x00000018 push 00000000h 0x0000001a or dword ptr [ebp+122D1D88h], edi 0x00000020 push FF247626h 0x00000025 push eax 0x00000026 push edx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C1AE second address: C9C226 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 add dword ptr [esp], 00DB8A5Ah 0x0000000f xor dword ptr [ebp+122D1D1Bh], edi 0x00000015 push 00000003h 0x00000017 push 00000000h 0x00000019 push edx 0x0000001a call 00007F6F2CC2BEF8h 0x0000001f pop edx 0x00000020 mov dword ptr [esp+04h], edx 0x00000024 add dword ptr [esp+04h], 00000017h 0x0000002c inc edx 0x0000002d push edx 0x0000002e ret 0x0000002f pop edx 0x00000030 ret 0x00000031 jmp 00007F6F2CC2BEFDh 0x00000036 jmp 00007F6F2CC2BF04h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e mov dh, EBh 0x00000040 pop edx 0x00000041 push 00000003h 0x00000043 mov edi, dword ptr [ebp+122D2BE6h] 0x00000049 push CE4C2E81h 0x0000004e jp 00007F6F2CC2BF04h 0x00000054 push eax 0x00000055 push edx 0x00000056 jnp 00007F6F2CC2BEF6h 0x0000005c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C226 second address: C9C28A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 0E4C2E81h 0x0000000d call 00007F6F2C525656h 0x00000012 jmp 00007F6F2C525659h 0x00000017 pop ecx 0x00000018 lea ebx, dword ptr [ebp+1245004Fh] 0x0000001e mov dx, cx 0x00000021 xchg eax, ebx 0x00000022 jmp 00007F6F2C52564Ch 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b jnl 00007F6F2C525646h 0x00000031 jnc 00007F6F2C525646h 0x00000037 popad 0x00000038 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C373 second address: C9C379 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C379 second address: C9C383 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F6F2C52564Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C383 second address: C9C390 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [eax] 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C390 second address: C9C394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C394 second address: C9C3FC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b jmp 00007F6F2CC2BF00h 0x00000010 pop eax 0x00000011 call 00007F6F2CC2BEFFh 0x00000016 cmc 0x00000017 pop esi 0x00000018 push 00000003h 0x0000001a adc dh, 00000010h 0x0000001d push 00000000h 0x0000001f push 00000003h 0x00000021 sub cx, 9000h 0x00000026 call 00007F6F2CC2BEF9h 0x0000002b jp 00007F6F2CC2BF0Eh 0x00000031 jp 00007F6F2CC2BF08h 0x00000037 jmp 00007F6F2CC2BF02h 0x0000003c push eax 0x0000003d pushad 0x0000003e push eax 0x0000003f push edx 0x00000040 push edx 0x00000041 pop edx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C3FC second address: C9C49C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525658h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push edi 0x0000000b pop edi 0x0000000c push esi 0x0000000d pop esi 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jmp 00007F6F2C52564Bh 0x00000019 mov eax, dword ptr [eax] 0x0000001b ja 00007F6F2C525654h 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 jno 00007F6F2C525666h 0x0000002b pop eax 0x0000002c adc di, 01C1h 0x00000031 lea ebx, dword ptr [ebp+12450058h] 0x00000037 pushad 0x00000038 mov esi, dword ptr [ebp+122D1D10h] 0x0000003e push edi 0x0000003f mov cx, 7E28h 0x00000043 pop esi 0x00000044 popad 0x00000045 xchg eax, ebx 0x00000046 pushad 0x00000047 push ebx 0x00000048 jmp 00007F6F2C52564Ch 0x0000004d pop ebx 0x0000004e push eax 0x0000004f push edx 0x00000050 push edi 0x00000051 pop edi 0x00000052 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C49C second address: C9C4A0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C4A0 second address: C9C4AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C4E2 second address: C9C4E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C4E6 second address: C9C505 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jng 00007F6F2C525646h 0x0000000d pop ecx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F6F2C52564Dh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C505 second address: C9C50B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C50B second address: C9C50F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: C9C50F second address: C9C545 instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d pushad 0x0000000e mov edx, 0CC0A9DDh 0x00000013 mov ecx, esi 0x00000015 popad 0x00000016 push 00000000h 0x00000018 sub esi, dword ptr [ebp+122D17FAh] 0x0000001e call 00007F6F2CC2BEF9h 0x00000023 push eax 0x00000024 push edx 0x00000025 jmp 00007F6F2CC2BEFDh 0x0000002a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C9C545 second address: C9C579 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c ja 00007F6F2C525646h 0x00000012 pop eax 0x00000013 pop esi 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push edx 0x00000019 je 00007F6F2C525648h 0x0000001f push esi 0x00000020 pop esi 0x00000021 pop edx 0x00000022 mov eax, dword ptr [eax] 0x00000024 pushad 0x00000025 pushad 0x00000026 push ecx 0x00000027 pop ecx 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e popad 0x0000002f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C9C579 second address: C9C61E instructions: 0x00000000 rdtsc 0x00000002 js 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push ebx 0x00000010 jc 00007F6F2CC2BF07h 0x00000016 pop ebx 0x00000017 pop eax 0x00000018 jns 00007F6F2CC2BEFCh 0x0000001e push 00000003h 0x00000020 jmp 00007F6F2CC2BF01h 0x00000025 push 00000000h 0x00000027 add dword ptr [ebp+122D1856h], ecx 0x0000002d push 00000003h 0x0000002f call 00007F6F2CC2BEF9h 0x00000034 jmp 00007F6F2CC2BF01h 0x00000039 push eax 0x0000003a pushad 0x0000003b push edx 0x0000003c ja 00007F6F2CC2BEF6h 0x00000042 pop edx 0x00000043 jmp 00007F6F2CC2BEFCh 0x00000048 popad 0x00000049 mov eax, dword ptr [esp+04h] 0x0000004d jmp 00007F6F2CC2BF02h 0x00000052 mov eax, dword ptr [eax] 0x00000054 push eax 0x00000055 push edx 0x00000056 jo 00007F6F2CC2BEF8h 0x0000005c push edx 0x0000005d pop edx 0x0000005e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C9C61E second address: C9C663 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp+04h], eax 0x0000000e push edi 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F6F2C52564Dh 0x00000017 popad 0x00000018 pop edi 0x00000019 pop eax 0x0000001a jmp 00007F6F2C525656h 0x0000001f lea ebx, dword ptr [ebp+12450063h] 0x00000025 xchg eax, ebx 0x00000026 push eax 0x00000027 push edx 0x00000028 push esi 0x00000029 pushad 0x0000002a popad 0x0000002b pop esi 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CAF156 second address: CAF15A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C81B29 second address: C81B2E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBCB31 second address: CBCB37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBCB37 second address: CBCB4F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F2C525646h 0x00000008 jno 00007F6F2C525646h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 ja 00007F6F2C52564Eh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBCC9D second address: CBCCA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBCE23 second address: CBCE27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD0AB second address: CBD0BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F6F2CC2BF10h 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD0BA second address: CBD0C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD1F0 second address: CBD1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD1F5 second address: CBD1FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD4FD second address: CBD51C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F2CC2BEF6h 0x00000008 jnc 00007F6F2CC2BEF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 ja 00007F6F2CC2BEF6h 0x00000017 jo 00007F6F2CC2BEF6h 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBD810 second address: CBD81F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDAFF second address: CBDB0D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDB0D second address: CBDB18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C92694 second address: C9269A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C9269A second address: C9269E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C9269E second address: C926C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F6F2CC2BF07h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c push edi 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C926C0 second address: C926CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDC78 second address: CBDC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDC7E second address: CBDC82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDC82 second address: CBDC86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBDC86 second address: CBDC8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBE52B second address: CBE533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBE92F second address: CBE935 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBE935 second address: CBE93B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CBE93B second address: CBE942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C88642 second address: C88663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BF09h 0x00000009 popad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C88663 second address: C88669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C88669 second address: C88685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BF02h 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC25B0 second address: CC25B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC25B5 second address: CC25E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2CC2BF04h 0x00000008 jmp 00007F6F2CC2BF06h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C86B72 second address: C86B78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C86B78 second address: C86B80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C86B80 second address: C86B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC4804 second address: CC4808 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC33D3 second address: CC33EA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525653h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC33EA second address: CC33F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC33F0 second address: CC33F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC4C01 second address: CC4C05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC4C05 second address: CC4C1A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2C52564Ah 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CC4C1A second address: CC4C20 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCCA93 second address: CCCAA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2C52564Ah 0x00000009 push eax 0x0000000a push edx 0x0000000b ja 00007F6F2C525646h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCCAA9 second address: CCCAE7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F6F2CC2BF00h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jmp 00007F6F2CC2BF07h 0x00000014 jne 00007F6F2CC2BEF6h 0x0000001a pushad 0x0000001b popad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f pushad 0x00000020 popad 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCCAE7 second address: CCCAF3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jne 00007F6F2C525646h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCCE05 second address: CCCE1E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF03h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCD231 second address: CCD23B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCD23B second address: CCD247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCDCF5 second address: CCDCF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCDD94 second address: CCDDF7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF08h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 43E227B0h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F6F2CC2BEF8h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a add dword ptr [ebp+122D3B65h], edx 0x00000030 mov dword ptr [ebp+122D17F5h], eax 0x00000036 call 00007F6F2CC2BEF9h 0x0000003b pushad 0x0000003c jbe 00007F6F2CC2BEF8h 0x00000042 pushad 0x00000043 popad 0x00000044 pushad 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCDDF7 second address: CCDE0A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jnl 00007F6F2C525646h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCDE0A second address: CCDE1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jbe 00007F6F2CC2BF00h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCE252 second address: CCE256 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCE4A7 second address: CCE4E4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007F6F2CC2BEFCh 0x0000000f jne 00007F6F2CC2BEF6h 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jo 00007F6F2CC2BF0Ah 0x0000001f jmp 00007F6F2CC2BF04h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCE4E4 second address: CCE4EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCEB45 second address: CCEB4F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCEB4F second address: CCEB76 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007F6F2C525655h 0x0000000e xchg eax, ebx 0x0000000f mov esi, ebx 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 push ecx 0x00000016 pop ecx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCEFB4 second address: CCEFB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF0DB second address: CCF0DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF0DF second address: CCF0E5 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF0E5 second address: CCF0EB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF0EB second address: CCF117 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f cmc 0x00000010 xchg eax, ebx 0x00000011 push esi 0x00000012 pushad 0x00000013 jmp 00007F6F2CC2BEFFh 0x00000018 pushad 0x00000019 popad 0x0000001a popad 0x0000001b pop esi 0x0000001c push eax 0x0000001d pushad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF117 second address: CCF11B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CCF5C6 second address: CCF5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F2CC2BEF6h 0x0000000a popad 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD234B second address: CD2357 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD09E4 second address: CD09E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD09E9 second address: CD09EE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C836C2 second address: C836C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C836C6 second address: C836CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C836CC second address: C836F0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F2CC2BEFCh 0x00000008 jnl 00007F6F2CC2BEF6h 0x0000000e pushad 0x0000000f jmp 00007F6F2CC2BF03h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD3E09 second address: CD3E12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD3E12 second address: CD3E16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD4BAB second address: CD4C15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 nop 0x00000007 add dword ptr [ebp+12473268h], ecx 0x0000000d mov dword ptr [ebp+122D3B41h], edx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push esi 0x00000018 call 00007F6F2C525648h 0x0000001d pop esi 0x0000001e mov dword ptr [esp+04h], esi 0x00000022 add dword ptr [esp+04h], 0000001Ch 0x0000002a inc esi 0x0000002b push esi 0x0000002c ret 0x0000002d pop esi 0x0000002e ret 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ebp 0x00000034 call 00007F6F2C525648h 0x00000039 pop ebp 0x0000003a mov dword ptr [esp+04h], ebp 0x0000003e add dword ptr [esp+04h], 0000001Ch 0x00000046 inc ebp 0x00000047 push ebp 0x00000048 ret 0x00000049 pop ebp 0x0000004a ret 0x0000004b mov edi, dword ptr [ebp+122D2BD2h] 0x00000051 push eax 0x00000052 pushad 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD5715 second address: CD5744 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F2CC2BEFCh 0x00000008 jno 00007F6F2CC2BEF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 jnc 00007F6F2CC2BEF6h 0x0000001b popad 0x0000001c pushad 0x0000001d jmp 00007F6F2CC2BF00h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD5744 second address: CD578A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 mov dword ptr [ebp+1247BF3Ch], edi 0x0000000d sub dword ptr [ebp+1245578Ch], ecx 0x00000013 push 00000000h 0x00000015 push 00000000h 0x00000017 push ebx 0x00000018 call 00007F6F2C525648h 0x0000001d pop ebx 0x0000001e mov dword ptr [esp+04h], ebx 0x00000022 add dword ptr [esp+04h], 00000015h 0x0000002a inc ebx 0x0000002b push ebx 0x0000002c ret 0x0000002d pop ebx 0x0000002e ret 0x0000002f cmc 0x00000030 push 00000000h 0x00000032 jmp 00007F6F2C52564Ah 0x00000037 push eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push esi 0x0000003b push edi 0x0000003c pop edi 0x0000003d pop esi 0x0000003e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD541C second address: CD5422 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD5422 second address: CD5426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD939C second address: CD93CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F6F2CC2BF07h 0x0000000d pushad 0x0000000e jmp 00007F6F2CC2BF01h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD5426 second address: CD5441 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F6F2C525646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007F6F2C52564Ch 0x00000015 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD5441 second address: CD5447 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD6039 second address: CD603D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD603D second address: CD604A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDA664 second address: CDA68A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6F2C52564Fh 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jnl 00007F6F2C525658h 0x00000014 push eax 0x00000015 push edx 0x00000016 jne 00007F6F2C525646h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDA68A second address: CDA68E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDA68E second address: CDA72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 xor edi, 05760A2Ch 0x0000000d push dword ptr fs:[00000000h] 0x00000014 jmp 00007F6F2C52564Dh 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edi 0x00000023 call 00007F6F2C525648h 0x00000028 pop edi 0x00000029 mov dword ptr [esp+04h], edi 0x0000002d add dword ptr [esp+04h], 00000014h 0x00000035 inc edi 0x00000036 push edi 0x00000037 ret 0x00000038 pop edi 0x00000039 ret 0x0000003a pushad 0x0000003b push edx 0x0000003c mov dword ptr [ebp+122D35E1h], ecx 0x00000042 pop eax 0x00000043 mov cl, 77h 0x00000045 popad 0x00000046 mov eax, dword ptr [ebp+122D16DDh] 0x0000004c add dword ptr [ebp+1246165Dh], eax 0x00000052 push FFFFFFFFh 0x00000054 push 00000000h 0x00000056 push edx 0x00000057 call 00007F6F2C525648h 0x0000005c pop edx 0x0000005d mov dword ptr [esp+04h], edx 0x00000061 add dword ptr [esp+04h], 00000018h 0x00000069 inc edx 0x0000006a push edx 0x0000006b ret 0x0000006c pop edx 0x0000006d ret 0x0000006e mov dword ptr [ebp+12458555h], edi 0x00000074 nop 0x00000075 jnl 00007F6F2C525650h 0x0000007b push eax 0x0000007c pushad 0x0000007d jl 00007F6F2C52564Ch 0x00000083 push eax 0x00000084 push edx 0x00000085 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDB722 second address: CDB741 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF05h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDB7E1 second address: CDB7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDB7E5 second address: CDB7EF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDD715 second address: CDD72D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDD8A9 second address: CDD8AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDF72F second address: CDF735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDF735 second address: CDF75C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F6F2CC2BEFBh 0x0000000a popad 0x0000000b push eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F6F2CC2BF02h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDD8AF second address: CDD8B5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CDD8B5 second address: CDD8D5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CC2BF05h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE4A4A second address: CE4A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE4A4E second address: CE4AD3 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push esi 0x0000000b call 00007F6F2CC2BEF8h 0x00000010 pop esi 0x00000011 mov dword ptr [esp+04h], esi 0x00000015 add dword ptr [esp+04h], 0000001Ch 0x0000001d inc esi 0x0000001e push esi 0x0000001f ret 0x00000020 pop esi 0x00000021 ret 0x00000022 jno 00007F6F2CC2BEFCh 0x00000028 mov dword ptr [ebp+122D31A0h], eax 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebp 0x00000033 call 00007F6F2CC2BEF8h 0x00000038 pop ebp 0x00000039 mov dword ptr [esp+04h], ebp 0x0000003d add dword ptr [esp+04h], 00000017h 0x00000045 inc ebp 0x00000046 push ebp 0x00000047 ret 0x00000048 pop ebp 0x00000049 ret 0x0000004a movsx ebx, si 0x0000004d push 00000000h 0x0000004f call 00007F6F2CC2BF03h 0x00000054 mov bx, cx 0x00000057 pop edi 0x00000058 xchg eax, esi 0x00000059 pushad 0x0000005a jp 00007F6F2CC2BEFCh 0x00000060 push eax 0x00000061 push edx 0x00000062 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE4AD3 second address: CE4ADA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE5AEB second address: CE5AF6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F6F2CC2BEF6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE5AF6 second address: CE5B02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE6B41 second address: CE6BCF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 jmp 00007F6F2CC2BEFDh 0x0000000b jmp 00007F6F2CC2BF06h 0x00000010 popad 0x00000011 popad 0x00000012 push eax 0x00000013 jg 00007F6F2CC2BEFEh 0x00000019 nop 0x0000001a mov dword ptr [ebp+122D324Fh], edx 0x00000020 push 00000000h 0x00000022 sub dword ptr [ebp+122D31E5h], ebx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F6F2CC2BEF8h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 0000001Ch 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 sub ebx, dword ptr [ebp+122D1D09h] 0x0000004a push eax 0x0000004b jnl 00007F6F2CC2BF0Eh 0x00000051 push eax 0x00000052 push edx 0x00000053 jmp 00007F6F2CC2BF00h 0x00000058 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE3A8B second address: CE3A8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE4C4A second address: CE4C4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE7B81 second address: CE7B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE1A34 second address: CE1A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CC2BEFFh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE5C93 second address: CE5C97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE6D14 second address: CE6D1A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE6D1A second address: CE6D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE6E35 second address: CE6E3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE6E3B second address: CE6E40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8C26 second address: CE8C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8C2A second address: CE8C30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE7D36 second address: CE7D3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE7D3B second address: CE7DAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b jmp 00007F6F2C525658h 0x00000010 pop ecx 0x00000011 nop 0x00000012 pushad 0x00000013 mov dx, ax 0x00000016 mov eax, dword ptr [ebp+122D2CC6h] 0x0000001c popad 0x0000001d push dword ptr fs:[00000000h] 0x00000024 add dword ptr [ebp+122D1CF3h], ebx 0x0000002a mov dword ptr fs:[00000000h], esp 0x00000031 push edx 0x00000032 push ecx 0x00000033 movsx ebx, di 0x00000036 pop edi 0x00000037 pop edi 0x00000038 mov eax, dword ptr [ebp+122D13D9h] 0x0000003e push FFFFFFFFh 0x00000040 mov ebx, dword ptr [ebp+122D2C9Eh] 0x00000046 nop 0x00000047 push edx 0x00000048 pushad 0x00000049 jmp 00007F6F2C525655h 0x0000004e push eax 0x0000004f push edx 0x00000050 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE7DAE second address: CE7DCA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 push eax 0x00000007 pushad 0x00000008 jne 00007F6F2CC2BEFCh 0x0000000e push eax 0x0000000f push edx 0x00000010 js 00007F6F2CC2BEF6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8D87 second address: CE8D8C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8D8C second address: CE8DA2 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F2CC2BEFCh 0x00000008 jns 00007F6F2CC2BEF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8DA2 second address: CE8DA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8E97 second address: CE8E9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8E9B second address: CE8E9F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CE8E9F second address: CE8EA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CEC1D4 second address: CEC1DE instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F2C525646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CF2015 second address: CF201B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CF201B second address: CF2030 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007F6F2C52564Eh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CF2030 second address: CF203C instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F6F2CC2BEFEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CF51F0 second address: CF51F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFC8CD second address: CFC8D3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFC8D3 second address: CFC90A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F6F2C52564Fh 0x0000000a pop edi 0x0000000b push edi 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e pop edi 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 pushad 0x00000013 pushad 0x00000014 popad 0x00000015 pushad 0x00000016 popad 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F6F2C52564Fh 0x00000021 push eax 0x00000022 pop eax 0x00000023 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD002 second address: CFD006 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD530 second address: CFD536 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD694 second address: CFD69A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD69A second address: CFD69F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD69F second address: CFD6A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F6F2CC2BEF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD6A9 second address: CFD6AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD7B5 second address: CFD7D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BF07h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CFD934 second address: CFD939 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D01DE3 second address: D01DE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: C8D5DB second address: C8D5DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD543D second address: CD5441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D0660B second address: D0664D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525654h 0x00000007 jmp 00007F6F2C52564Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f jmp 00007F6F2C525658h 0x00000014 push ebx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D068E4 second address: D068F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F2CC2BEF6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06A89 second address: D06A8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06A8F second address: D06AA3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06C08 second address: D06C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F6F2C525646h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06DCA second address: D06DF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BEFDh 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CC2BF06h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06F6B second address: D06F78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jng 00007F6F2C52564Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06F78 second address: D06F80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06F80 second address: D06F84 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D06F84 second address: D06F8F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D07108 second address: D0711E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2C525651h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D0711E second address: D0712F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F2CC2BEF6h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D0712F second address: D07133 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D07133 second address: D07139 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D0742F second address: D07434 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D076D5 second address: D076DA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CB32DC second address: CB32E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: C85121 second address: C85125 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: C85125 second address: C85129 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D0AFCB second address: D0B023 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 jbe 00007F6F2CC2BEF6h 0x0000000b pop ecx 0x0000000c pushad 0x0000000d jmp 00007F6F2CC2BF06h 0x00000012 push edx 0x00000013 pop edx 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007F6F2CC2BF09h 0x00000020 jmp 00007F6F2CC2BF03h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D11884 second address: D118A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007F6F2C525658h 0x0000000b jmp 00007F6F2C525652h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10652 second address: D10657 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10D0B second address: D10D15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F6F2C525646h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10D15 second address: D10D1F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F6F2CC2BEF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10D1F second address: D10D53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2C525653h 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F6F2C525653h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10D53 second address: D10D57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D103AB second address: D103B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D10FF9 second address: D1102D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jnl 00007F6F2CC2BF11h 0x0000000e jmp 00007F6F2CC2BEFBh 0x00000013 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D1102D second address: D11033 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D11033 second address: D11039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D11039 second address: D1103D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: D11183 second address: D11190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jp 00007F6F2CC2BEF8h 0x0000000b rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD741D second address: CD7495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 ja 00007F6F2C52564Eh 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F6F2C525648h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Bh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 js 00007F6F2C52564Ch 0x0000002d mov edx, dword ptr [ebp+122D350Eh] 0x00000033 lea eax, dword ptr [ebp+1248B16Ah] 0x00000039 push 00000000h 0x0000003b push edx 0x0000003c call 00007F6F2C525648h 0x00000041 pop edx 0x00000042 mov dword ptr [esp+04h], edx 0x00000046 add dword ptr [esp+04h], 00000016h 0x0000004e inc edx 0x0000004f push edx 0x00000050 ret 0x00000051 pop edx 0x00000052 ret 0x00000053 and cl, FFFFFFACh 0x00000056 xor edi, dword ptr [ebp+122D3BE2h] 0x0000005c nop 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 push esi 0x00000062 pop esi 0x00000063 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7495 second address: CD7499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7499 second address: CD749F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD749F second address: CD74A9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F6F2CC2BEF6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD74A9 second address: CB27C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a push esi 0x0000000b jmp 00007F6F2C52564Dh 0x00000010 pop esi 0x00000011 jnc 00007F6F2C52564Ch 0x00000017 popad 0x00000018 nop 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007F6F2C525648h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 jmp 00007F6F2C525655h 0x00000038 call dword ptr [ebp+122D326Dh] 0x0000003e pushad 0x0000003f je 00007F6F2C525648h 0x00000045 pushad 0x00000046 popad 0x00000047 jmp 00007F6F2C525651h 0x0000004c push eax 0x0000004d push edx 0x0000004e pushad 0x0000004f popad 0x00000050 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD76BF second address: CD76C3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7935 second address: CD793B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7A19 second address: CD7A1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7A1D second address: CD7A30 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7A30 second address: CD7A44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CC2BF00h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7B5D second address: CD7B61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7B61 second address: CD7B65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7B65 second address: CD7B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe RDTSC instruction interceptor: First address: CD7C91 second address: CD7CA2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CC2BEFDh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD7CA2 second address: CD7CA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD7DDA second address: CD7DDE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD7FF2 second address: CD8039 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F6F2C525653h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007F6F2C525648h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 00000014h 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 mov edi, 7F8DA274h 0x0000002d push 00000004h 0x0000002f movsx ecx, di 0x00000032 push eax 0x00000033 push eax 0x00000034 pushad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD87A0 second address: CD87F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a popad 0x0000000b popad 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push edi 0x00000010 call 00007F6F2CC2BEF8h 0x00000015 pop edi 0x00000016 mov dword ptr [esp+04h], edi 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc edi 0x00000023 push edi 0x00000024 ret 0x00000025 pop edi 0x00000026 ret 0x00000027 mov dword ptr [ebp+122D2A76h], ebx 0x0000002d jno 00007F6F2CC2BEFCh 0x00000033 lea eax, dword ptr [ebp+1248B1AEh] 0x00000039 xor cl, 00000006h 0x0000003c push eax 0x0000003d js 00007F6F2CC2BEFEh 0x00000043 push esi 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: CD87F7 second address: CB32E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 mov dword ptr [esp], eax 0x00000008 mov ecx, dword ptr [ebp+122D2D16h] 0x0000000e lea eax, dword ptr [ebp+1248B16Ah] 0x00000014 jmp 00007F6F2C525653h 0x00000019 push eax 0x0000001a push edi 0x0000001b push edi 0x0000001c jmp 00007F6F2C525650h 0x00000021 pop edi 0x00000022 pop edi 0x00000023 mov dword ptr [esp], eax 0x00000026 push 00000000h 0x00000028 push ebx 0x00000029 call 00007F6F2C525648h 0x0000002e pop ebx 0x0000002f mov dword ptr [esp+04h], ebx 0x00000033 add dword ptr [esp+04h], 00000019h 0x0000003b inc ebx 0x0000003c push ebx 0x0000003d ret 0x0000003e pop ebx 0x0000003f ret 0x00000040 jmp 00007F6F2C525655h 0x00000045 mov dword ptr [ebp+122D2A51h], ecx 0x0000004b call dword ptr [ebp+122D1AC0h] 0x00000051 pushad 0x00000052 ja 00007F6F2C52564Eh 0x00000058 push eax 0x00000059 push edx 0x0000005a pushad 0x0000005b popad 0x0000005c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D1535E second address: D15370 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F2CC2BEF6h 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D154A8 second address: D154AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D15BB8 second address: D15BBE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D15BBE second address: D15BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D15BC4 second address: D15BC9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D15BC9 second address: D15BED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F6F2C525657h 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C88627 second address: C88642 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007F6F2CC2BF00h 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D18F57 second address: D18F7A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525655h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jns 00007F6F2C525646h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D1B441 second address: D1B457 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F6F2CC2BEF8h 0x0000000c pushad 0x0000000d popad 0x0000000e jp 00007F6F2CC2BF02h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D1B457 second address: D1B45D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D1B45D second address: D1B46A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 je 00007F6F2CC2BEF6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D1B46A second address: D1B472 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D22389 second address: D22399 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BEFCh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D22399 second address: D2239F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2239F second address: D223A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D20EE7 second address: D20EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D20EED second address: D20EFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnl 00007F6F2CC2BEF6h 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D211FD second address: D21208 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D21208 second address: D2120C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2120C second address: D21216 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2139F second address: D213A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 pop eax 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D259CA second address: D25A01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2C525659h 0x00000009 je 00007F6F2C525646h 0x0000000f jmp 00007F6F2C52564Fh 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D25A01 second address: D25A07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D25A07 second address: D25A2C instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F2C525646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007F6F2C525657h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D25BD6 second address: D25BDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D25BDC second address: D25BE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push edx 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D25FEB second address: D26007 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BF07h 0x00000009 popad 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D26007 second address: D26010 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pop esi 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D26010 second address: D2601B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2977A second address: D29788 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2C525646h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D29788 second address: D29793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D29793 second address: D29797 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2D90E second address: D2D914 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D2D914 second address: D2D95A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2C525652h 0x00000008 jg 00007F6F2C525646h 0x0000000e jmp 00007F6F2C525659h 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6F2C52564Fh 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D354A9 second address: D354B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D354B7 second address: D35501 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F6F2C52564Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F6F2C525658h 0x00000017 ja 00007F6F2C525646h 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 jmp 00007F6F2C525650h 0x00000025 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3348A second address: D33494 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F2CC2BEF6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33494 second address: D33498 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33498 second address: D3349E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3349E second address: D334AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F6F2C52564Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D334AC second address: D334B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D334B2 second address: D334C6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jnl 00007F6F2C525646h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D334C6 second address: D334D0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F6F2CC2BEF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D334D0 second address: D334E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2C52564Dh 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33674 second address: D3367A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3367A second address: D33680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33680 second address: D3368B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3368B second address: D33691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33D1B second address: D33D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F2CC2BEF6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33D25 second address: D33D29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33D29 second address: D33D2F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33FE5 second address: D33FFB instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F6F2C525650h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D33FFB second address: D34005 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F6F2CC2BEF6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D342FB second address: D3430F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007F6F2C52564Ch 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3430F second address: D34317 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D34606 second address: D3460A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3460A second address: D3461E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F6F2CC2BEF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jl 00007F6F2CC2BEFCh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3461E second address: D3464E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F6F2C525652h 0x0000000d jno 00007F6F2C525657h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3464E second address: D34653 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D34653 second address: D34662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F6F2C525646h 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D34662 second address: D34666 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D34BA7 second address: D34BB1 instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F2C525646h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D351C7 second address: D351CD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D351CD second address: D351D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D351D3 second address: D351D7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D351D7 second address: D351DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D351DD second address: D35209 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2CC2BEFEh 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f jbe 00007F6F2CC2BEF6h 0x00000015 jnp 00007F6F2CC2BEF6h 0x0000001b pop eax 0x0000001c pushad 0x0000001d push ecx 0x0000001e pop ecx 0x0000001f push edx 0x00000020 pop edx 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D35209 second address: D35221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F2C525651h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FBD3 second address: D3FBDD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F6F2CC2BEF6h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FD17 second address: D3FD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FD1D second address: D3FD4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007F6F2CC2BF06h 0x0000000d popad 0x0000000e pushad 0x0000000f jmp 00007F6F2CC2BEFEh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FD4D second address: D3FD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F6F2C52564Dh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FD65 second address: D3FD78 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFFh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FEBC second address: D3FED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F6F2C52564Ch 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FED2 second address: D3FEE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F6F2CC2BEF6h 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FEE0 second address: D3FEF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D3FEF2 second address: D3FF27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BEFEh 0x00000009 push edi 0x0000000a pop edi 0x0000000b popad 0x0000000c jnl 00007F6F2CC2BEFAh 0x00000012 push eax 0x00000013 push edx 0x00000014 jns 00007F6F2CC2BEF6h 0x0000001a jmp 00007F6F2CC2BEFEh 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D401A1 second address: D401A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D401A7 second address: D401AC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46BA8 second address: D46BAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46BAC second address: D46BC2 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F6F2CC2BEF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007F6F2CC2BEF6h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46BC2 second address: D46BC8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46BC8 second address: D46BE5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F2CC2BEFFh 0x0000000d jp 00007F6F2CC2BEF6h 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46BE5 second address: D46C0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525655h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F6F2C52564Bh 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D46C0E second address: D46C16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D471C8 second address: D471D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4757F second address: D47583 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47823 second address: D4783D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525654h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4783D second address: D47841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47841 second address: D47861 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525656h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push esi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47861 second address: D47867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47867 second address: D4786F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4786F second address: D47879 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47A10 second address: D47A1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jbe 00007F6F2C525646h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47A1F second address: D47A24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D47A24 second address: D47A2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F6F2C525646h 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D48113 second address: D48130 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F2CC2BF03h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D48130 second address: D48136 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D48936 second address: D4895E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F6F2CC2BEF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F6F2CC2BF09h 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4895E second address: D4896A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F6F2C525646h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5015E second address: D50162 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4FBFB second address: D4FBFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4FBFF second address: D4FC0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F6F2CC2BEF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D4FEDA second address: D4FEDE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D525CB second address: D525F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F6F2CC2BF08h 0x0000000c jmp 00007F6F2CC2BEFAh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C941ED second address: C941F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5DB8A second address: D5DB90 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5DB90 second address: D5DB94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5DB94 second address: D5DB98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5DB98 second address: D5DBA6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F6F2C525648h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D5F473 second address: D5F47D instructions: 0x00000000 rdtsc 0x00000002 je 00007F6F2CC2BEF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D64869 second address: D6486D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D684C8 second address: D684F4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF06h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 js 00007F6F2CC2BF08h 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D681CE second address: D681E8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jp 00007F6F2C52564Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D681E8 second address: D681EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D681EC second address: D681F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D6D2CD second address: D6D2DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 je 00007F6F2CC2BEFCh 0x0000000b jnp 00007F6F2CC2BEF6h 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D6D2DE second address: D6D2F9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525650h 0x00000007 push ebx 0x00000008 jg 00007F6F2C525646h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D7697C second address: D7699A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2CC2BF01h 0x00000009 pop esi 0x0000000a jo 00007F6F2CC2BF02h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D7699A second address: D769A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D79C61 second address: D79C65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D79C65 second address: D79C6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D79C6B second address: D79C8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F6F2CC2BF09h 0x0000000e pop edi 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D802FC second address: D80306 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D80420 second address: D80426 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D80426 second address: D80449 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F6F2C525651h 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 jbe 00007F6F2C525646h 0x00000016 pop edx 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D80816 second address: D8081A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D8081A second address: D80833 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525654h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D85566 second address: D8556C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D8556C second address: D85583 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525653h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D85583 second address: D85589 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D85589 second address: D8558F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D8505D second address: D85071 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jc 00007F6F2CC2BEFCh 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D85071 second address: D8508E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e jns 00007F6F2C525646h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D8508E second address: D850AC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007F6F2CC2BF01h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D850AC second address: D850B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D850B2 second address: D850BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 je 00007F6F2CC2BEF6h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D850BF second address: D850C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D8522E second address: D85238 instructions: 0x00000000 rdtsc 0x00000002 jp 00007F6F2CC2BEF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D85238 second address: D85243 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D889EC second address: D889F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D9A2E0 second address: D9A2F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2C52564Ah 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D9A2F0 second address: D9A2F4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D9A2F4 second address: D9A323 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2C525659h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f jmp 00007F6F2C52564Ch 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: D9A323 second address: D9A32D instructions: 0x00000000 rdtsc 0x00000002 jc 00007F6F2CC2BEF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C8F11B second address: C8F121 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: C8F121 second address: C8F12C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DA844F second address: DA8476 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F6F2C52564Dh 0x00000009 jno 00007F6F2C525653h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DA7FDB second address: DA7FE9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F6F2CC2BEF6h 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB8F8 second address: DCB90A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnc 00007F6F2C525646h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCA786 second address: DCA7A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF07h 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCA8E3 second address: DCA91D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F6F2C525654h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d jmp 00007F6F2C525650h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007F6F2C52564Ah 0x0000001b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAA87 second address: DCAA8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAA8F second address: DCAA93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAA93 second address: DCAAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007F6F2CC2BF06h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAAB8 second address: DCAAC5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jl 00007F6F2C525646h 0x0000000d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAAC5 second address: DCAADD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF04h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCAF54 second address: DCAF59 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB0C9 second address: DCB0E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF05h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB0E3 second address: DCB0E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB0E9 second address: DCB0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F6F2CC2BEF6h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB0FD second address: DCB101 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB101 second address: DCB107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB3E2 second address: DCB407 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 jmp 00007F6F2C52564Bh 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 jng 00007F6F2C525646h 0x0000001a pop ecx 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e pop eax 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB407 second address: DCB424 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFDh 0x00000007 jmp 00007F6F2CC2BEFCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCB424 second address: DCB429 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCD016 second address: DCD01B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCD01B second address: DCD027 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F6F2C525646h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCE748 second address: DCE74E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DCE74E second address: DCE764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnl 00007F6F2C525650h 0x0000000c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD2742 second address: DD2755 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnc 00007F6F2CC2BEFCh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD2755 second address: DD2759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD2759 second address: DD2763 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F6F2CC2BEFCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD43E7 second address: DD43ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD43ED second address: DD43F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: DD43F1 second address: DD4432 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F6F2C525655h 0x0000000b jmp 00007F6F2C52564Eh 0x00000010 jmp 00007F6F2C52564Eh 0x00000015 popad 0x00000016 push eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jc 00007F6F2C525646h 0x0000001f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C70807 second address: 4C70835 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CC2BF06h 0x0000000f mov ebp, esp 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C70835 second address: 4C70852 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C70852 second address: 4C70858 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C70858 second address: 4C7085C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C7085C second address: 4C7086B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C7086B second address: 4C7086F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C7086F second address: 4C70875 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C40246 second address: 4C4024A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C4024A second address: 4C40250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C40250 second address: 4C402B8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edx, esi 0x00000005 pushfd 0x00000006 jmp 00007F6F2C52564Ah 0x0000000b sub cl, FFFFFFE8h 0x0000000e jmp 00007F6F2C52564Bh 0x00000013 popfd 0x00000014 popad 0x00000015 pop edx 0x00000016 pop eax 0x00000017 xchg eax, ebp 0x00000018 jmp 00007F6F2C525656h 0x0000001d push eax 0x0000001e pushad 0x0000001f movsx ebx, cx 0x00000022 pushfd 0x00000023 jmp 00007F6F2C52564Ah 0x00000028 sbb eax, 797CA778h 0x0000002e jmp 00007F6F2C52564Bh 0x00000033 popfd 0x00000034 popad 0x00000035 xchg eax, ebp 0x00000036 push eax 0x00000037 push edx 0x00000038 pushad 0x00000039 mov edi, 443C7966h 0x0000003e pushad 0x0000003f popad 0x00000040 popad 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C402B8 second address: 4C402BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C402BE second address: 4C4031A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525654h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov ebp, esp 0x0000000d pushad 0x0000000e pushfd 0x0000000f jmp 00007F6F2C52564Eh 0x00000014 jmp 00007F6F2C525655h 0x00000019 popfd 0x0000001a pushad 0x0000001b jmp 00007F6F2C52564Dh 0x00000020 popad 0x00000021 popad 0x00000022 pop ebp 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 pushad 0x00000027 popad 0x00000028 mov cx, di 0x0000002b popad 0x0000002c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0833 second address: 4CB0837 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0837 second address: 4CB083B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB083B second address: 4CB0841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0841 second address: 4CB0890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2C525658h 0x00000009 xor cx, C1F8h 0x0000000e jmp 00007F6F2C52564Bh 0x00000013 popfd 0x00000014 mov dx, cx 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F6F2C525657h 0x00000024 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0890 second address: 4CB08AD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB08AD second address: 4CB08E6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov bx, 4D82h 0x00000007 pushfd 0x00000008 jmp 00007F6F2C525653h 0x0000000d jmp 00007F6F2C525653h 0x00000012 popfd 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 xchg eax, ebp 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c popad 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB08E6 second address: 4CB0901 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0901 second address: 4CB0907 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0907 second address: 4CB091D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov ebp, esp 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F2CC2BEFAh 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30DB9 second address: 4C30DF1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2C525656h 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F2C52564Dh 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30DF1 second address: 4C30E06 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30E06 second address: 4C30E0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30E0C second address: 4C30E2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F6F2CC2BEFFh 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30E2C second address: 4C30E30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C30E30 second address: 4C30E4B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0548 second address: 4CB055A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov cl, A7h 0x00000005 mov ax, dx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB055A second address: 4CB0560 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0560 second address: 4CB0566 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0566 second address: 4CB056A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB056A second address: 4CB05BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e call 00007F6F2C52564Fh 0x00000013 pop ecx 0x00000014 pushfd 0x00000015 jmp 00007F6F2C525659h 0x0000001a add ax, 9F26h 0x0000001f jmp 00007F6F2C525651h 0x00000024 popfd 0x00000025 popad 0x00000026 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80C05 second address: 4C80C97 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F6F2CC2BEFEh 0x0000000f push eax 0x00000010 jmp 00007F6F2CC2BEFBh 0x00000015 xchg eax, ebp 0x00000016 pushad 0x00000017 mov cl, BAh 0x00000019 mov cl, dl 0x0000001b popad 0x0000001c mov ebp, esp 0x0000001e jmp 00007F6F2CC2BF08h 0x00000023 pop ebp 0x00000024 push eax 0x00000025 push edx 0x00000026 pushad 0x00000027 pushfd 0x00000028 jmp 00007F6F2CC2BEFDh 0x0000002d sbb ah, 00000026h 0x00000030 jmp 00007F6F2CC2BF01h 0x00000035 popfd 0x00000036 call 00007F6F2CC2BF00h 0x0000003b pop eax 0x0000003c popad 0x0000003d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD06D3 second address: 4CD06D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD06D9 second address: 4CD06DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD06DD second address: 4CD06E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC0019 second address: 4CC001D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC001D second address: 4CC0023 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC0023 second address: 4CC0032 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F6F2CC2BEFBh 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C409A8 second address: 4C409D3 instructions: 0x00000000 rdtsc 0x00000002 mov di, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, esi 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c mov ch, 79h 0x0000000e popad 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F6F2C525657h 0x00000019 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C409D3 second address: 4C409D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0635 second address: 4CB06A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2C52564Fh 0x00000009 xor ecx, 04B3E27Eh 0x0000000f jmp 00007F6F2C525659h 0x00000014 popfd 0x00000015 pushfd 0x00000016 jmp 00007F6F2C525650h 0x0000001b adc eax, 7C0E2578h 0x00000021 jmp 00007F6F2C52564Bh 0x00000026 popfd 0x00000027 popad 0x00000028 pop edx 0x00000029 pop eax 0x0000002a xchg eax, ebp 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007F6F2C525655h 0x00000032 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB06A6 second address: 4CB06D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF01h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F6F2CC2BF01h 0x0000000f xchg eax, ebp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB06D4 second address: 4CB06D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB06D8 second address: 4CB06DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB06DE second address: 4CB06E3 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0E1F second address: 4CB0E23 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0E23 second address: 4CB0E29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0E29 second address: 4CB0E33 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ecx, 010D0C03h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0E33 second address: 4CB0EA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebp 0x00000008 jmp 00007F6F2C525654h 0x0000000d mov ebp, esp 0x0000000f pushad 0x00000010 mov edx, ecx 0x00000012 jmp 00007F6F2C52564Ah 0x00000017 popad 0x00000018 mov eax, dword ptr [ebp+08h] 0x0000001b jmp 00007F6F2C525650h 0x00000020 and dword ptr [eax], 00000000h 0x00000023 jmp 00007F6F2C525650h 0x00000028 and dword ptr [eax+04h], 00000000h 0x0000002c push eax 0x0000002d push edx 0x0000002e pushad 0x0000002f mov ecx, edx 0x00000031 jmp 00007F6F2C525659h 0x00000036 popad 0x00000037 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0EA8 second address: 4CB0EAE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0EAE second address: 4CB0EB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CB0EB2 second address: 4CB0ECF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ebp 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F6F2CC2BF02h 0x00000010 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B1E second address: 4C80B22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B22 second address: 4C80B28 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B28 second address: 4C80B2E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B2E second address: 4C80B47 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B47 second address: 4C80B7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6F2C525659h 0x0000000a sub ax, 7486h 0x0000000f jmp 00007F6F2C525651h 0x00000014 popfd 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80B7D second address: 4C80BA8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov di, A4C2h 0x00000007 movsx edi, ax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e pushad 0x0000000f pushad 0x00000010 mov edi, 0B15C5D4h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 mov bh, 93h 0x0000001a popad 0x0000001b xchg eax, ebp 0x0000001c pushad 0x0000001d mov si, 5017h 0x00000021 movzx esi, di 0x00000024 popad 0x00000025 mov ebp, esp 0x00000027 pushad 0x00000028 pushad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80BA8 second address: 4C80BC4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov cl, dh 0x00000006 popad 0x00000007 push eax 0x00000008 movsx edx, cx 0x0000000b pop ecx 0x0000000c popad 0x0000000d pop ebp 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F6F2C52564Ch 0x00000015 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC0233 second address: 4CC0239 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC0239 second address: 4CC023F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC023F second address: 4CC0243 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC0243 second address: 4CC029A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], ebp 0x0000000b pushad 0x0000000c call 00007F6F2C525652h 0x00000011 mov ch, C3h 0x00000013 pop edi 0x00000014 mov bx, cx 0x00000017 popad 0x00000018 mov ebp, esp 0x0000001a pushad 0x0000001b mov si, 336Bh 0x0000001f popad 0x00000020 pop ebp 0x00000021 pushad 0x00000022 push eax 0x00000023 push edx 0x00000024 pushfd 0x00000025 jmp 00007F6F2C525656h 0x0000002a add al, 00000028h 0x0000002d jmp 00007F6F2C52564Bh 0x00000032 popfd 0x00000033 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD001B second address: 4CD0082 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007F6F2CC2BEFBh 0x0000000b sbb ecx, 061EB04Eh 0x00000011 jmp 00007F6F2CC2BF09h 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b jmp 00007F6F2CC2BEFEh 0x00000020 push eax 0x00000021 jmp 00007F6F2CC2BEFBh 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F6F2CC2BF05h 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD0082 second address: 4CD011A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c pushfd 0x0000000d jmp 00007F6F2C52564Ch 0x00000012 add cl, FFFFFF88h 0x00000015 jmp 00007F6F2C52564Bh 0x0000001a popfd 0x0000001b jmp 00007F6F2C525658h 0x00000020 popad 0x00000021 xchg eax, ecx 0x00000022 jmp 00007F6F2C525650h 0x00000027 push eax 0x00000028 push eax 0x00000029 push edx 0x0000002a pushad 0x0000002b pushfd 0x0000002c jmp 00007F6F2C52564Ch 0x00000031 or ah, 00000048h 0x00000034 jmp 00007F6F2C52564Bh 0x00000039 popfd 0x0000003a call 00007F6F2C525658h 0x0000003f pop eax 0x00000040 popad 0x00000041 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD011A second address: 4CD0146 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov edi, esi 0x00000005 movzx eax, di 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ecx 0x0000000c pushad 0x0000000d mov si, dx 0x00000010 mov dl, B9h 0x00000012 popad 0x00000013 mov eax, dword ptr [76FA65FCh] 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c jmp 00007F6F2CC2BF00h 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD0146 second address: 4CD0155 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD0155 second address: 4CD01D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF09h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 test eax, eax 0x0000000b jmp 00007F6F2CC2BEFEh 0x00000010 je 00007F6F9EE7F6DAh 0x00000016 pushad 0x00000017 pushfd 0x00000018 jmp 00007F6F2CC2BEFEh 0x0000001d add al, FFFFFFF8h 0x00000020 jmp 00007F6F2CC2BEFBh 0x00000025 popfd 0x00000026 pushfd 0x00000027 jmp 00007F6F2CC2BF08h 0x0000002c sub ch, 00000058h 0x0000002f jmp 00007F6F2CC2BEFBh 0x00000034 popfd 0x00000035 popad 0x00000036 mov ecx, eax 0x00000038 push eax 0x00000039 push edx 0x0000003a push eax 0x0000003b push edx 0x0000003c pushad 0x0000003d popad 0x0000003e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD01D8 second address: 4CD01DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD01DE second address: 4CD0215 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor eax, dword ptr [ebp+08h] 0x0000000c pushad 0x0000000d jmp 00007F6F2CC2BF07h 0x00000012 mov cx, 3EDFh 0x00000016 popad 0x00000017 and ecx, 1Fh 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f popad 0x00000020 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CD0215 second address: 4CD021B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4CC040A second address: 4CC0411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dh, FBh 0x00000006 popad 0x00000007 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C8001F second address: 4C80025 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80025 second address: 4C8009C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop edi 0x00000005 pushfd 0x00000006 jmp 00007F6F2CC2BF06h 0x0000000b sbb ecx, 70953298h 0x00000011 jmp 00007F6F2CC2BEFBh 0x00000016 popfd 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a xchg eax, ebp 0x0000001b pushad 0x0000001c mov bx, cx 0x0000001f mov edi, eax 0x00000021 popad 0x00000022 push eax 0x00000023 jmp 00007F6F2CC2BEFDh 0x00000028 xchg eax, ebp 0x00000029 pushad 0x0000002a jmp 00007F6F2CC2BEFCh 0x0000002f push esi 0x00000030 jmp 00007F6F2CC2BF01h 0x00000035 pop eax 0x00000036 popad 0x00000037 mov ebp, esp 0x00000039 push eax 0x0000003a push edx 0x0000003b jmp 00007F6F2CC2BEFAh 0x00000040 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C8009C second address: 4C800A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C800A2 second address: 4C800A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C800A6 second address: 4C800C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C52564Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b and esp, FFFFFFF8h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 mov cl, dh 0x00000013 mov ebx, esi 0x00000015 popad 0x00000016 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C800C4 second address: 4C8010B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2CC2BF07h 0x00000009 xor esi, 6E1D302Eh 0x0000000f jmp 00007F6F2CC2BF09h 0x00000014 popfd 0x00000015 mov dx, cx 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ecx 0x0000001c push eax 0x0000001d push edx 0x0000001e pushad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C8010B second address: 4C80132 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6F2C525655h 0x0000000a jmp 00007F6F2C52564Bh 0x0000000f popfd 0x00000010 popad 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80132 second address: 4C80138 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80138 second address: 4C8013C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C8013C second address: 4C80153 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BEFBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80153 second address: 4C8017B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushfd 0x00000005 jmp 00007F6F2C525650h 0x0000000a and esi, 3294F268h 0x00000010 jmp 00007F6F2C52564Bh 0x00000015 popfd 0x00000016 popad 0x00000017 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C8017B second address: 4C801D9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2CC2BEFFh 0x00000009 sbb cx, 05AEh 0x0000000e jmp 00007F6F2CC2BF09h 0x00000013 popfd 0x00000014 mov ax, F237h 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b xchg eax, ecx 0x0000001c jmp 00007F6F2CC2BEFAh 0x00000021 xchg eax, ebx 0x00000022 push eax 0x00000023 push edx 0x00000024 jmp 00007F6F2CC2BF07h 0x00000029 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C801D9 second address: 4C80205 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525659h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F6F2C52564Ch 0x00000011 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exeRDTSC instruction interceptor: First address: 4C80205 second address: 4C8020A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C8020A second address: 4C80268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 5932h 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushfd 0x00000010 jmp 00007F6F2C525652h 0x00000015 sub cx, EE48h 0x0000001a jmp 00007F6F2C52564Bh 0x0000001f popfd 0x00000020 pushfd 0x00000021 jmp 00007F6F2C525658h 0x00000026 sbb si, 30A8h 0x0000002b jmp 00007F6F2C52564Bh 0x00000030 popfd 0x00000031 popad 0x00000032 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80268 second address: 4C80271 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov dx, 234Ah 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80271 second address: 4C80280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov ebx, dword ptr [ebp+10h] 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80280 second address: 4C80284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80284 second address: 4C802E4 instructions: 0x00000000 rdtsc 0x00000002 movsx edi, si 0x00000005 pop edx 0x00000006 pop eax 0x00000007 movzx esi, bx 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007F6F2C52564Ah 0x00000011 mov dword ptr [esp], esi 0x00000014 pushad 0x00000015 mov bx, ax 0x00000018 mov esi, 34A3BE49h 0x0000001d popad 0x0000001e mov esi, dword ptr [ebp+08h] 0x00000021 jmp 00007F6F2C525654h 0x00000026 xchg eax, edi 0x00000027 jmp 00007F6F2C525650h 0x0000002c push eax 0x0000002d jmp 00007F6F2C52564Bh 0x00000032 xchg eax, edi 0x00000033 pushad 0x00000034 movzx esi, dx 0x00000037 push eax 0x00000038 push edx 0x00000039 push eax 0x0000003a push edx 0x0000003b rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C802E4 second address: 4C802E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C802E8 second address: 4C8030F instructions: 0x00000000 rdtsc 0x00000002 mov eax, edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 test esi, esi 0x00000009 jmp 00007F6F2C52564Fh 0x0000000e je 00007F6F9E7C395Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 push edx 0x00000018 pop eax 0x00000019 mov si, bx 0x0000001c popad 0x0000001d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C8030F second address: 4C8036B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 call 00007F6F2CC2BF06h 0x00000008 pop ecx 0x00000009 mov si, di 0x0000000c popad 0x0000000d pop edx 0x0000000e pop eax 0x0000000f cmp dword ptr [esi+08h], DDEEDDEEh 0x00000016 jmp 00007F6F2CC2BEFDh 0x0000001b je 00007F6F9EECA1DEh 0x00000021 pushad 0x00000022 push esi 0x00000023 movsx edi, ax 0x00000026 pop esi 0x00000027 movsx edi, cx 0x0000002a popad 0x0000002b mov edx, dword ptr [esi+44h] 0x0000002e jmp 00007F6F2CC2BEFCh 0x00000033 or edx, dword ptr [ebp+0Ch] 0x00000036 push eax 0x00000037 push edx 0x00000038 push eax 0x00000039 push edx 0x0000003a pushad 0x0000003b popad 0x0000003c rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C8036B second address: 4C80371 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80371 second address: 4C80377 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C80377 second address: 4C8037B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C8037B second address: 4C803C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 test edx, 61000000h 0x0000000e jmp 00007F6F2CC2BEFAh 0x00000013 jne 00007F6F9EECA1EBh 0x00000019 push eax 0x0000001a push edx 0x0000001b pushad 0x0000001c pushfd 0x0000001d jmp 00007F6F2CC2BEFDh 0x00000022 or cx, 7516h 0x00000027 jmp 00007F6F2CC2BF01h 0x0000002c popfd 0x0000002d popad 0x0000002e rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C90069 second address: 4C90089 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2C525651h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], ebp 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f mov ecx, 39662519h 0x00000014 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C90089 second address: 4C90139 instructions: 0x00000000 rdtsc 0x00000002 movzx eax, dx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 call 00007F6F2CC2BEFBh 0x0000000c mov ch, AEh 0x0000000e pop edi 0x0000000f popad 0x00000010 mov ebp, esp 0x00000012 pushad 0x00000013 jmp 00007F6F2CC2BEFEh 0x00000018 call 00007F6F2CC2BF02h 0x0000001d pushfd 0x0000001e jmp 00007F6F2CC2BF02h 0x00000023 sbb ch, 00000038h 0x00000026 jmp 00007F6F2CC2BEFBh 0x0000002b popfd 0x0000002c pop esi 0x0000002d popad 0x0000002e and esp, FFFFFFF8h 0x00000031 jmp 00007F6F2CC2BEFFh 0x00000036 xchg eax, ebx 0x00000037 pushad 0x00000038 mov eax, 623A187Bh 0x0000003d pushfd 0x0000003e jmp 00007F6F2CC2BF00h 0x00000043 sub si, 55C8h 0x00000048 jmp 00007F6F2CC2BEFBh 0x0000004d popfd 0x0000004e popad 0x0000004f push eax 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007F6F2CC2BF04h 0x00000057 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C90139 second address: 4C9013E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C901DB second address: 4C901F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F6F2CC2BF03h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C901F2 second address: 4C90258 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F6F2C52564Fh 0x00000009 xor ah, 0000004Eh 0x0000000c jmp 00007F6F2C525659h 0x00000011 popfd 0x00000012 pushfd 0x00000013 jmp 00007F6F2C525650h 0x00000018 jmp 00007F6F2C525655h 0x0000001d popfd 0x0000001e popad 0x0000001f pop edx 0x00000020 pop eax 0x00000021 je 00007F6F9E7AB788h 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | RDTSC instruction interceptor: First address: 4C90258 second address: 4C9025C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Special instruction interceptor: First address: B1FEEF instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Special instruction interceptor: First address: CC4897 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Special instruction interceptor: First address: CD7626 instructions caused by: Self-modifying code
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Special instruction interceptor: First address: D578EE instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: BFFEEF instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: DA4897 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: DB7626 instructions caused by: Self-modifying code
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Special instruction interceptor: First address: E378EE instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: AAFEEF instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: C54897 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: C67626 instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Special instruction interceptor: First address: CE78EE instructions caused by: Self-modifying code
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_04D00A81 rdtsc 0_2_04D00A81
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window / User API: threadDelayed 1193
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Window / User API: threadDelayed 1211
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 367
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 455
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Window / User API: threadDelayed 358
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1174
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1242
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1184
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1169
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1173
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1184
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Window / User API: threadDelayed 1148
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 4368 | Thread sleep time: -52026s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 1412 | Thread sleep count: 1193 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 1412 | Thread sleep time: -2387193s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 2360 | Thread sleep count: 98 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 4456 | Thread sleep time: -34017s >= -30000s
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 2360 | Thread sleep count: 212 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 5804 | Thread sleep count: 214 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 4752 | Thread sleep count: 1211 > 30
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe TID: 4752 | Thread sleep time: -2423211s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2576 | Thread sleep count: 101 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2576 | Thread sleep time: -202101s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1848 | Thread sleep count: 66 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1848 | Thread sleep time: -132066s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6552 | Thread sleep count: 45 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6552 | Thread sleep count: 330 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 6552 | Thread sleep time: -33330s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7312 | Thread sleep count: 367 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7312 | Thread sleep count: 70 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5836 | Thread sleep count: 113 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 5836 | Thread sleep time: -226113s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2300 | Thread sleep count: 120 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2300 | Thread sleep time: -240120s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184 | Thread sleep count: 149 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7184 | Thread sleep time: -298149s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136 | Thread sleep count: 42 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2072 | Thread sleep count: 116 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 2072 | Thread sleep time: -232116s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136 | Thread sleep count: 455 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7136 | Thread sleep time: -45955s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7308 | Thread sleep count: 358 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7308 | Thread sleep count: 90 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1576 | Thread sleep count: 125 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1576 | Thread sleep time: -250125s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3292 | Thread sleep count: 72 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 3292 | Thread sleep time: -144072s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 | Thread sleep count: 69 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 1272 | Thread sleep time: -138069s >= -30000s
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172 | Thread sleep count: 74 > 30
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe TID: 7172 | Thread sleep time: -148074s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7376 | Thread sleep count: 34 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7376 | Thread sleep time: -68034s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7352 | Thread sleep count: 1174 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7352 | Thread sleep time: -2349174s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7328 | Thread sleep count: 83 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7328 | Thread sleep count: 230 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7544 | Thread sleep count: 227 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7364 | Thread sleep count: 1242 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7364 | Thread sleep time: -2485242s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7372 | Thread sleep count: 1184 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7372 | Thread sleep time: -2369184s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360 | Thread sleep count: 1169 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7360 | Thread sleep time: -2339169s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7712 | Thread sleep time: -60030s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7692 | Thread sleep count: 1173 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7692 | Thread sleep time: -2347173s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7656 | Thread sleep count: 43 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7656 | Thread sleep count: 245 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7792 | Thread sleep count: 234 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7700 | Thread sleep count: 1184 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7700 | Thread sleep time: -2369184s >= -30000s
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7708 | Thread sleep count: 1148 > 30
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe TID: 7708 | Thread sleep time: -2297148s >= -30000s
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Last function: Thread delayed
            Source: RageMP131.exe, RageMP131.exe, 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306150889.000000000053C000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&00
            Source: RageMP131.exe, 00000008.00000002.3307041255.000000000080E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}G
            Source: RageMP131.exe, 0000000A.00000003.2283094806.0000000000742000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.3308650896.00000000015C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78D81E37
            Source: RageMP131.exe, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&-
            Source: MPGPH131.exe, 00000006.00000002.3306495921.0000000000815000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000006.00000002.3306381357.00000000006FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}|
            Source: MPGPH131.exe, 00000006.00000002.3306495921.0000000000815000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: -c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f5
            Source: RageMP131.exe, 00000008.00000002.3306473370.00000000004FD000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}0
            Source: RageMP131.exe, 0000000A.00000003.2283094806.0000000000742000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#Disk&Ven_VMware&Prod_Virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.3308650896.00000000015BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dlla
            Source: RageMP131.exe, 00000008.00000002.3307041255.000000000080E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}ywWJ\
            Source: MPGPH131.exe, 00000006.00000002.3306495921.0000000000803000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
            Source: RageMP131.exe, 00000008.00000002.3307041255.0000000000855000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: 9e146be9-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_78D81E37
            Source: RageMP131.exe, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
            Source: MPGPH131.exe, 00000007.00000002.3308650896.00000000015BD000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000&
            Source: RageMP131.exe, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}*
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: #disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
            Source: MPGPH131.exe, 00000006.00000002.3306495921.0000000000815000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
            Source: MPGPH131.exe, 00000007.00000002.3308262965.000000000116D000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}Y
            Source: RageMP131.exe, 00000008.00000002.3307041255.0000000000844000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllF
            Source: RageMP131.exe, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}V
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3306620800.00000000008B0000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}dul
            Source: MPGPH131.exe, 00000006.00000002.3306495921.0000000000815000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: }-c76a-4720-bcdb-53011b87bd06_{a33c7340-61ca-11ee-8c18-806e6f6e6963}_\\?\scsi#disk&ven_vmware&prod_virtual_disk#4&1656f219&0&000000#{53f5
            Source: LisectAVT_2403002A_218.exe, 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, MPGPH131.exe, 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp, MPGPH131.exe, 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp, RageMP131.exe, 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp, RageMP131.exe, 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
            Source: RageMP131.exe, 00000008.00000002.3307041255.0000000000800000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | System information queried: ModuleInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process information queried: ProcessInformation

            Anti Debugging

            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Thread information set: HideFromDebugger
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: regmonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: gbdyllo
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: procmon_window_class
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: ollydbg
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: filemonclass
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: NTICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: SICE
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | File opened: SIWVID
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Process queried: DebugPort
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_04D00A81 rdtsc 0_2_04D00A81
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00A43A40 mov eax, dword ptr fs:[00000030h] 0_2_00A43A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00A43A40 mov eax, dword ptr fs:[00000030h] 0_2_00A43A40
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_009F4100 mov eax, dword ptr fs:[00000030h] 0_2_009F4100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00B23A40 mov eax, dword ptr fs:[00000030h] 6_2_00B23A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00B23A40 mov eax, dword ptr fs:[00000030h] 6_2_00B23A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 6_2_00AD4100 mov eax, dword ptr fs:[00000030h] 6_2_00AD4100
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00B23A40 mov eax, dword ptr fs:[00000030h] 7_2_00B23A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00B23A40 mov eax, dword ptr fs:[00000030h] 7_2_00B23A40
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Code function: 7_2_00AD4100 mov eax, dword ptr fs:[00000030h] 7_2_00AD4100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_009D3A40 mov eax, dword ptr fs:[00000030h] 8_2_009D3A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_009D3A40 mov eax, dword ptr fs:[00000030h] 8_2_009D3A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 8_2_00984100 mov eax, dword ptr fs:[00000030h] 8_2_00984100
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_009D3A40 mov eax, dword ptr fs:[00000030h] 10_2_009D3A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_009D3A40 mov eax, dword ptr fs:[00000030h] 10_2_009D3A40
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Code function: 10_2_00984100 mov eax, dword ptr fs:[00000030h] 10_2_00984100
            Source: LisectAVT_2403002A_218.exe, LisectAVT_2403002A_218.exe, 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp, RageMP131.exe, RageMP131.exe, 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp | Binary or memory string: 1RProgram Manager
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\ProgramData\MPGPH131\MPGPH131.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\AppData\Local\RageMP131\RageMP131.exe | Queries volume information: C:\ VolumeInformation
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Code function: 0_2_00ABF26A GetSystemTimePreciseAsFileTime,GetSystemTimePreciseAsFileTime, 0_2_00ABF26A
            Source: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Yara match, file source: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Yara match, file source: 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Yara match, file source: 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Yara match, file source: 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Yara match, file source: 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: LisectAVT_2403002A_218.exe PID: 3596, type: MEMORYSTR
Yara match, file source: Process Memory Space: MPGPH131.exe PID: 4580, type: MEMORYSTR
Yara match, file source: Process Memory Space: MPGPH131.exe PID: 2656, type: MEMORYSTR
Yara match, file source: Process Memory Space: RageMP131.exe PID: 7324, type: MEMORYSTR
Yara match, file source: Process Memory Space: RageMP131.exe PID: 7652, type: MEMORYSTR

Remote Access Functionality

Yara match, file source: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Yara match, file source: 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Yara match, file source: 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Yara match, file source: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, type: MEMORY
Yara match, file source: 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, type: MEMORY
Yara match, file source: 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Yara match, file source: Process Memory Space: LisectAVT_2403002A_218.exe PID: 3596, type: MEMORYSTR
Yara match, file source: Process Memory Space: MPGPH131.exe PID: 4580, type: MEMORYSTR
Yara match, file source: Process Memory Space: MPGPH131.exe PID: 2656, type: MEMORYSTR
Yara match, file source: Process Memory Space: RageMP131.exe PID: 7324, type: MEMORYSTR
Yara match, file source: Process Memory Space: RageMP131.exe PID: 7652, type: MEMORYSTR
MITRE ATT&CK matrix, listed per tactic. A number in parentheses is the count of matching signatures for that technique; cells without a count are the matrix's default entries and were not observed for this sample.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
Execution: Command and Scripting Interpreter (2), Scheduled Task/Job (1), Native API (1), Cron, Launchd, Scheduled Task, Systemd Timers
Persistence: Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Login Hook, Network Logon Script, RC Scripts, Startup Items
Privilege Escalation: Process Injection (2), Scheduled Task/Job (1), Registry Run Keys / Startup Folder (1), DLL Side-Loading (1), Network Logon Script, RC Scripts, Startup Items
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (24), Process Injection (2), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
Discovery: System Time Discovery (1), Security Software Discovery (641), Virtualization/Sandbox Evasion (24), Process Discovery (2), Application Window Discovery (1), System Information Discovery (214), Remote System Discovery
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
Command and Control: Encrypted Channel (1), Non-Standard Port (1), Ingress Tool Transfer (1), Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
Behavior Graph (ID 1482410; sample LisectAVT_2403002A_218.exe; start date 25/07/2024; architecture WINDOWS; score 100), rendered as a process tree:

Sample-level signatures: Antivirus / Scanner detection for submitted sample; Yara detected RisePro Stealer; Machine Learning detection for sample; 3 other signatures

LisectAVT_2403002A_218.exe (started)
  Network: 193.233.132.74, ports 49704, 49705, 49706, FREE-NET-ASFREEnetEU, Russian Federation
  Dropped: C:\Users\user\AppData\Local\...\RageMP131.exe (PE32); C:\ProgramData\MPGPH131\MPGPH131.exe (PE32); C:\Users\...\RageMP131.exe:Zone.Identifier (ASCII); C:\...\MPGPH131.exe:Zone.Identifier (ASCII)
  Signatures: Detected unpacking (changes PE section rights); Found evasive API chain (may stop execution after reading information in the PEB, e.g. number of processors); Uses schtasks.exe or at.exe to add and modify task schedules; Tries to detect virtualization through RDTSC time measurements
  Children: schtasks.exe -> conhost.exe; schtasks.exe -> conhost.exe

RageMP131.exe (started)
  Signatures: Antivirus detection for dropped file; Tries to detect sandboxes and other dynamic analysis tools (window names); Machine Learning detection for dropped file

MPGPH131.exe (started)
  Signatures: Tries to evade debugger and weak emulator (self modifying code); Hides threads from debuggers; Tries to detect sandboxes / dynamic malware analysis system (registry check)

2 other processes
  Signatures: Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source / Detection / Scanner / Label (submitted sample):
LisectAVT_2403002A_218.exe: 100%, Avira, TR/Redcap.iodtu
LisectAVT_2403002A_218.exe: 100%, Joe Sandbox ML

Source / Detection / Scanner / Label (dropped files):
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe: 100%, Avira, TR/Redcap.iodtu
C:\ProgramData\MPGPH131\MPGPH131.exe: 100%, Avira, TR/Redcap.iodtu
C:\Users\user\AppData\Local\RageMP131\RageMP131.exe: 100%, Joe Sandbox ML
C:\ProgramData\MPGPH131\MPGPH131.exe: 100%, Joe Sandbox ML

No Antivirus matches (two further detection tables are empty)

Source / Detection / Scanner / Label (URLs):
http://www.winimage.com/zLibDll: 0%, URL Reputation, safe
https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll: 0%, Avira URL Cloud, safe
https://t.me/RiseProSUPPORTd: 0%, Avira URL Cloud, safe
https://t.me/RiseProSUPPORT: 0%, Avira URL Cloud, safe
No contacted domains info

URLs found in memory (Name / Source / Malicious / Antivirus Detection / Reputation):

https://ipinfo.io/https://www.maxmind.com/en/locate-my-ip-addressWs2_32.dll
  Sources: LisectAVT_2403002A_218.exe (00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp); MPGPH131.exe (00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp); RageMP131.exe (00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp)
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  Note: this is not one URL. The string extractor ran three adjacent strings together: https://ipinfo.io/, https://www.maxmind.com/en/locate-my-ip-address (both public IP-geolocation services) and the import name Ws2_32.dll.

http://www.winimage.com/zLibDll
  Sources: the same twelve memory dumps as above
  Malicious: false; URL Reputation: safe; Reputation: unknown
  Note: a string embedded by the zlib Windows DLL build (zlibwapi), which indicates statically linked zlib rather than a contacted host.

https://t.me/RiseProSUPPORT
  Sources: LisectAVT_2403002A_218.exe (00000000.00000002.3306620800.00000000008BE000.00000004.00000020.00020000.00000000.sdmp); MPGPH131.exe (00000006.00000002.3306495921.00000000007CD000.00000004.00000020.00020000.00000000.sdmp, 00000007.00000002.3308650896.000000000159B000.00000004.00000020.00020000.00000000.sdmp); RageMP131.exe (00000008.00000002.3307041255.000000000080E000.00000004.00000020.00020000.00000000.sdmp, 0000000A.00000002.3306406019.000000000070B000.00000004.00000020.00020000.00000000.sdmp)
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  Note: the RisePro operators' Telegram support handle, present in every process and a useful string-level indicator for this family.

https://t.me/RiseProSUPPORTd
  Sources: LisectAVT_2403002A_218.exe (00000000.00000002.3306620800.00000000008BE000.00000004.00000020.00020000.00000000.sdmp)
  Malicious: false; Avira URL Cloud: safe; Reputation: unknown
  Note: seen in one dump only; most likely the same string read one byte past its terminator rather than a distinct URL.
Contacted IPs (IP / Domain / Country / ASN / ASN Name / Malicious):
193.233.132.74, domain unknown, Russian Federation, ASN 2895, FREE-NET-ASFREEnetEU, malicious: true
Joe Sandbox version: 40.0.0 Tourmaline
Analysis ID: 1482410
Start date and time: 2024-07-25 22:34:39 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: LisectAVT_2403002A_218.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@11/5@0/1 (score 100, trojan, evasive, Windows EXE; 11 processes, 5 dropped files, 0 domains, 1 IP)
EGA Information:
• Successful, ratio: 100%
HCA Information: Failed
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analysed, so the report is missing behavior information
• VT rate limit hit for: LisectAVT_2403002A_218.exe
Timeline (Time / Type / Description). The API Interceptor rows are stamped by a different clock than the Task Scheduler and Autostart rows, which follow the 22:34:39 +02:00 analysis start; times are reproduced as the report emitted them. "Sleep call modified" means the sandbox shortened the sleep; over 1.5 million Sleep calls from the primary process alone is itself a sign of a timing-based stalling loop.
16:35:59  API Interceptor  1507066x Sleep call for process LisectAVT_2403002A_218.exe modified
16:36:06  API Interceptor  3435x Sleep call for process MPGPH131.exe modified
16:36:13  API Interceptor  1224678x Sleep call for process RageMP131.exe modified
22:35:34  Task Scheduler   Run new task: MPGPH131 HR, path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:35:34  Autostart        Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
22:35:35  Task Scheduler   Run new task: MPGPH131 LG, path: C:\ProgramData\MPGPH131\MPGPH131.exe
22:35:43  Autostart        Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value RageMP131 = C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
Persistence is therefore doubled: two scheduled tasks launch the ProgramData copy, and a per-user Run value (logged under both the HKCU and HKCU64 views) launches the AppData\Local copy.
Related samples by contacted IP 193.233.132.74 (Associated Sample Name / Detection / Threat Name; the SHA-256 and link columns did not survive extraction):
LisectAVT_2403002A_228.exe: malicious, RisePro Stealer
LisectAVT_2403002A_376.exe: malicious, RisePro Stealer
LisectAVT_2403002B_242.exe: malicious, RisePro Stealer
LisectAVT_2403002A_224.exe: malicious, RisePro Stealer
80OrFCsz0u.exe: malicious, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer
SecuriteInfo.com.Win64.Evo-gen.28136.30716.exe: malicious, GCleaner, Glupteba, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer
file.exe: malicious, RisePro Stealer
vGDqFBB1Jz.exe: malicious, RisePro Stealer
iKV7MCWDJF.exe: malicious, RisePro Stealer
8TFD6H44Pz.exe: malicious, RisePro Stealer

No context

Related samples by ASN FREE-NET-ASFREEnetEU (Associated Sample Name / Detection / Threat Name / contacted IP):
LisectAVT_2403002A_228.exe: malicious, RisePro Stealer, 193.233.132.74
LisectAVT_2403002A_30.exe: malicious, Amadey, 193.233.132.56
LisectAVT_2403002A_33.exe: malicious, Amadey, 193.233.132.56
LisectAVT_2403002A_376.exe: malicious, RisePro Stealer, 193.233.132.74
LisectAVT_2403002A_389.exe: malicious, Amadey, 193.233.132.56
LisectAVT_2403002A_419.exe: malicious, RisePro Stealer, 193.233.132.67
LisectAVT_2403002A_419.exe: malicious, RisePro Stealer, 193.233.132.67
LisectAVT_2403002A_464.exe: malicious, RisePro Stealer, 193.233.132.109
LisectAVT_2403002A_464.exe: malicious, RisePro Stealer, 193.233.132.109
LisectAVT_2403002A_79.exe: malicious, Amadey, 193.233.132.56

No context
No context
Process: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2343431
Entropy (8bit): 7.968148546076954
Encrypted: false
SSDEEP: 49152:CpzidCiuvctbVbLnkCUJeKDHkQ9bQEc9DQ33/XWfup14n9Od:ogFlbVb7Ke6H9bQ3DQ+fEOO
MD5: 6B79EBBF323BC3F77FB55112E9110F12
SHA1: 764F8EF62FCBAE36F7AA89E7766C171A2CB0D658
SHA-256: B0F736A2FF992A8ADC9FE5186368EF213B16CDF26ACDE6DE7A6EC7DD9EFA14FD
SHA-512: E83EF6B9352599A8C0B677F61DC061C89DCD8F45C679533D15219F06EF282E94D1D574D5BBF7798952F091380853A299BCA24B7A7CE6512CB6A71694498FF058
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Note: size and every hash equal those of the submitted sample, so this dropped PE is a byte-for-byte copy of it (the path header of this entry did not survive extraction; the behavior graph names the two PE drops as RageMP131.exe and MPGPH131.exe).
Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Z...........@...........................Z.......$...@.........................tmZ.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .@,..........$..............@...ixqntyfn......@......&..............@...fwmicjtz......Z.......#.............@...........................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Note: this is the Zone.Identifier alternate data stream written beside one of the dropped copies (its path header did not survive extraction). ZoneId=0 is the Local Machine zone, so the copy carries no Mark-of-the-Web (that would be ZoneId=3, Internet) and runs without a download warning.
Process: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 2343431
Entropy (8bit): 7.968148546076954
Encrypted: false
SSDEEP: 49152:CpzidCiuvctbVbLnkCUJeKDHkQ9bQEc9DQ33/XWfup14n9Od:ogFlbVb7Ke6H9bQ3DQ+fEOO
MD5: 6B79EBBF323BC3F77FB55112E9110F12
SHA1: 764F8EF62FCBAE36F7AA89E7766C171A2CB0D658
SHA-256: B0F736A2FF992A8ADC9FE5186368EF213B16CDF26ACDE6DE7A6EC7DD9EFA14FD
SHA-512: E83EF6B9352599A8C0B677F61DC061C89DCD8F45C679533D15219F06EF282E94D1D574D5BBF7798952F091380853A299BCA24B7A7CE6512CB6A71694498FF058
Malicious: true
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
Note: the second dropped PE; identical in size and hashes to the submitted sample and to the first dropped PE above, i.e. another byte-for-byte self-copy (path header missing from the extraction).
Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{Tf..Tg.{T..yUg.{TRichf.{T................PE..L.....e...............".....0........Z...........@...........................Z.......$...@.........................tmZ.L...U...i.......X+.......................................................................................................... . .p..........................@....rsrc...X+..........................@....idata ............."..............@... .@,..........$..............@...ixqntyfn......@......&..............@...fwmicjtz......Z.......#.............@...........................................................................................................................................................................................................................
Process: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Reputation: high, very likely benign file
Preview: [ZoneTransfer]....ZoneId=0
Note: the Zone.Identifier stream of the other dropped copy; identical content and hashes to the first Zone.Identifier entry above.
Process: C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
File Type: ASCII text, with no line terminators
Category: modified
Size (bytes): 13
Entropy (8bit): 2.8731406795131336
Encrypted: false
SSDEEP: 3:LE6:T
MD5: E2362ACA25F39E284E6E9D2F9B30F59F
SHA1: 257B9A745CE7E7146DECF3BAC12D9E06E1425BCF
SHA-256: 4D8C2EB9746A578F0EB4EBA37463B575CB57BB6DC6BE5C7FCE9CF30A594E7564
SHA-512: C8E3956EB5A816F4E8C668503999C87ADCEF8C1DEF703783201D03E7B8AA4CC3786FBE5AE546BF4ED24E028B94B78115A2AE6C3AD674DE9EA0FB5FBC66615664
Malicious: false
Reputation: low
Preview: 1721943720415
Note: an existing file the sample rewrote (category "modified"; its path did not survive extraction). The content is a 13-digit value with the form of a Unix epoch timestamp in milliseconds.
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.968148546076954
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: LisectAVT_2403002A_218.exe
File size: 2'343'431 bytes
MD5: 6b79ebbf323bc3f77fb55112e9110f12
SHA1: 764f8ef62fcbae36f7aa89e7766c171a2cb0d658
SHA256: b0f736a2ff992a8adc9fe5186368ef213b16cdf26acde6de7a6ec7dd9efa14fd
SHA512: e83ef6b9352599a8c0b677f61dc061c89dcd8f45c679533d15219f06ef282e94d1d574d5bbf7798952f091380853a299bca24b7a7ce6512cb6a71694498ff058
SSDEEP: 49152:CpzidCiuvctbVbLnkCUJeKDHkQ9bQEc9DQ33/XWfup14n9Od:ogFlbVb7Ke6H9bQ3DQ+fEOO
TLSH: A2B533B6966772AECD0A8FB1143257032E91BF805364F28E0CD67F9F791B3598306DA1
File Content Preview: MZ......................@...................................(...........!..L.!This program cannot be run in DOS mode....$......."...f.{Tf.{Tf.{T-.xUk.{T-.~U..{T-.|Ug.{T)..Tb.{T)..Ut.{T).xUq.{T).~U3.{T-..U..{T-.}Ug.{T-.zU}.{Tf.zT@.{T..rUz.{T..{Ug.{T...Tg.{
Icon Hash: c769eccc64f6e2bb
Entrypoint: 0x9aa000
Entrypoint Section: fwmicjtz (a generated section name; the entry point is not in .text)
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x65FE94C6 [Sat Mar 23 08:37:26 2024 UTC]
TLS Callbacks: (none)
CLR (.Net) Version: (none)
OS Version Major: 6
OS Version Minor: 0
File Version Major: 6
File Version Minor: 0
Subsystem Version Major: 6
Subsystem Version Minor: 0
Import Hash: 2eabe9054cad5152567f0699947a2c5b
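The header block records three traits worth checking mechanically on any incoming binary: the entry point sits in a section with a generated name (fwmicjtz), the whole-file entropy is 7.97, and the signatures report section rights changing at run time. The Python below is an added example, not code from Joe Sandbox or from this page: it parses PE32 headers with struct alone, finds the section that contains AddressOfEntryPoint, measures per-section entropy and flags those traits. Because the sample itself is not on this page, build_pe() constructs a small PE32 that imitates its layout (a .text section, a .rsrc section, a section whose name holds control characters, and a writable+executable section named fwmicjtz that holds the entry point); the sample's section name is reused only so the output reads like the report.

```python
"""Static PE32 triage: entry-point section, per-section entropy, section rights.
Added example, not part of the Joe Sandbox report; standard library only. The PE it
analyses is built by build_pe(), a constructed stand-in for the sample."""
import math
import random
import re
import struct
from collections import Counter
from dataclasses import dataclass

IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x20, 0x40
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
STANDARD_NAMES = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata", ".edata", ".pdata", ".bss", ".tls", ".CRT"}
SECTION_HDR = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, 4 unused, Characteristics


@dataclass
class Section:
    name: str
    va: int
    vsize: int
    raw_ptr: int
    raw_size: int
    chars: int
    entropy: float = 0.0


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty input, 8.0 for a uniform byte distribution."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def parse_pe(data):
    """Return (AddressOfEntryPoint, [Section]) for a PE32 image, or raise ValueError."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24  # optional header follows the 4-byte signature and 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not PE32 (PE32+ is out of scope for this example)")
    entry = struct.unpack_from("<I", data, opt + 16)[0]  # AddressOfEntryPoint, an RVA
    sections = []
    for i in range(nsec):
        raw_name, vsize, va, raw_size, raw_ptr, _, _, _, _, chars = struct.unpack_from(SECTION_HDR, data, opt + opt_size + 40 * i)
        s = Section(raw_name.rstrip(b"\0").decode("latin-1"), va, vsize, raw_ptr, raw_size, chars)
        s.entropy = shannon_entropy(data[raw_ptr:raw_ptr + raw_size])
        sections.append(s)
    return entry, sections


def triage_pe(data):
    """Flag the traits the report lists for this sample; returns entry section, sections, findings."""
    entry, sections = parse_pe(data)
    findings = []
    ep = next((s for s in sections if s.va <= entry < s.va + max(s.vsize, s.raw_size)), None)
    if ep is None:
        findings.append(f"entry point {entry:#x} lies outside every section")
    elif ep.name not in STANDARD_NAMES:
        findings.append(f"entry point {entry:#x} lies in non-standard section {ep.name!r}")
    for s in sections:
        if not re.fullmatch(r"\.?[A-Za-z0-9_$]{1,8}", s.name):
            findings.append(f"section name {s.name!r} contains special characters")
        if s.raw_size and s.entropy > 7.5:
            findings.append(f"section {s.name!r} has entropy {s.entropy:.2f} (packed or encrypted)")
        if s.chars & IMAGE_SCN_MEM_EXECUTE and s.chars & IMAGE_SCN_MEM_WRITE:
            findings.append(f"section {s.name!r} is writable and executable (self-modifying code)")
    return {"entry_section": ep.name if ep else None, "sections": sections, "findings": findings}


def _align(n, a):
    return (n + a - 1) // a * a


def build_pe(sections, entry_rva, file_align=0x200, sect_align=0x1000):
    """Constructed minimal PE32 from [(name bytes, data bytes, IMAGE_SCN_* flags)]; headers only need to parse."""
    e_lfanew, opt_size = 0x40, 224
    hdr_size = _align(e_lfanew + 24 + opt_size + 40 * len(sections), file_align)
    raw_ptr, va, sec_hdrs, body = hdr_size, sect_align, b"", b""
    for name, data, chars in sections:
        raw_size = _align(len(data), file_align)
        sec_hdrs += struct.pack(SECTION_HDR, name, len(data), va, raw_size, raw_ptr, 0, 0, 0, 0, chars)
        body += data.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += _align(len(data), sect_align)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x0102)  # i386, 32-bit EXE
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "HH" + "I" * 6,
                      0x10B, 14, 0, 0, 0, 0, entry_rva, sect_align, 0, 0x400000, sect_align, file_align,
                      6, 0, 0, 0, 6, 0, 0, va, hdr_size, 0, 2, 0x0140,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16) + b"\0" * 128  # 16 empty data directories
    return (dos + b"PE\0\0" + coff + opt + sec_hdrs).ljust(hdr_size, b"\0") + body


# Constructed stand-in for the sample's layout: plain code, resources, a section named with
# control characters, and a writable+executable generated-name section holding the entry point.
_rng = random.Random(1482410)  # seeded so the entropy figure is reproducible
DEMO_SECTIONS = [
    (b".text", b"\x90" * 0x300 + b"\xc3", IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (b".rsrc", b"\0" * 0x200, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b"\x01 .p", b"\0" * 0x10, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ),
    (b"fwmicjtz", bytes(_rng.getrandbits(8) for _ in range(0x1000)),
     IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
]
DEMO_PE = build_pe(DEMO_SECTIONS, entry_rva=0x4010)  # the fourth section is mapped at RVA 0x4000

if __name__ == "__main__":
    result = triage_pe(DEMO_PE)
    for s in result["sections"]:
        print(f"{s.name!r:12} va={s.va:#07x} raw={s.raw_size:#06x} entropy={s.entropy:.3f} chars={s.chars:#010x}")
    print("entry point section:", result["entry_section"], "\n" + "\n".join(" - " + f for f in result["findings"]))
```

Run against a real file with triage_pe(open(path, "rb").read()). The entropy threshold of 7.5 is a triage heuristic, not a verdict: legitimate installers with compressed payloads also score high, which is why the script reports the entry-point section and the section rights alongside it rather than any one signal alone.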
Disassembly at the entry point (0x9aa000, section fwmicjtz). Most of the stream is stack-juggling junk: constants are written to [esp] and immediately overwritten, and add/sub pairs on the same register cancel out. Underneath it, the byte at [ebx] is compared with 0CCh (int3) and, if it matches, rewritten through a chain of obfuscated constant arithmetic (mov, xor, and, neg, sub, shl, add, xor with al). That pattern matches the software-packing and self-modifying-code signatures reported for this sample.
                                push edx
                                mov dword ptr [esp], 3FBEF12Ch
                                shr dword ptr [esp], 08h
                                xor dword ptr [esp], 6D29DE47h
                                mov dword ptr [esp], esi
                                sub esp, 00000004h
                                mov dword ptr [esp], esi
                                mov dword ptr [esp], 76801F97h
                                mov dword ptr [esp], eax
                                push ecx
                                mov dword ptr [esp], edx
                                mov edx, esp
                                add edx, 00000004h
                                sub edx, 00000004h
                                xchg dword ptr [esp], edx
                                pop esp
                                mov dword ptr [esp], ebx
                                call 00007F6F2CDE7F96h
                                int3
                                mov eax, dword ptr [esp]
                                push edi
                                mov edi, esp
                                add edi, 00000004h
                                push eax
                                mov eax, 00000004h
                                add edi, eax
                                pop eax
                                xchg dword ptr [esp], edi
                                pop esp
                                sub esp, 04h
                                mov dword ptr [esp], ebp
                                mov ebp, eax
                                push ebp
                                pop ebx
                                pop ebp
                                push 7E7D5AE6h
                                mov dword ptr [esp], edx
                                mov edx, 00000001h
                                add eax, edx
                                pop edx
                                push ebp
                                mov dword ptr [esp], 6B952718h
                                mov dword ptr [esp], ebx
                                mov ebx, 001AA000h
                                sub eax, ebx
                                pop ebx
                                sub eax, 0C3C0048h
                                add eax, 0C3C0000h
                                cmp byte ptr [ebx], FFFFFFCCh
                                jne 00007F6F2CDE8027h
                                push eax
                                mov al, 5Fh
                                push edx
                                mov edx, 00000000h
                                add edx, ebx
                                mov byte ptr [edx], 0000000Ah
                                pop edx
                                xor byte ptr [ebx], 00000068h
                                and byte ptr [ebx], FFFFFFFEh
                                neg byte ptr [ebx]
                                sub byte ptr [ebx], 0000007Dh
                                shl byte ptr [ebx], 00000003h
                                add byte ptr [ebx], 00000057h
                                xor byte ptr [ebx], al
                                pop eax
                                push ebp
                                mov ebp, 000000DDh
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x5a6d74 | 0x4c | ixqntyfn
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13b055 | 0x69 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x138000 | 0x2b58 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x13b1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
 | 0x1000 | 0x137000 | 0x90600 | 2f3e59fe3d0b6bd6ffe66be3698eb65f | False | 0.9990462662337662 | data | 7.98579152603459 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x138000 | 0x2b58 | 0xc00 | 088b2f7c99be53e7b12a0d59558146c3 | False | 0.83984375 | data | 7.038625793039814 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x13b000 | 0x1000 | 0x200 | 745dea56938759dccaf9e183aa01b020 | False | 0.146484375 | data | 0.998472215956371 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
 | 0x13c000 | 0x2c4000 | 0x200 | 59b749c1cee081df0d12bfac401b8ab3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ixqntyfn | 0x400000 | 0x1aa000 | 0x1a9800 | 5ea51b357be7882422932451ca51d3d3 | False | 0.990290031029671 | data | 7.951072598064479 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
fwmicjtz | 0x5aa000 | 0x1000 | 0x400 | 8f84baac9206d013b351c216dc22ff66 | False | 0.75390625 | data | 5.862732268027027 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x5a6dc0 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9216 | Russian | Russia | 0.1892116182572614
RT_GROUP_ICON | 0x5a9368 | 0x14 | data | Russian | Russia | 1.15
RT_VERSION | 0x5a937c | 0x2e4 | data | Russian | Russia | 0.4689189189189189
RT_MANIFEST | 0x5a9660 | 0x17d | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5931758530183727
DLL | Import
kernel32.dll | lstrcpy
Name | Ordinal | Address
Start | 1 | 0x466e80
Language of compilation system | Country where language is spoken | Map
Russian | Russia |
English | United States |
Timestamp | Protocol | SID | Signature | Source Port | Dest Port | Source IP | Dest IP
2024-07-25T22:35:48.985004+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49707 | 40.68.123.157 | 192.168.2.5
2024-07-25T22:35:33.898254+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:35:58.153768+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49716 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:35:39.900957+0200 | TCP | 2049060 | ET MALWARE RisePro TCP Heartbeat Packet | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:35:36.888332+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:36:27.419925+0200 | TCP | 2022930 | ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow | 443 | 49717 | 40.68.123.157 | 192.168.2.5
2024-07-25T22:35:42.875935+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:35:50.981833+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
2024-07-25T22:35:42.873236+0200 | TCP | 2046269 | ET MALWARE [ANY.RUN] RisePro TCP (Activity) | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jul 25, 2024 22:35:33.871870995 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:33.877065897 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:33.877168894 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:33.898253918 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:33.903213978 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:36.888331890 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:36.906835079 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:39.753460884 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.753681898 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.870589018 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:39.870623112 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:39.870687962 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.870732069 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.900957108 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.902481079 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:39.905869961 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:39.907398939 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:42.873235941 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:42.875935078 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:42.878331900 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:42.880894899 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:47.967374086 CEST | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:47.972361088 CEST | 58709 | 49709 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:47.972471952 CEST | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:48.002965927 CEST | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:48.009160042 CEST | 58709 | 49709 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:50.981832981 CEST | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:50.986999035 CEST | 58709 | 49709 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:55.154416084 CEST | 49716 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:55.159446955 CEST | 58709 | 49716 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:55.159538031 CEST | 49716 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:55.188407898 CEST | 49716 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:55.193422079 CEST | 58709 | 49716 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:55.298173904 CEST | 58709 | 49704 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:35:55.298388004 CEST | 49704 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:58.153768063 CEST | 49716 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:35:58.158899069 CEST | 58709 | 49716 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:36:01.293879986 CEST | 58709 | 49705 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:36:01.294007063 CEST | 49705 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:36:01.309449911 CEST | 58709 | 49706 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:36:01.309639931 CEST | 49706 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:36:09.420144081 CEST | 58709 | 49709 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:36:09.420278072 CEST | 49709 | 58709 | 192.168.2.5 | 193.233.132.74
Jul 25, 2024 22:36:16.545372009 CEST | 58709 | 49716 | 193.233.132.74 | 192.168.2.5
Jul 25, 2024 22:36:16.545458078 CEST | 49716 | 58709 | 192.168.2.5 | 193.233.132.74


                                Target ID:0
                                Start time:16:35:28
                                Start date:25/07/2024
                                Path:C:\Users\user\Desktop\LisectAVT_2403002A_218.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\Desktop\LisectAVT_2403002A_218.exe"
                                Imagebase:0x9e0000
                                File size:2'343'431 bytes
                                MD5 hash:6B79EBBF323BC3F77FB55112E9110F12
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000003.2038565636.0000000004AA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:2
                                Start time:16:35:33
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
                                Imagebase:0xe90000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:3
                                Start time:16:35:33
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:16:35:33
                                Start date:25/07/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /f /RU "user" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
                                Imagebase:0xe90000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:16:35:33
                                Start date:25/07/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:16:35:34
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0xac0000
                                File size:2'343'431 bytes
                                MD5 hash:6B79EBBF323BC3F77FB55112E9110F12
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000006.00000003.2108165970.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:7
                                Start time:16:35:35
                                Start date:25/07/2024
                                Path:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Wow64 process (32bit):true
                                Commandline:C:\ProgramData\MPGPH131\MPGPH131.exe
                                Imagebase:0xac0000
                                File size:2'343'431 bytes
                                MD5 hash:6B79EBBF323BC3F77FB55112E9110F12
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000007.00000003.2109410350.00000000052E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false

                                Target ID:8
                                Start time:16:35:43
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x970000
                                File size:2'343'431 bytes
                                MD5 hash:6B79EBBF323BC3F77FB55112E9110F12
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 00000008.00000003.2182379846.00000000049C0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Antivirus matches:
                                • Detection: 100%, Avira
                                • Detection: 100%, Joe Sandbox ML
                                Reputation:low
                                Has exited:false

                                Target ID:10
                                Start time:16:35:51
                                Start date:25/07/2024
                                Path:C:\Users\user\AppData\Local\RageMP131\RageMP131.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Users\user\AppData\Local\RageMP131\RageMP131.exe"
                                Imagebase:0x970000
                                File size:2'343'431 bytes
                                MD5 hash:6B79EBBF323BC3F77FB55112E9110F12
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_RiseProStealer, Description: Yara detected RisePro Stealer, Source: 0000000A.00000003.2262402855.0000000004BD0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:low
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:2.5%
                                  Dynamic/Decrypted Code Coverage:1.5%
                                  Signature Coverage:2.1%
                                  Total number of Nodes:616
                                  Total number of Limit Nodes:61
execution_graph: serialized node and edge listing of the rendered call graph (Windows API calls named in the graph include GetCurrentHwProfileW, RtlAllocateHeap, SetFilePointerEx and WriteFile)
_ValidateLocalCookies 20310->20300 20311->20309 20311->20310 20313 ae0d5e 20312->20313 20314 ae0d51 20312->20314 20316 ae0d6a 20313->20316 20317 acd23f __dosmaperr RtlAllocateHeap 20313->20317 20315 acd23f __dosmaperr RtlAllocateHeap 20314->20315 20318 ae0d56 20315->20318 20316->20304 20319 ae0d8b 20317->20319 20318->20304 20320 ac47a0 __fread_nolock RtlAllocateHeap 20319->20320 20320->20318 20322 ac4587 __fread_nolock RtlAllocateHeap 20321->20322 20323 ac9d20 20322->20323 20328 ad5ef3 20323->20328 20329 ad5f0a 20328->20329 20330 ac9d3d 20328->20330 20329->20330 20336 adf4f3 20329->20336 20332 ad5f51 20330->20332 20333 ac9d4a 20332->20333 20334 ad5f68 20332->20334 20333->20303 20334->20333 20345 add81e 20334->20345 20337 adf4ff __fread_nolock 20336->20337 20338 ad5bdb __Getctype RtlAllocateHeap 20337->20338 20340 adf508 std::_Lockit::_Lockit 20338->20340 20339 adf54e 20339->20330 20340->20339 20341 adf574 __Getctype RtlAllocateHeap 20340->20341 20342 adf537 __Getctype 20341->20342 20342->20339 20343 ad0259 __Getctype RtlAllocateHeap 20342->20343 20344 adf573 20343->20344 20346 ad5bdb __Getctype RtlAllocateHeap 20345->20346 20347 add823 20346->20347 20348 add736 std::_Locinfo::_Locinfo_ctor RtlAllocateHeap RtlAllocateHeap 20347->20348 20349 add82e 20348->20349 20349->20333 20351 ac480d __fread_nolock 20350->20351 20352 ac4814 20351->20352 20353 ac4835 __fread_nolock 20351->20353 20354 ac4723 __fread_nolock RtlAllocateHeap 20352->20354 20357 ac4910 20353->20357 20356 ac482d 20354->20356 20356->19932 20360 ac4942 20357->20360 20359 ac4922 20359->20356 20361 ac4979 20360->20361 20362 ac4951 20360->20362 20364 ad5f82 __fread_nolock RtlAllocateHeap 20361->20364 20363 ac4723 __fread_nolock RtlAllocateHeap 20362->20363 20365 ac496c __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20363->20365 20366 ac4982 20364->20366 20365->20359 20373 ace11f 20366->20373 20369 ac4a2c 20376 ac4cae 20369->20376 20371 ac4a43 20371->20365 20384 ac4ae3 20371->20384 20391 acdf37 20373->20391 20375 
ac49a0 20375->20365 20375->20369 20375->20371 20377 ac4cbd 20376->20377 20378 ad5f82 __fread_nolock RtlAllocateHeap 20377->20378 20379 ac4cd9 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20378->20379 20380 ace11f 2 API calls 20379->20380 20383 ac4ce5 _ValidateLocalCookies 20379->20383 20381 ac4d39 20380->20381 20382 ace11f 2 API calls 20381->20382 20381->20383 20382->20383 20383->20365 20385 ad5f82 __fread_nolock RtlAllocateHeap 20384->20385 20386 ac4af6 20385->20386 20387 ace11f 2 API calls 20386->20387 20390 ac4b40 __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z 20386->20390 20388 ac4b9d 20387->20388 20389 ace11f 2 API calls 20388->20389 20388->20390 20389->20390 20390->20365 20392 acdf43 __fread_nolock 20391->20392 20393 acdf86 20392->20393 20395 acdfcc 20392->20395 20397 acdf4b 20392->20397 20394 ac4723 __fread_nolock RtlAllocateHeap 20393->20394 20394->20397 20396 ace05c __fread_nolock 2 API calls 20395->20396 20395->20397 20396->20397 20397->20375 20399 a50585 20398->20399 20400 a506a9 20398->20400 20403 a5059a 20399->20403 20405 a505f0 20399->20405 20406 a505e3 20399->20406 20401 9e2270 RtlAllocateHeap 20400->20401 20402 a506ae 20401->20402 20404 9e21d0 Concurrency::cancel_current_task RtlAllocateHeap 20402->20404 20407 abf290 std::_Facet_Register RtlAllocateHeap 20403->20407 20411 a505aa __fread_nolock std::_Locinfo::_Locinfo_ctor 20404->20411 20410 abf290 std::_Facet_Register RtlAllocateHeap 20405->20410 20405->20411 20406->20402 20406->20403 20407->20411 20408 ac47b0 RtlAllocateHeap 20409 a506b8 20408->20409 20410->20411 20411->20408 20412 a50667 __fread_nolock std::_Locinfo::_Locinfo_ctor 20411->20412 20412->19939 20414 acdc08 __fread_nolock 20413->20414 20415 acdc1b __fread_nolock 20414->20415 20416 acdc52 __fread_nolock 20414->20416 20421 acdc40 __fread_nolock 20414->20421 20417 acd23f __dosmaperr RtlAllocateHeap 20415->20417 20422 acda06 20416->20422 20419 acdc35 20417->20419 20420 ac47a0 __fread_nolock RtlAllocateHeap 20419->20420 20420->20421 
20421->19942 20426 acda18 __fread_nolock 20422->20426 20428 acda35 20422->20428 20423 acda25 20424 acd23f __dosmaperr RtlAllocateHeap 20423->20424 20425 acda2a 20424->20425 20427 ac47a0 __fread_nolock RtlAllocateHeap 20425->20427 20426->20423 20426->20428 20430 acda76 __fread_nolock 20426->20430 20427->20428 20428->20421 20429 acdba1 __fread_nolock 20433 acd23f __dosmaperr RtlAllocateHeap 20429->20433 20430->20428 20430->20429 20432 ad5f82 __fread_nolock RtlAllocateHeap 20430->20432 20435 ad4623 20430->20435 20494 ac8a2b 20430->20494 20432->20430 20433->20425 20436 ad464d 20435->20436 20437 ad4635 20435->20437 20439 ad498f 20436->20439 20444 ad4690 20436->20444 20438 acd22c __dosmaperr RtlAllocateHeap 20437->20438 20441 ad463a 20438->20441 20440 acd22c __dosmaperr RtlAllocateHeap 20439->20440 20442 ad4994 20440->20442 20443 acd23f __dosmaperr RtlAllocateHeap 20441->20443 20445 acd23f __dosmaperr RtlAllocateHeap 20442->20445 20449 ad4642 20443->20449 20446 ad469b 20444->20446 20444->20449 20453 ad46cb 20444->20453 20448 ad46a8 20445->20448 20447 acd22c __dosmaperr RtlAllocateHeap 20446->20447 20450 ad46a0 20447->20450 20452 ac47a0 __fread_nolock RtlAllocateHeap 20448->20452 20449->20430 20451 acd23f __dosmaperr RtlAllocateHeap 20450->20451 20451->20448 20452->20449 20454 ad46e4 20453->20454 20455 ad471f 20453->20455 20456 ad46f1 20453->20456 20454->20456 20457 ad470d 20454->20457 20508 ad6e2d 20455->20508 20458 acd22c __dosmaperr RtlAllocateHeap 20456->20458 20463 ae0d44 __fread_nolock RtlAllocateHeap 20457->20463 20460 ad46f6 20458->20460 20462 acd23f __dosmaperr RtlAllocateHeap 20460->20462 20465 ad46fd 20462->20465 20477 ad486b 20463->20477 20464 ad6db3 __freea RtlAllocateHeap 20466 ad4739 20464->20466 20467 ac47a0 __fread_nolock RtlAllocateHeap 20465->20467 20469 ad6db3 __freea RtlAllocateHeap 20466->20469 20493 ad4708 __fread_nolock 20467->20493 20468 ad48e3 ReadFile 20470 ad48fb 20468->20470 20471 ad4957 20468->20471 20472 ad4740 20469->20472 20470->20471 
20491 ad48d4 20470->20491 20479 ad4964 20471->20479 20484 ad48b5 20471->20484 20473 ad474a 20472->20473 20474 ad4765 20472->20474 20478 acd23f __dosmaperr RtlAllocateHeap 20473->20478 20476 ace13d __fread_nolock 2 API calls 20474->20476 20475 ad6db3 __freea RtlAllocateHeap 20475->20449 20476->20457 20477->20468 20486 ad489b 20477->20486 20480 ad474f 20478->20480 20481 acd23f __dosmaperr RtlAllocateHeap 20479->20481 20485 acd22c __dosmaperr RtlAllocateHeap 20480->20485 20487 ad4969 20481->20487 20482 ad4937 20482->20493 20529 ad417b 20482->20529 20483 ad4920 20519 ad4335 20483->20519 20484->20493 20514 acd1e5 20484->20514 20485->20493 20486->20484 20486->20491 20492 acd22c __dosmaperr RtlAllocateHeap 20487->20492 20491->20482 20491->20483 20491->20493 20492->20493 20493->20475 20495 ac8a3c 20494->20495 20504 ac8a38 std::_Locinfo::_Locinfo_ctor 20494->20504 20496 ac8a43 20495->20496 20499 ac8a56 __fread_nolock 20495->20499 20497 acd23f __dosmaperr RtlAllocateHeap 20496->20497 20498 ac8a48 20497->20498 20500 ac47a0 __fread_nolock RtlAllocateHeap 20498->20500 20501 ac8a8d 20499->20501 20502 ac8a84 20499->20502 20499->20504 20500->20504 20501->20504 20506 acd23f __dosmaperr RtlAllocateHeap 20501->20506 20503 acd23f __dosmaperr RtlAllocateHeap 20502->20503 20505 ac8a89 20503->20505 20504->20430 20507 ac47a0 __fread_nolock RtlAllocateHeap 20505->20507 20506->20505 20507->20504 20509 ad6e6b 20508->20509 20513 ad6e3b __dosmaperr std::_Facet_Register 20508->20513 20510 acd23f __dosmaperr RtlAllocateHeap 20509->20510 20512 ad4730 20510->20512 20511 ad6e56 RtlAllocateHeap 20511->20512 20511->20513 20512->20464 20513->20509 20513->20511 20515 acd22c __dosmaperr RtlAllocateHeap 20514->20515 20516 acd1f0 __dosmaperr 20515->20516 20517 acd23f __dosmaperr RtlAllocateHeap 20516->20517 20518 acd203 20517->20518 20518->20493 20533 ad402e 20519->20533 20522 ad43d7 20526 ad4391 __fread_nolock 20522->20526 20527 ace13d __fread_nolock 2 API calls 20522->20527 20523 ad43c7 20524 acd23f 
__dosmaperr RtlAllocateHeap 20523->20524 20525 ad437d 20524->20525 20525->20493 20526->20525 20528 acd1e5 __dosmaperr RtlAllocateHeap 20526->20528 20527->20526 20528->20525 20530 ad41b5 20529->20530 20531 ad4246 20530->20531 20532 ace13d __fread_nolock 2 API calls 20530->20532 20531->20493 20532->20531 20535 ad4062 20533->20535 20534 ad40ce 20534->20522 20534->20523 20534->20525 20534->20526 20535->20534 20536 ace13d __fread_nolock 2 API calls 20535->20536 20536->20534 20538 ac8acf __fread_nolock 20537->20538 20539 ac8afc __fread_nolock 20538->20539 20540 ac8ad9 20538->20540 20541 ac8af4 20539->20541 20544 ac8b5a 20539->20544 20542 ac4723 __fread_nolock RtlAllocateHeap 20540->20542 20541->19946 20542->20541 20545 ac8b8a 20544->20545 20546 ac8b67 20544->20546 20548 ac55d3 4 API calls 20545->20548 20556 ac8b82 20545->20556 20547 ac4723 __fread_nolock RtlAllocateHeap 20546->20547 20547->20556 20549 ac8ba2 20548->20549 20558 ad6ded 20549->20558 20552 ad5f82 __fread_nolock RtlAllocateHeap 20553 ac8bb6 20552->20553 20562 ad4a3f 20553->20562 20556->20541 20557 ad6db3 __freea RtlAllocateHeap 20557->20556 20559 ac8baa 20558->20559 20560 ad6e04 20558->20560 20559->20552 20560->20559 20561 ad6db3 __freea RtlAllocateHeap 20560->20561 20561->20559 20563 ad4a68 20562->20563 20568 ac8bbd 20562->20568 20564 ad4ab7 20563->20564 20566 ad4a8f 20563->20566 20565 ac4723 __fread_nolock RtlAllocateHeap 20564->20565 20565->20568 20569 ad49ae 20566->20569 20568->20556 20568->20557 20570 ad49ba __fread_nolock 20569->20570 20572 ad49f9 20570->20572 20573 ad4b12 20570->20573 20572->20568 20574 ada6de __fread_nolock RtlAllocateHeap 20573->20574 20575 ad4b22 20574->20575 20578 ada6de __fread_nolock RtlAllocateHeap 20575->20578 20583 ad4b5a 20575->20583 20584 ad4b28 20575->20584 20577 ad4b80 __fread_nolock 20577->20572 20580 ad4b51 20578->20580 20579 ada6de __fread_nolock RtlAllocateHeap 20581 ad4b66 FindCloseChangeNotification 20579->20581 20582 ada6de __fread_nolock RtlAllocateHeap 
20580->20582 20581->20584 20582->20583 20583->20579 20583->20584 20585 ada64d 20584->20585 20586 ada65c 20585->20586 20587 acd23f __dosmaperr RtlAllocateHeap 20586->20587 20590 ada686 20586->20590 20588 ada6c8 20587->20588 20589 acd22c __dosmaperr RtlAllocateHeap 20588->20589 20589->20590 20590->20577 19855 a43a40 19858 a43a55 19855->19858 19856 a43b28 GetPEB 19856->19858 19857 a43a73 GetPEB 19857->19858 19858->19856 19858->19857 19859 a43b9d Sleep 19858->19859 19860 a43ae8 Sleep 19858->19860 19861 a43bc7 19858->19861 19859->19858 19860->19858 20921 4d00a7a 20922 4d00ad0 GetCurrentHwProfileW 20921->20922 20924 4d00c88 20922->20924 19853 4d00c63 GetCurrentHwProfileW 19854 4d00c88 19853->19854 20591 9fe0a0 WSAStartup 20592 9fe0d8 20591->20592 20596 9fe1a7 20591->20596 20593 9fe175 socket 20592->20593 20592->20596 20594 9fe18b connect 20593->20594 20593->20596 20595 9fe19d closesocket 20594->20595 20594->20596 20595->20593 20595->20596

                                  Control-flow Graph (function 9fe0a0; executed/not-executed colouring and edge list omitted): blocks 9fe0a0-9fe0d2 WSAStartup, 9fe175-9fe189 socket, 9fe18b-9fe19b connect, 9fe19d-9fe1a5 closesocket
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: c843637cb94904a42ab8c003a4f313a10092caeaa9373ba547fc072836424424
                                  • Instruction ID: a53336a2b26ddcac3fb0b3ab66f002cc5e8582403f568d5fe18ff03b6a8cb292
                                  • Opcode Fuzzy Hash: c843637cb94904a42ab8c003a4f313a10092caeaa9373ba547fc072836424424
                                  • Instruction Fuzzy Hash: 7B31B2716093046FD7219F658C85B6BB7E8EB85328F015F1DFAA4972E0D33198088B92

                                  Control-flow Graph (function a43a40; executed/not-executed colouring and edge list omitted): blocks a43a73-a43a7f GetPEB, a43b28-a43b31 GetPEB, a43ae8-a43b0d Sleep, a43b9d-a43bc2 Sleep, a43bc7-a43bd8 and a43be0-a43bfd call 9e6bd0
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00A43DB6), ref: 00A43B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00A43DB6), ref: 00A43BBA
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: d3e59d71b8843aa30dcf898d2598ea723fde877028961797a53566b0591417f2
                                  • Instruction ID: 70852f3d8cc9e6fae6090d412f03ec798b0d07cfcb9ea09af533d895db9e4e82
                                  • Opcode Fuzzy Hash: d3e59d71b8843aa30dcf898d2598ea723fde877028961797a53566b0591417f2
                                  • Instruction Fuzzy Hash: 1751AB3AA44215CFCF14CF58C8D0EA9B3B1EF85744B298599D445AF351D732EE06CB80

                                  Control-flow Graph (function 4d00a81; executed/not-executed colouring and edge list omitted): block 4d00c68-4d00c73 GetCurrentHwProfileW
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 992a9dcf566866e75ae7c138f62a615b2a67a80088952797274ffafb05babaab
                                  • Instruction ID: d65a648b2b7083f6fe77c42d3ce86593ea12707703009e40f66cf4a9c9a7ff10
                                  • Opcode Fuzzy Hash: 992a9dcf566866e75ae7c138f62a615b2a67a80088952797274ffafb05babaab
                                  • Instruction Fuzzy Hash: 42714DEB64C120BDB15381813B24BFB666EE6D6B30730C466F847D7582F6D49E892131

                                  Control-flow Graph (function ad4623; executed/not-executed colouring and edge list omitted): block ad48e3-ad48f9 ReadFile; the remaining blocks call internal helpers only (acd22c, acd23f, ac47a0, ad6e2d, ad6db3, ace13d, ae0d44, acd1e5, ad4335, ad448c, ad417b)
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 806bdb39056bfd60bcf21a95cf994778b8e8635a74c2694368ce632aeeb970e1
                                  • Instruction ID: 82c36fe6024be7cba5dd64e579616a95f4f152dac1762a839b42b346ea62fe58
                                  • Opcode Fuzzy Hash: 806bdb39056bfd60bcf21a95cf994778b8e8635a74c2694368ce632aeeb970e1
                                  • Instruction Fuzzy Hash: 0EB12470E04249AFEB11DFA9D841BEEBBB5EF4D304F14415AE452AB392CB709D41DBA0

                                  Control-flow Graph (function 4d00a7a; executed/not-executed colouring and edge list omitted): block 4d00c68-4d00c73 GetCurrentHwProfileW
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 38dab8dcae2307b7440f36f30850d350c2485f7d02e2353949621511c3de8a58
                                  • Instruction ID: 585e3da82fffcd27efa32ffb583306152fdfd39b9ef62cdafede886ee56ff84b
                                  • Opcode Fuzzy Hash: 38dab8dcae2307b7440f36f30850d350c2485f7d02e2353949621511c3de8a58
                                  • Instruction Fuzzy Hash: 35715FEB64C220BDB15381813B64BFB666EE6D6B30730C46AF847D7642F6D49E893131

                                  Control-flow Graph (function 4d00b5f; executed/not-executed colouring and edge list omitted): block 4d00c68-4d00c73 GetCurrentHwProfileW
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 998c339c4260892db74fe668d49bbd3f8a07140fb7759b8a687bce587e109255
                                  • Instruction ID: 18425620cbf11497f7c7985c3249960e088dbb9cf5350397268635d5c0e585bf
                                  • Opcode Fuzzy Hash: 998c339c4260892db74fe668d49bbd3f8a07140fb7759b8a687bce587e109255
                                  • Instruction Fuzzy Hash: E771E5EB64C210BDB21385813B64BF76B6DE6D6730330C46AF887D7582F2D4AE892171

                                  Control-flow Graph: 4d00ad5-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd

                                  Control-flow Graph: 4d00ade-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00b02-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00b1c-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00af5-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00b4f-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00b90-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00bb3-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph: 4d00bcc-4d00c5d -> 4d00c68-4d00c73 (GetCurrentHwProfileW) -> 4d00c88-4d00f8b
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04D00C6C
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315055823.0000000004D00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d00000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00AC9087,?,00000000,00000000,00000000,?,00000000,?,009EA3EB,00AC9087,00000000,009EA3EB,?,?), ref: 00AD5621
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00A506AE
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00AD49F9,00000000,CF830579,00B11140,0000000C,00AD4AB5,00AC8BBD,?), ref: 00AD4B68
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmp
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: b5fbdabef05f6c18cfce0eab15b990ecdf2dea3461747e52e88e09cebba3eba7
                                  • Instruction ID: af80e51326b1019cd8893f8caafb64021e4049e3871ddec5542969cddd90c09c
                                  • Opcode Fuzzy Hash: b5fbdabef05f6c18cfce0eab15b990ecdf2dea3461747e52e88e09cebba3eba7
                                  • Instruction Fuzzy Hash: FA116B3364422457D72433346942B7E778ACBBAB74F29021FF81A8B3D2EE74DC415195
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00B10DF8,009EA3EB,00000002,009EA3EB,00000000,?,?,?,00ACE166,00000000,?,009EA3EB,00000002,00B10DF8), ref: 00ACE098
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: b908323ac42a57d46ea83ee74772b309eeb7757c2bb812100f7ef926b023d84a
                                  • Instruction ID: 4f88e12ce34a25b9413aa9eca8bc366b2607931748e38190554794a8b21990c8
                                  • Opcode Fuzzy Hash: b908323ac42a57d46ea83ee74772b309eeb7757c2bb812100f7ef926b023d84a
                                  • Instruction Fuzzy Hash: 3C012232650295AFCF15DF19CC01D9E7B6ADB81324F25020CF8509B2E1EAB2ED419BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E220E
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: d401e379500ae9bc4ee1765facb5c109f8c4336cb7dc2b998a7ec396ac2786b5
                                  • Instruction ID: 1aa8ba388aef43d70124f26fd0f0b0db97e7625ebce1064878ca5436ca23a0d2
                                  • Opcode Fuzzy Hash: d401e379500ae9bc4ee1765facb5c109f8c4336cb7dc2b998a7ec396ac2786b5
                                  • Instruction Fuzzy Hash: EC012B3550430DAFCB14AFA9DC01ED977ECDA00310B54843EFA18DBA52E770E9508790
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00AC91F7,00000000,?,00AD5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00ACD244,00AC89C3,00AC91F7,00000000), ref: 00AD6434
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: a0c3f69f207fea4fdeb017436c5e5522b9b1c3c742e6d5b93d42599a820c552a
                                  • Instruction ID: 3e9e59262313cbe6bd83667002cb93dfb67418057316f3c541afdc84d7f30c17
                                  • Opcode Fuzzy Hash: a0c3f69f207fea4fdeb017436c5e5522b9b1c3c742e6d5b93d42599a820c552a
                                  • Instruction Fuzzy Hash: B3F0E9725451246ADB216B62DF06B5B3B98AF41B60B258023E807A7390CE70EC1046F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00ADD635,4D88C033,?,00ADD635,00000220,?,00AD57EF,4D88C033), ref: 00AD6E60
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 36b0b137e8a35d1d8651485af7362342b688d51045e39cc5ac83fd0c33a58da0
                                  • Instruction ID: 4f1fb36577d4867f519712b058f4ffdcdcc7f54406d1bc6194817bc2b0f8e0e1
                                  • Opcode Fuzzy Hash: 36b0b137e8a35d1d8651485af7362342b688d51045e39cc5ac83fd0c33a58da0
                                  • Instruction Fuzzy Hash: 16E0ED3A180625AADA3023A5CE04BAB77AD8B827A0F060923EC1797390CF20C80081A4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a5c654dfdc4875668e0b58c67efec343cb1bed57fd1360d6efaf92ee627c44f8
                                  • Instruction ID: 4d83239e531b4f7bb1b58d23d8b4bd568e7ac756116248cf4d6ed4091a1f670f
                                  • Opcode Fuzzy Hash: a5c654dfdc4875668e0b58c67efec343cb1bed57fd1360d6efaf92ee627c44f8
                                  • Instruction Fuzzy Hash: A421359B24C121BDB603B59177985F72F69E6D32303328822FC87C5963F154EACA6172
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 372bff5df11d708c08315be2034ed8d75aca72f1da212e203c67fd406685afc6
                                  • Instruction ID: cc664b022d18213ad990ecacdbe2b6a1d4521ed21e26d55542ccaac39ed4bf35
                                  • Opcode Fuzzy Hash: 372bff5df11d708c08315be2034ed8d75aca72f1da212e203c67fd406685afc6
                                  • Instruction Fuzzy Hash: F82129A620C215FEB143B54176449B76769D6D3231330C422FD83D6923F2A0EAD96171
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: df18e15533a26e67ca86a65e62c48bf6321e4b049d42b0aa6ea0424f37f797db
                                  • Instruction ID: 9ca7db71ea531cd2386cb1207686719457d5911cc4b37596d9653e6622e23099
                                  • Opcode Fuzzy Hash: df18e15533a26e67ca86a65e62c48bf6321e4b049d42b0aa6ea0424f37f797db
                                  • Instruction Fuzzy Hash: 1511B1AB34C125FEB14370813A589BB6A59D2D3231331C422FD87D6D23F6A4EAD97171
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: cfc65d77f82dd843be9bf3150fecbbffa1d50507be77e1b669e8829d34068c25
                                  • Instruction ID: c77eb09bbe3c202c3622d11a17c6328af8d98b11f1d870c78e317f2175ff4259
                                  • Opcode Fuzzy Hash: cfc65d77f82dd843be9bf3150fecbbffa1d50507be77e1b669e8829d34068c25
                                  • Instruction Fuzzy Hash: 851103AB64C125BDB143709137986F76A5DD2D3231331C422FD83D5D23B2A4EAC92171
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4acab390215bd4b875dffb34ebdfc67420c81ea5a8357ee45a794f83db8b10a7
                                  • Instruction ID: 05663cb40614b75373a3ee72e168ec84babe4c2dbf6d6aba3fc78e9bee72badd
                                  • Opcode Fuzzy Hash: 4acab390215bd4b875dffb34ebdfc67420c81ea5a8357ee45a794f83db8b10a7
                                  • Instruction Fuzzy Hash: 6111D0AB24C125BDB14370813B989BB6A59D2D3231331C422FD87D5D23B2A4EAD97172
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8582c4a8fb95252e26fe1c127e8e1fa0d74e34779e8770a102d8eea982107d1f
                                  • Instruction ID: c7c565ad401b38af0a354ee3f075426a9b5116ab45a4cece6f0e9a4d45f94232
                                  • Opcode Fuzzy Hash: 8582c4a8fb95252e26fe1c127e8e1fa0d74e34779e8770a102d8eea982107d1f
                                  • Instruction Fuzzy Hash: 031103EB20C225BEB143709137986F76A5DD2D3231331C422FD83D6D23B2A4EAC96171
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c551964239f4f81d158b760e1d7f38fd13f328d7cf7d751ef7df53ffc245f414
                                  • Instruction ID: 6b29180ef081cf538cad72c3078cd2a835619916d7357972795abe310aeb5478
                                  • Opcode Fuzzy Hash: c551964239f4f81d158b760e1d7f38fd13f328d7cf7d751ef7df53ffc245f414
                                  • Instruction Fuzzy Hash: 4A11E6AB30C125BDB14375813B585B76A19E6D3231331C422FD87C9923F6A4EAC96171
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6b0837c166c67186164e5d6c83f65a0875343fcf1e5732c7eb91c2491f1ee0c6
                                  • Instruction ID: e3f64f2b5bab3a640badae597967888c69d61a7d8d39624acf777edabcfbd6c3
                                  • Opcode Fuzzy Hash: 6b0837c166c67186164e5d6c83f65a0875343fcf1e5732c7eb91c2491f1ee0c6
                                  • Instruction Fuzzy Hash: AC1123AB30C121BDB143B19137589B76A69D6E3232330C827FC87D5A23F5A0EAC97131
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3d6f83a85339662ff1984ccb6afa36e3df07bec93e2de6c46ca9a7c68b9f25b7
                                  • Instruction ID: 300ee4ad3458eb7bfbb4a6ab748013a24dadc97925d8d1fa50a95addc0050532
                                  • Opcode Fuzzy Hash: 3d6f83a85339662ff1984ccb6afa36e3df07bec93e2de6c46ca9a7c68b9f25b7
                                  • Instruction Fuzzy Hash: 1F11E5AB60C111BDB143B09137589F76A59D5D3231331C827FD83D5913B194EAC92172
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7397761b6e4d1b99aeae55674cd228acf0ea123c041d37f1b0b3408b296bfcf6
                                  • Instruction ID: d4796ebc754ac1010ffe00899a287fb508835624a179c9f7e9a0f95a6782c4b5
                                  • Opcode Fuzzy Hash: 7397761b6e4d1b99aeae55674cd228acf0ea123c041d37f1b0b3408b296bfcf6
                                  • Instruction Fuzzy Hash: 2401F2AB20C221BDB143B08137586B79B29D2E3231331C823FC83D2E13B294EAC93031
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 209dfcbf8aec33a2c3aa3885b30ab099e413f19551dafbdf1cf2ec10106242d8
                                  • Instruction ID: 9284cbe6727d0015ca98b99c3361d1d70724a1b2a25ddf12e2b1be3dde887fc2
                                  • Opcode Fuzzy Hash: 209dfcbf8aec33a2c3aa3885b30ab099e413f19551dafbdf1cf2ec10106242d8
                                  • Instruction Fuzzy Hash: 01F02DAB64C110BDF143B09137281B66B58D6D3331371C463F983D2913B290D9893131
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3315106945.0000000004D10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04D10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_4d10000_LisectAVT_2403002A_218.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aa429568e2c4a483a2b1d27384969a41bbc5bc04b73eb3794d313df21a30e221
                                  • Instruction ID: 816b33c83b9c450b26bfb25e51a128c64e8c4fa796a24c54f4dff1808300da74
                                  • Opcode Fuzzy Hash: aa429568e2c4a483a2b1d27384969a41bbc5bc04b73eb3794d313df21a30e221
                                  • Instruction Fuzzy Hash: 68F0505714C154BEB34371A5225C1FB6F14D6D31317318466E94386A12A2A0998D7231
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: $$%s|%s$,$,$.$.$131$:$type must be boolean, but is
                                  • API String ID: 0-3347632522
                                  • Opcode ID: 1d6391184c76a3830dda888eab1aacbbf69ca5d4cf628e809cdff4db56277d88
                                  • Instruction ID: 5c81a8770b02967d08953cf4294269c5113443871be5ef2ba3686f8e806c51b0
                                  • Opcode Fuzzy Hash: 1d6391184c76a3830dda888eab1aacbbf69ca5d4cf628e809cdff4db56277d88
                                  • Instruction Fuzzy Hash: A023CFB0D0025C8FDB28DF68C958BEDBBB4BF45304F148199E549AB292DB359E84CF91
                                  Strings
                                  • unordered_map/set too long, xrefs: 00A578C7
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: unordered_map/set too long
                                  • API String ID: 0-306623848
                                  • Opcode ID: d6f83b140a36e013be64e14ec6817d3bdb11071f32ed696bcf95122f1dfe8a49
                                  • Instruction ID: ea503d0094c0e2a26c7e5c491263c9cb59e62387ff868cc2a058612f95eeb04d
                                  • Opcode Fuzzy Hash: d6f83b140a36e013be64e14ec6817d3bdb11071f32ed696bcf95122f1dfe8a49
                                  • Instruction Fuzzy Hash: 7A6281B1E002099FCB14DF6DD980A9DBBB5FF88310F248669EC19AB395D730AD55CB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 11b4e9827c41137e2607a520d2bcce1ae83cd52a521c3a20844d517e157b9056
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: D5022A71E012199FDF14CFA9C980BAEFBB1FF48314F25826DD919A7381DB35A9418B90
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /Kim$/Kim$type must be number, but is $type must be string, but is
                                  • API String ID: 0-1144537432
                                  • Opcode ID: 252ac13bfd7c7e2e383e2fc731134e754c1be8ca5232870b34f8d769f94af2ef
                                  • Instruction ID: e76d3810afbbb85942d9e460c856830d1896430e827a2b102ed04560509f7072
                                  • Opcode Fuzzy Hash: 252ac13bfd7c7e2e383e2fc731134e754c1be8ca5232870b34f8d769f94af2ef
                                  • Instruction Fuzzy Hash: B3910872E006089FCB08DF6CD9657DDBBA9FB88310F14826DE819D7391E6759D09CB80
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: /$/\/$\
                                  • API String ID: 0-1523196992
                                  • Opcode ID: 608f6fbbe8370d2af2f7ecc8c6eccc1df2d8b76fd3fd4e228207dfef5d2164c7
                                  • Instruction ID: 024b2096604efde192611ff974be3c08507acb9363d52a3c8285debf43382e48
                                  • Opcode Fuzzy Hash: 608f6fbbe8370d2af2f7ecc8c6eccc1df2d8b76fd3fd4e228207dfef5d2164c7
                                  • Instruction Fuzzy Hash: 14921671D002898FDF1ACFA9C8947EEBBB9BF45314F18426DD445AB282E7315E46CB50
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: File
                                  • API String ID: 0-749574446
                                  • Opcode ID: b5715eaea7452b83bdb68475118bf65fe444bd1caabcf8513bbb12f174958563
                                  • Instruction ID: 2207506211dce609b32aeb62fb14dde43368cd197c41244542c570b22ce99d4c
                                  • Opcode Fuzzy Hash: b5715eaea7452b83bdb68475118bf65fe444bd1caabcf8513bbb12f174958563
                                  • Instruction Fuzzy Hash: C6C1AF70D0429D9AEF25DFA5CC85BEEBBB9FF05304F10006DE904AB281EB719A45CB65
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID: 0
                                  • API String ID: 0-4108050209
                                  • Opcode ID: 4685ad04bba33d30d22ca923b9ad0d62b72e95544c1c84a3029acf84acc3541a
                                  • Instruction ID: 6f865dd8ee0da54549d7df12b61430d0f9ce6033a53473541cb42a1b5df94136
                                  • Opcode Fuzzy Hash: 4685ad04bba33d30d22ca923b9ad0d62b72e95544c1c84a3029acf84acc3541a
                                  • Instruction Fuzzy Hash: 54B1CE34900646CFDB24CF69C981FBAB7B1AF05320F1A465DD45A9B392C732ED45CB60
                                  APIs
                                  • GetSystemTimePreciseAsFileTime.KERNEL32(?,?,00ABEC78,?,?,?,?,009F40EB,?,00A43C2E), ref: 00ABF283
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Time$FilePreciseSystem
                                  • String ID:
                                  • API String ID: 1802150274-0
                                  • Opcode ID: 0e78280027d4e2bc7f01754ddcace2cb3523d94e13f37cd0aab9f7c26ac14104
                                  • Instruction ID: 8349135217661a6bbbe6bd88a99b987c53ec30b35ee8697693df71252ae1c02f
                                  • Opcode Fuzzy Hash: 0e78280027d4e2bc7f01754ddcace2cb3523d94e13f37cd0aab9f7c26ac14104
                                  • Instruction Fuzzy Hash: 17D022379010385B8A153BC0AC008ECBF2ECE09B943084036EC046B114CF116C009BD4
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 270ec47e84ad16f90adf0a5b78032081837d7cc95b20ca816d63415026ea05fe
                                  • Instruction ID: e026d0dfba9cdbf27a58f63ade430536f960807c8a4297163c04adf9b5ec1200
                                  • Opcode Fuzzy Hash: 270ec47e84ad16f90adf0a5b78032081837d7cc95b20ca816d63415026ea05fe
                                  • Instruction Fuzzy Hash: 216290B0E002159FDB14CF59C5847AEBBF5AF88308F2881ADD818AB356D736D946CF91
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e01a63de0acecfa5eb1506d60f94531ec9da83d204471109b6ed84efa514c088
                                  • Instruction ID: 75f638ce04ea5b333f968e67adc417a9605d25cf55fd49befaccfdf1acdb77a1
                                  • Opcode Fuzzy Hash: e01a63de0acecfa5eb1506d60f94531ec9da83d204471109b6ed84efa514c088
                                  • Instruction Fuzzy Hash: 65B1E1365007469FDB289B24CC92BBBB3A8EF44308F54453FE98786794EA75A985CB10
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d081ceef8a78a141e5ac2dbd6bd4c379b44bf71b8fec22b9a63984f40651a3dd
                                  • Instruction ID: d34018717610bb550bab15b13943363a1b4c76f279b5f7b02845aa72028a1969
                                  • Opcode Fuzzy Hash: d081ceef8a78a141e5ac2dbd6bd4c379b44bf71b8fec22b9a63984f40651a3dd
                                  • Instruction Fuzzy Hash: E2B12C326106089FD715CF28C49ABA67BE0FF45364F25865DE89ACF3A1C735E992CB40
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b13c60185003b5ad14668dcb3bc601f7d5a1edc7501da07896d0c4c3237e5350
                                  • Instruction ID: 483d6c1841cf8c8b22568798d007fb120f6a6ae0bad04761416a3d846c1cdb31
                                  • Opcode Fuzzy Hash: b13c60185003b5ad14668dcb3bc601f7d5a1edc7501da07896d0c4c3237e5350
                                  • Instruction Fuzzy Hash: 6971F4B4D002968FDB16CF6AC9D17FEFBB9EB19300F440269D86597342CB259D06C7A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2d0c762883c5601642a628faadd3d23c8bd14addee5b4fc7474edd6becad6057
                                  • Instruction ID: b27a8ce40a56b4a2576870c2fb75e3cb1dc514e6bc5d101233391ab158e8a5a1
                                  • Opcode Fuzzy Hash: 2d0c762883c5601642a628faadd3d23c8bd14addee5b4fc7474edd6becad6057
                                  • Instruction Fuzzy Hash: 88612E716201654FD718CFDEECC04763772A78A311386462AEAC1DB3A6C739E927D7A0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 57b62643dc163fa50f5cc0e6c8f0c8a786d6c6b31965158a7c8b99554546a1f3
                                  • Instruction ID: fe80458124c3c89f94eb6947826f6483aee12ff72f8bcb647aa8ea9298c139d9
                                  • Opcode Fuzzy Hash: 57b62643dc163fa50f5cc0e6c8f0c8a786d6c6b31965158a7c8b99554546a1f3
                                  • Instruction Fuzzy Hash: 6C8185B0C1429C9EDF18CFA5D4456EEBFB4EF06304F90809ED452AB651D778530ACB66
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 10e515bf9a574895e222d320d781aa484cc2d8f2427c2d5a14b2124a32c28fda
                                  • Instruction ID: 652df5f8e15889cd12a71d8afa5d4be79d9813c9a4b730bda0e894d7d82cee92
                                  • Opcode Fuzzy Hash: 10e515bf9a574895e222d320d781aa484cc2d8f2427c2d5a14b2124a32c28fda
                                  • Instruction Fuzzy Hash: B351BF71E002099FCB18CF98D981AEEBBB9FB58310F14456DE925A7341D730AA44CBA0
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction ID: a144fc18bb491a8022e2bb4249ffc6a85fc4fe432bd1c4a57b8302d8ff87b848
                                  • Opcode Fuzzy Hash: 920c44e739ca4d08db5b5969fbc7a5a158caad0a814d8dad7807257cb044add9
                                  • Instruction Fuzzy Hash: 9C517F72D00219AFDF14CF99C941BEEBBB6FF88314F1A846DE915AB201D7349A50DB90
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  • Associated: 00000000.00000002.3307413069.00000000009E0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307468308.0000000000B13000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307736561.0000000000B18000.00000004.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000B1C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000CA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000D91000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DC6000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DD2000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3307790549.0000000000DE0000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308363344.0000000000DE1000.00000080.00000001.01000000.00000003.sdmpDownload File
                                  • Associated: 00000000.00000002.3308789391.0000000000F8A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction ID: 86cd4175e0247e0cf0f9e348b754af705a62760457773b80cbab2803d3d2ecd9
                                  • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                  • Instruction Fuzzy Hash: D311C8BB24018283D6578B2DD8B4FB6A7A5EBE532172F437ED0434B65CD222D9459700
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A4F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A4F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A4F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00A4F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00A4F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4FA08
                                  • std::_Facet_Register.LIBCPMT ref: 00A4FA15
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009E3A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009E3AA4
                                  • __Getctype.LIBCPMT ref: 009E3ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009E3AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009E3B7B
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00AC2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00AC2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00AC2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00AC2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00AC2F58
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A4DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00A4DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4DED6
                                  • std::_Facet_Register.LIBCPMT ref: 00A4DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00A4DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00A4DF7B
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E4F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E4FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E50C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 009E504C
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E7B75
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E75BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E75CD
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E3E7F
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009E7340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E6F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009E6F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00A5E491
                                  Strings
                                  • type must be string, but is , xrefs: 00A5E4F8
                                  • type must be boolean, but is , xrefs: 00A5E582
                                  Memory Dump Source
                                  • Source File: 00000000.00000002.3307468308.00000000009E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 009E0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_0_2_9e0000_LisectAVT_2403002A_218.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039

                                  Execution Graph

                                  Execution Coverage:2.7%
                                  Dynamic/Decrypted Code Coverage:1.3%
                                  Signature Coverage:0%
                                  Total number of Nodes:615
                                  Total number of Limit Nodes:61
ba8a38 std::locale::_Init 19519->19523 19521 ba8a43 19520->19521 19525 ba8a56 __fread_nolock 19520->19525 19522 bad23f __dosmaperr RtlAllocateHeap 19521->19522 19524 ba8a48 19522->19524 19523->19452 19526 ba47a0 __fread_nolock RtlAllocateHeap 19524->19526 19525->19523 19527 ba8a8d 19525->19527 19528 ba8a84 19525->19528 19526->19523 19527->19523 19531 bad23f __dosmaperr RtlAllocateHeap 19527->19531 19529 bad23f __dosmaperr RtlAllocateHeap 19528->19529 19530 ba8a89 19529->19530 19532 ba47a0 __fread_nolock RtlAllocateHeap 19530->19532 19531->19530 19532->19523 19534 bb6e6b 19533->19534 19535 bb6e3b __Getctype std::_Facet_Register 19533->19535 19537 bad23f __dosmaperr RtlAllocateHeap 19534->19537 19535->19534 19536 bb6e56 RtlAllocateHeap 19535->19536 19536->19535 19538 bb4730 19536->19538 19537->19538 19538->19488 19540 bad22c __dosmaperr RtlAllocateHeap 19539->19540 19541 bad1f0 __dosmaperr 19540->19541 19542 bad23f __dosmaperr RtlAllocateHeap 19541->19542 19543 bad203 19542->19543 19543->19518 19558 bb402e 19544->19558 19547 bb43c7 19548 bad23f __dosmaperr RtlAllocateHeap 19547->19548 19550 bb437d 19548->19550 19549 bb43d7 19551 bae13d __fread_nolock 2 API calls 19549->19551 19552 bb4391 __fread_nolock 19549->19552 19550->19518 19551->19552 19552->19550 19553 bad1e5 __dosmaperr RtlAllocateHeap 19552->19553 19553->19550 19555 bb41b5 19554->19555 19556 bb4246 19555->19556 19557 bae13d __fread_nolock 2 API calls 19555->19557 19556->19518 19557->19556 19559 bb4062 19558->19559 19560 bb40ce 19559->19560 19561 bae13d __fread_nolock 2 API calls 19559->19561 19560->19547 19560->19549 19560->19550 19560->19552 19561->19560 19563 ba8acf __fread_nolock 19562->19563 19564 ba8ad9 19563->19564 19566 ba8afc __fread_nolock 19563->19566 19565 ba4723 __fread_nolock RtlAllocateHeap 19564->19565 19567 ba8af4 19565->19567 19566->19567 19569 ba8b5a 19566->19569 19567->18971 19570 ba8b8a 19569->19570 19571 ba8b67 19569->19571 19573 ba55d3 4 API calls 19570->19573 19574 ba8b82 19570->19574 
19572 ba4723 __fread_nolock RtlAllocateHeap 19571->19572 19572->19574 19575 ba8ba2 19573->19575 19574->19567 19583 bb6ded 19575->19583 19578 bb5f82 __fread_nolock RtlAllocateHeap 19579 ba8bb6 19578->19579 19587 bb4a3f 19579->19587 19582 bb6db3 ___std_exception_destroy RtlAllocateHeap 19582->19574 19584 ba8baa 19583->19584 19585 bb6e04 19583->19585 19584->19578 19585->19584 19586 bb6db3 ___std_exception_destroy RtlAllocateHeap 19585->19586 19586->19584 19588 bb4a68 19587->19588 19589 ba8bbd 19587->19589 19590 bb4ab7 19588->19590 19592 bb4a8f 19588->19592 19589->19574 19589->19582 19591 ba4723 __fread_nolock RtlAllocateHeap 19590->19591 19591->19589 19594 bb49ae 19592->19594 19595 bb49ba __fread_nolock 19594->19595 19597 bb49f9 19595->19597 19598 bb4b12 19595->19598 19597->19589 19599 bba6de __fread_nolock RtlAllocateHeap 19598->19599 19602 bb4b22 19599->19602 19600 bb4b28 19610 bba64d 19600->19610 19601 bb4b5a 19601->19600 19605 bba6de __fread_nolock RtlAllocateHeap 19601->19605 19602->19600 19602->19601 19604 bba6de __fread_nolock RtlAllocateHeap 19602->19604 19606 bb4b51 19604->19606 19607 bb4b66 FindCloseChangeNotification 19605->19607 19608 bba6de __fread_nolock RtlAllocateHeap 19606->19608 19607->19600 19608->19601 19609 bb4b80 __fread_nolock 19609->19597 19611 bba65c 19610->19611 19612 bad23f __dosmaperr RtlAllocateHeap 19611->19612 19614 bba686 19611->19614 19613 bba6c8 19612->19613 19615 bad22c __dosmaperr RtlAllocateHeap 19613->19615 19614->19609 19615->19614

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00B23A40 through 0x00B23BFD. Two blocks read the PEB (0x00B23A73 and 0x00B23B28), two blocks call Sleep (0x00B23AE8 and 0x00B23B9D, both branching back toward the PEB-reading blocks) and two blocks call the routine at 0x00AC6BD0 (0x00B23BC7, 0x00B23BE0). Together with the Sleep arguments below (0x3E9 = 1001 ms, then 1 ms) this is a delay-and-recheck loop around PEB reads, the shape of a sandbox/debugger evasion chain rather than of program logic.
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00B23DB6), ref: 00B23B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00B23DB6), ref: 00B23BBA
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: 7e8f37ef7322ff1474acd68afaa316ee02e701272c2008aa4b3bd4c0cb3e1b1f
                                  • Instruction ID: b8e10b82d0dcbe38d74f3e00e66f4471a4a3ea86f263431015c1e22b68e126ca
                                  • Opcode Fuzzy Hash: 7e8f37ef7322ff1474acd68afaa316ee02e701272c2008aa4b3bd4c0cb3e1b1f
                                  • Instruction Fuzzy Hash: E651A935A042298FCB24CF58D8D4EADB7F1EF49B04B2945AAD449AF211D735EE06CB80

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00ADE0A0 through 0x00ADE1D9. WSAStartup at entry, two calls to the routine at 0x00AC6BD0, then a loop of socket (0x00ADE175), connect (0x00ADE18B) and closesocket (0x00ADE19D) in which the closesocket block branches back to the socket block: each failed connect is closed and a new socket opened from within the same function. The edge data alone does not say whether the destination port changes per iteration (a port sweep) or stays fixed (a retry loop); the network trace for the process decides that.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: the same eleven dump regions (00AC0000, 00BF3000, 00BF8000, 00BFC000, 00D81000, 00E71000, 00EA6000, 00EB2000, 00EC0000, 00EC1000, 0106A000) listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: ea351c3d571c8d037864970aa3527e47a49f91ba3061ab11db6bb6d8752128a1
                                  • Instruction ID: f2e6f66df55bae9c2cc492a5e7d0fab8d1d430ca488fcd9180b054d4d079cdea
                                  • Opcode Fuzzy Hash: ea351c3d571c8d037864970aa3527e47a49f91ba3061ab11db6bb6d8752128a1
                                  • Instruction Fuzzy Hash: F431B2716043016BD720EF258D89B2FB7E4EB85324F015F1EF9A99B2E0D37198148B92
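The socket/connect/closesocket loop in the function above is the shape a port sweep takes in an API trace, and the way to confirm or refute it is to look at the connection log for the process rather than at the graph. The following is an added example, not code from the Joe Sandbox report or from the sample: a detector over connection records that flags any process touching many distinct ports of one remote address inside a sliding time window. The log line format, the addresses (RFC 5737 TEST-NET ranges) and the PIDs are all constructed for illustration.

```python
"""Flag one process hitting many distinct ports of a single remote host.

Added example, not part of the Joe Sandbox report. The log format below
("<seconds> pid=<n> connect <ip>:<port> <ok|refused>") is constructed for
illustration, as are the addresses (TEST-NET ranges) and PIDs.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    ts: float        # seconds since trace start
    pid: int
    dst_ip: str
    dst_port: int
    outcome: str     # "ok" or "refused"


def parse_line(line: str) -> Conn:
    """Parse one constructed-format log line into a Conn record."""
    ts, pid, _verb, dst, outcome = line.split()
    ip, port = dst.rsplit(":", 1)
    return Conn(float(ts), int(pid.split("=", 1)[1]), ip, int(port), outcome)


def port_fanout(conns, window_s=60.0, min_ports=5):
    """Return {(pid, dst_ip): sorted distinct ports} for every (pid, dst_ip)
    that connected to at least `min_ports` distinct ports inside some
    `window_s`-second sliding window. Repeats of the same port do not count,
    so a client reconnecting to one service is not flagged."""
    by_key = defaultdict(list)
    for c in conns:
        by_key[(c.pid, c.dst_ip)].append(c)

    hits = {}
    for key, events in by_key.items():
        events.sort(key=lambda c: c.ts)
        lo = 0
        for hi, ev in enumerate(events):
            # advance the window start until the window spans at most window_s
            while ev.ts - events[lo].ts > window_s:
                lo += 1
            distinct = {e.dst_port for e in events[lo:hi + 1]}
            if len(distinct) >= min_ports:
                # report every distinct port this pair ever touched
                hits[key] = sorted({e.dst_port for e in events})
                break
    return hits


def scan_log(text: str, **kwargs):
    """Parse a whole log and run the fan-out check over it."""
    conns = [parse_line(l) for l in text.splitlines() if l.strip()]
    return port_fanout(conns, **kwargs)


# Constructed sample: pid 4120 sweeps six consecutive ports of one host in
# about 3 s (five refused, one accepted, then a reconnect to the accepted
# port); pid 1234 makes two ordinary connections 89.5 s apart.
SAMPLE_LOG = """\
0.0  pid=4120 connect 203.0.113.10:50500 refused
0.4  pid=4120 connect 203.0.113.10:50501 refused
0.9  pid=4120 connect 203.0.113.10:50502 refused
1.3  pid=4120 connect 203.0.113.10:50503 refused
1.8  pid=4120 connect 203.0.113.10:50504 refused
2.2  pid=4120 connect 203.0.113.10:50505 ok
3.0  pid=4120 connect 203.0.113.10:50505 ok
0.5  pid=1234 connect 198.51.100.7:443 ok
90.0 pid=1234 connect 198.51.100.7:80 ok
"""

if __name__ == "__main__":
    for (pid, ip), ports in scan_log(SAMPLE_LOG).items():
        print(f"pid {pid} -> {ip}: {len(ports)} distinct ports {ports}")
```

Counting distinct ports rather than connection attempts is what separates a sweep from the equally noisy retry loop: a process that reconnects to the same C2 port fifty times never trips the check, while six consecutive ports in three seconds do. On a real host the records would come from Sysmon Event ID 3 or the sandbox's own network log rather than this constructed format, and the `min_ports` and `window_s` thresholds should be tuned against baseline traffic before alerting on them.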

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00BB4623 through 0x00BB49AD. ReadFile at 0x00BB48E3; error paths run through 0x00BAD22C/0x00BAD23F (__dosmaperr, Win32-error to errno mapping) and 0x00BAD1E5; other callees are 0x00BB6E2D, 0x00BB6DB3, 0x00BC0D44, 0x00BAE13D, 0x00BB4335, 0x00BB417B and 0x00BB448C. The shape (ReadFile plus errno mapping plus several text-mode translation branches) is that of the CRT read path, not of sample-specific logic.
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: the same eleven dump regions (00AC0000, 00BF3000, 00BF8000, 00BFC000, 00D81000, 00E71000, 00EA6000, 00EB2000, 00EC0000, 00EC1000, 0106A000) listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2262e6f9c7f9ea63c333b4ff0014feb31fa748b8d72f497405e45016238625e2
                                  • Instruction ID: a2809ecebf8ae45f8d6b64abde92da3ac60c735a3f6cac99e0e76b93d7025444
                                  • Opcode Fuzzy Hash: 2262e6f9c7f9ea63c333b4ff0014feb31fa748b8d72f497405e45016238625e2
                                  • Instruction Fuzzy Hash: 3BB1BE70A04245AFDB119FA9D881BFEBBF5FF46304F1441D8E991AB292CBB09D41CB61

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00ACA210 through 0x00ACA474. No direct Win32 calls; callees are 0x00B9F290 (std::_Facet_Register), 0x00AC2AE0, 0x00BA5362, 0x00BA9136, 0x00BA4EEB, 0x00B2CF60, 0x00BADBDF, 0x00BA8BE8, 0x00B9F511 and 0x00BA47B0, and the only API ID recorded below is __fread_nolock, so this is stream-reading code layered on the CRT file I/O.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: the same eleven dump regions (00AC0000, 00BF3000, 00BF8000, 00BFC000, 00D81000, 00E71000, 00EA6000, 00EB2000, 00EC0000, 00EC1000, 0106A000) listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 491c5bff25c4fd66c5438e5458d5fe28bb42ae04bae2dc8f9790c077d9ccadd6
                                  • Instruction ID: 2af49b2fcfe37154c475c81d9fb146a7bd5a6ef492f41c73f9cf153fef17b809
                                  • Opcode Fuzzy Hash: 491c5bff25c4fd66c5438e5458d5fe28bb42ae04bae2dc8f9790c077d9ccadd6
                                  • Instruction Fuzzy Hash: AB714970900248ABDF18DF68CC49FAEBBE8EF42704F1085ADF8059B782D7B59941C791

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00BB549C through 0x00BB56B7. WriteFile at 0x00BB5609 (API reference below); callees are 0x00BA4723, 0x00BB4FE1, 0x00BAE17D, 0x00BB4BB2, 0x00BB4F79, 0x00BB505E, 0x00BB5222, 0x00BB5139 and 0x00BAD208. The shape matches the CRT write path with its text-mode translation branches, the counterpart of the ReadFile routine at 0x00BB4623 above.
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00BA9087,?,00000000,00000000,00000000,?,00000000,?,00ACA3EB,00BA9087,00000000,00ACA3EB,?,?), ref: 00BB5621
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: the same eleven dump regions (00AC0000, 00BF3000, 00BF8000, 00BFC000, 00D81000, 00E71000, 00EA6000, 00EB2000, 00EC0000, 00EC1000, 0106A000) listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: b3f7848445e4d9e4a7948e17f0a2d7d98be47050824453030acdc83325684106
                                  • Instruction ID: cc105b2dd402bf5be2e2caf916676e31dd5205403435688d90398d4d4547985e
                                  • Opcode Fuzzy Hash: b3f7848445e4d9e4a7948e17f0a2d7d98be47050824453030acdc83325684106
                                  • Instruction Fuzzy Hash: ED61A071904519AFDF219FA8C884FFEBBFAEF19304F140185E805A7215D7B1D941CBA2

                                  Control-flow Graph
                                  • Rendered as a Graphviz image in the original; the raw edge data is omitted here. Basic blocks 0x00BA4942 through 0x00BA4AE2. No direct Win32 calls; callees are 0x00BB5F82, 0x00BA4723, 0x00BAE11F, 0x00BA4CAE, 0x00BA4E59, 0x00BA4AE3 and 0x00BC4A10.
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: the same eleven dump regions (00AC0000, 00BF3000, 00BF8000, 00BFC000, 00D81000, 00E71000, 00EA6000, 00EB2000, 00EC0000, 00EC1000, 0106A000) listed above
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: acc89347469fc5a875324cb00f4bf7697ee50aa0afe06201ec885c46d77ea7c0
                                  • Instruction ID: c18e70237fb1df0c665182a74bc3c1e1dcac99ba557a6aaa654356e0ea53842e
                                  • Opcode Fuzzy Hash: acc89347469fc5a875324cb00f4bf7697ee50aa0afe06201ec885c46d77ea7c0
                                  • Instruction Fuzzy Hash: 1651A770A04108AFDB14CF58C885AAEBFF5EF8A354F248199F8499B252D3B1DE51CB94

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 6110236343f483a4cac5439f032dfe86e70fd6a65b15f8ee02af50dbe643a1dd
                                  • Instruction ID: 92585638a1d3e98580d777c9a1bbf4278a2dba0e946cc9b8e970ee5822b0d7b3
                                  • Opcode Fuzzy Hash: 6110236343f483a4cac5439f032dfe86e70fd6a65b15f8ee02af50dbe643a1dd
                                  • Instruction Fuzzy Hash: D631E1F724C124BCF14281857B50BF766BEE7D2770770E52AB15792582F6902EC82572

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: f760d1a5df6af00205d433dd51e7c782a39e2962356e07c5fc9f7f9f2e3f71ce
                                  • Instruction ID: 6f4c8be37910e5b42576a374e5650742923ea55aa4170d8adb7432c8dac3caa1
                                  • Opcode Fuzzy Hash: f760d1a5df6af00205d433dd51e7c782a39e2962356e07c5fc9f7f9f2e3f71ce
                                  • Instruction Fuzzy Hash: 0C31EFF724C225BCF14282857B50BF7A6BEE7D2770730E52AB09381182F6902EC86572

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 4ff13e9081d9e885d6fda6d12247fb9ccf3f059d4e9f4248f8649dfe8c490817
                                  • Instruction ID: 4ec83e34b3d533832cfc248d2926dac6f055146d1f3d9e819fcdc733188a8546
                                  • Opcode Fuzzy Hash: 4ff13e9081d9e885d6fda6d12247fb9ccf3f059d4e9f4248f8649dfe8c490817
                                  • Instruction Fuzzy Hash: 1931DFFB24C225BCF14281857B50BF76ABEE7D3770B30E52AB15791582F6902EC86132

                                  Control-flow Graph
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B306AE
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: 6654e9d136040b5eab32869f4265f139173806e9cb1ef6a4250f309ba01b183c
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 6E410572A041189FCB05EF68D9916AE7BE5EF89310F2501E9F805EB306DB30DD608BE1

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 0866c50e18fb08f989207f2de8344b3ea71708578e6ec5f2af8b1dfb4ac41e0a
                                  • Instruction ID: 8d119a35eb19e195297fc71b83ebb3799f3bff59241e6fb17968143a5b107fae
                                  • Opcode Fuzzy Hash: 0866c50e18fb08f989207f2de8344b3ea71708578e6ec5f2af8b1dfb4ac41e0a
                                  • Instruction Fuzzy Hash: EC2126F724C125ADF24282957B50BF76BBDEBD2730730E527A193921C2F6D02AC86172

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 389ed5da9f217f74a1885c71d7bb550ceca6c95c4dbbc25810e8ff6c66ce898b
                                  • Instruction ID: df0cdcf0f76508b43a6fe48568e2508638273afb8825b13406f1bc95b54abdc2
                                  • Opcode Fuzzy Hash: 389ed5da9f217f74a1885c71d7bb550ceca6c95c4dbbc25810e8ff6c66ce898b
                                  • Instruction Fuzzy Hash: 1F2143B724C124ADF24292497B50BF6ABBDF7C3730730E426E0A786182FA902BC42561

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2589e61b0a0826e0dc950f9fcce6701fd86bb665ecc24e41c99a40e84187add9
                                  • Instruction ID: f2e93716acb8cfb32b84eca4a8309390542317d27f6510511ae69709ac43c414
                                  • Opcode Fuzzy Hash: 2589e61b0a0826e0dc950f9fcce6701fd86bb665ecc24e41c99a40e84187add9
                                  • Instruction Fuzzy Hash: 4A1166BB38C121BCF24291857B54BF76BBDE7C3B30730E926A09381582F6906AC42161

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 72f65172c7c1ab1f9c6ed2d2c060094bea38ed7a60590c14a71ec3f3851aa226
                                  • Instruction ID: 131a36c04930f846dad583d2dd6426ccbbf639a2128e937dfdeb883ac27cfd8c
                                  • Opcode Fuzzy Hash: 72f65172c7c1ab1f9c6ed2d2c060094bea38ed7a60590c14a71ec3f3851aa226
                                  • Instruction Fuzzy Hash: 151166BB38C121ACF24291457A40BF66BBDE7C3730330E927E0A781182F6902AC42561

                                  Control-flow Graph
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 534382049625dfeab4189cd0b333dd1da4212f5afdd2689c2d3d6700fed0819b
                                  • Instruction ID: 0a81f44ccd3539ad4b9c823ebfc566c8f66b55b548425a288bc7d1899ff4b7b0
                                  • Opcode Fuzzy Hash: 534382049625dfeab4189cd0b333dd1da4212f5afdd2689c2d3d6700fed0819b
                                  • Instruction Fuzzy Hash: E321ADB374D224ADE71286547A90BF67BF8EB83730730E577D0D3561C2F6502AC59262
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(00000003), ref: 04E00A05
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315067438.0000000004E00000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E00000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e00000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 9055a3f240717d28bcc06a0170b07516fbd986518f6ba5766aa409f46de8c34e
                                  • Instruction ID: 7daa1f8bf6d234c83489545631c4b4d0b68ebbecffe198ea3e8685388009e09a
                                  • Opcode Fuzzy Hash: 9055a3f240717d28bcc06a0170b07516fbd986518f6ba5766aa409f46de8c34e
                                  • Instruction Fuzzy Hash: C9115CB734C225ACE14155457A50BF76BFDE793730770F526A0E3951C2FA903AC06561
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00BB49F9,00000000,CF830579,00BF1140,0000000C,00BB4AB5,00BA8BBD,?), ref: 00BB4B68
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 129f40e953f03c94d3509c939a35b55a7af99e4c4c1863386a8b0ea4f8ea8b14
                                  • Instruction ID: 649340c334db28511bb5b58db9cfdbe9c4d309f5ece93363266fc891adabbee7
                                  • Opcode Fuzzy Hash: 129f40e953f03c94d3509c939a35b55a7af99e4c4c1863386a8b0ea4f8ea8b14
                                  • Instruction Fuzzy Hash: 7B116B33A4412417D73526746841BFE7BC9DB827B4F2902C9FA158B0D3EFE0DC419155
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00BF0DF8,00ACA3EB,00000002,00ACA3EB,00000000,?,?,?,00BAE166,00000000,?,00ACA3EB,00000002,00BF0DF8), ref: 00BAE098
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: b277a1abf79e1dedb1d8d980294e35c0644f3d856d5a2b1161cada07466bd057
                                  • Instruction ID: 187a37f1f68b113ba117fa90c046308b37dbaa23cab00e23edeed27ca9c0e6b2
                                  • Opcode Fuzzy Hash: b277a1abf79e1dedb1d8d980294e35c0644f3d856d5a2b1161cada07466bd057
                                  • Instruction Fuzzy Hash: F6014E32614114AFCF159F54CC46C9E3B99DB82334F240188FC519B1D0E6B1ED41DBD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC220E
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: b859dd82a4120a5fa9326d0f09865fb01e21d37ef7c9801e0945d7cd010f2441
                                  • Instruction ID: 31db5da4e7167cf896e25b0c62d1466188283e0b1377cbf0636a470b80f114ec
                                  • Opcode Fuzzy Hash: b859dd82a4120a5fa9326d0f09865fb01e21d37ef7c9801e0945d7cd010f2441
                                  • Instruction Fuzzy Hash: 23012B7650430EABCF14AFACD801AAA77ECDA01320F5444B9FA19DB691EB70E9548790
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00BA91F7,00000000,?,00BB5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00BAD244,00BA89C3,00BA91F7,00000000), ref: 00BB6435
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 191de1944743328cd3f2d23b95d3bff07c32ffeb8608f1e9e38b3d0c8ede4dcd
                                  • Instruction ID: 4b66ecf0727c0744beef30b31ee63505b4b19ee02ac6fc45d4427817fd181679
                                  • Opcode Fuzzy Hash: 191de1944743328cd3f2d23b95d3bff07c32ffeb8608f1e9e38b3d0c8ede4dcd
                                  • Instruction Fuzzy Hash: 04F0E931505E24679B216B669C16BFB3BC8DF81764F2580D2EC0497280CEF4DC1086F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00BBD635,4D88C033,?,00BBD635,00000220,?,00BB57EF,4D88C033), ref: 00BB6E60
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: 70738a5c0981e7d8a39397df4415cf2681f110c7a68f1cd81e3b4c43e52d4ef2
                                  • Instruction ID: 33359292537173386a24d6f70caee569159cc8d72045dd71dec6d2ec3723a2bf
                                  • Opcode Fuzzy Hash: 70738a5c0981e7d8a39397df4415cf2681f110c7a68f1cd81e3b4c43e52d4ef2
                                  • Instruction Fuzzy Hash: 0FE0ED391416216BDA3122AACD10BFB77C8DF927A0F1505E1EC0593090CFE8CC0087A4
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ad10b2369af0c0044a194b176dd5419ef266f8ce6be2bda1a020df9ba1fef615
                                  • Instruction ID: 68a5805eebc927bf56808d0bd782666b866a6b3e50a71a4d8bac76db2e37ba94
                                  • Opcode Fuzzy Hash: ad10b2369af0c0044a194b176dd5419ef266f8ce6be2bda1a020df9ba1fef615
                                  • Instruction Fuzzy Hash: 942190F72CC610EFC2421B5546442F13B1AFB57330730651AE1438BE23F6EA22C4E251
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a7a35ad923ee7976f778f0b03e694f3b8d295506c3614267f39406ab5126772f
                                  • Instruction ID: e6d5e414d38cafc0f37012baea49da77e29c29c91ad8c30b3fdbb2f44aeaff9a
                                  • Opcode Fuzzy Hash: a7a35ad923ee7976f778f0b03e694f3b8d295506c3614267f39406ab5126772f
                                  • Instruction Fuzzy Hash: E6119EB32CC710DAC1031A6546953F27F56AB27334B302117D1038BEA3F6EA32C4E642
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 49cdfe8f01866cfd63ac3e429cf8063f82cec484e948c79671f2061da49fe446
                                  • Instruction ID: 04316ecea6b4ad7c3bdade7fa5a3c9a2cc6c9b65c55d0365db2eb42ec383d923
                                  • Opcode Fuzzy Hash: 49cdfe8f01866cfd63ac3e429cf8063f82cec484e948c79671f2061da49fe446
                                  • Instruction Fuzzy Hash: D5115CB378D290DED342056454860F07F54BB2763532854DED9829BD63F26521C9E353
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec2a5289a9352bf58ade794cdd24e9fc20d199a1138060aa4521ef3afc88c3e4
                                  • Instruction ID: 20eedcec60548cfdb5c188155193de8d247b6e1e1b5f23f2555c43c66d696290
                                  • Opcode Fuzzy Hash: ec2a5289a9352bf58ade794cdd24e9fc20d199a1138060aa4521ef3afc88c3e4
                                  • Instruction Fuzzy Hash: 94F0A4B73C8220EEC082159642916F2295E77673307307106B94796E63B69E2AD4F156
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: aef011f1a666b264dff270d5fb0635265589cf0eea5d040d8beb28812373b88d
                                  • Instruction ID: 1825f8e522d2c02a9b6b56146904d832633670f41525d75569b301a2764bda38
                                  • Opcode Fuzzy Hash: aef011f1a666b264dff270d5fb0635265589cf0eea5d040d8beb28812373b88d
                                  • Instruction Fuzzy Hash: DEF0E0B77CC310DEC08214A542D42F27A5F67673307307146A54396FA375DA36D4F556
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 8d6f61f4767c2a249728aebc4e65e89074842d8d95b8f36da42feb85c4133787
                                  • Instruction ID: 68a5b61039f01c3f99fc014de18ed99642a70380b5d37051c5600b459103f9c0
                                  • Opcode Fuzzy Hash: 8d6f61f4767c2a249728aebc4e65e89074842d8d95b8f36da42feb85c4133787
                                  • Instruction Fuzzy Hash: 9BE068E78CD2119F92064A8145812F5BF8EB7B3224330601FF0C393E53C5AA0284E362
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a3a654cbcdb250ac1b8dc4aca6442abe2c2ca5497f33dae294002eb60a5e89c6
                                  • Instruction ID: d7821627f10b43c36d3ee567fc76c1be331318f07eb961853774795051ceab91
                                  • Opcode Fuzzy Hash: a3a654cbcdb250ac1b8dc4aca6442abe2c2ca5497f33dae294002eb60a5e89c6
                                  • Instruction Fuzzy Hash: 27E0E5B668C3219EC181A5A201C81F23586BB37134360625E255346EE3B5AA32C4E546
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4723eb72d54c0fe132aba835d5ce662ed3ea8e08c3db51e1fceb65b2a78b68d0
                                  • Instruction ID: 6dc556070eafb9b4c9adf274b5464286aa74c2436c22b55aa01a0b12713cc68d
                                  • Opcode Fuzzy Hash: 4723eb72d54c0fe132aba835d5ce662ed3ea8e08c3db51e1fceb65b2a78b68d0
                                  • Instruction Fuzzy Hash: 14D02BB358C210D5804215A202852F1364A6777230330A20B250342FB335AA23C4F157
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3315120693.0000000004E10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_4e10000_MPGPH131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 399997e5bb31944305a77b2ceab65f17307023c5d8c910fa8e19078acc4cc669
                                  • Instruction ID: 1b1da12fadefa277f4f99196c2bd2eeff6fc688c479c403ff7db4e4c294b0d14
                                  • Opcode Fuzzy Hash: 399997e5bb31944305a77b2ceab65f17307023c5d8c910fa8e19078acc4cc669
                                  • Instruction Fuzzy Hash: DAD0A7B759C711D5C0465A9102842F2764DA773231330B657395392EB3B5DB22C8F557
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: 85fb7a385549add2261a335dbe85095800b94224ab5cabc2f4b36f67bf465112
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: BC022B71E052199BDF14CFA9C9806AEBBF1FF49314F2482A9D919E7780DB31AD418B90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B2F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00B2F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2FA08
                                  • std::_Facet_Register.LIBCPMT ref: 00B2FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: 27fc1ea46a1138264f80f2fba7d44894dcb94915ffdf6505b84a48f03be709bc
                                  • Instruction ID: 4cfbeec4d1450ac204fe8f61323992ea968922fe3836065a1ce99eccef71ded6
                                  • Opcode Fuzzy Hash: 27fc1ea46a1138264f80f2fba7d44894dcb94915ffdf6505b84a48f03be709bc
                                  • Instruction Fuzzy Hash: 176168B1D00259DBEF10DFA5E845BAEBBF4AF14750F1441B8E819AB341EB34E905CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2DED6
                                  • std::_Facet_Register.LIBCPMT ref: 00B2DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B2DF7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID: HT}
                                  • API String ID: 2081738530-1907069115
                                  • Opcode ID: 5f80820928cbcb0542637db3f1c9cde7fe022feb55b4c730a96c04bb0b7027fc
                                  • Instruction ID: 8fd36bc807609bc677973bf11204981e3ed0825472d475b7b62f01ca31e5d29f
                                  • Opcode Fuzzy Hash: 5f80820928cbcb0542637db3f1c9cde7fe022feb55b4c730a96c04bb0b7027fc
                                  • Instruction Fuzzy Hash: 0541E2719002299FCF14DF58E985AAEBBF4FB14720F2442A9E8196B352DB31AD01CBD5
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00AC3A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AC3AA4
                                  • __Getctype.LIBCPMT ref: 00AC3ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AC3AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00AC3B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: f222bffe6cc8bb618aa29c7b635bc48fd543be8222f4f0e8a105be71c4b7f434
                                  • Instruction ID: f9e5782c862bcdbf26a80af3162d4fa32c92a4611b1a6a77564cd264c69b3dc4
                                  • Opcode Fuzzy Hash: f222bffe6cc8bb618aa29c7b635bc48fd543be8222f4f0e8a105be71c4b7f434
                                  • Instruction Fuzzy Hash: 4E5130B2D012489BDF14DFA5D985F9EBBF8AF14310F1480A9E809AB341E775DE04CBA1
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00BA2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00BA2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 8b0a68fb37b8baebe0f52324572a0dab609c93fba674c4c7baef137ba043c79b
                                  • Instruction ID: 0032578aad216d509f3a6039e8b86530cdfeecb1d2a05d415d2faafc4479176d
                                  • Opcode Fuzzy Hash: 8b0a68fb37b8baebe0f52324572a0dab609c93fba674c4c7baef137ba043c79b
                                  • Instruction Fuzzy Hash: 15418F34A08209AFCF10DF6CC885A9EBBF5EF46314F1480A6E9149B752D732DE55CB91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC4F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC4FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC50C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 00AC504C
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 06d683135217b3344a21e517b03c3dc3e840dfab4d10ead830902ccdb3f44286
                                  • Instruction ID: 9b3039e7a2e3af20509614b8547becf26240ed36361e3a1678be40fb7994a856
                                  • Opcode Fuzzy Hash: 06d683135217b3344a21e517b03c3dc3e840dfab4d10ead830902ccdb3f44286
                                  • Instruction Fuzzy Hash: 32E111719002049FCB28DF68D855FAEBBF9FF48700F108A6DE45693781EB74A904CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC7B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 1a2114e8b9b3736c364a3e400db2fcb3f4236e2e221efafcf4100f5af4914074
                                  • Instruction ID: 868ec8f48a8d822f2879e11f6785519944aa2dbb59df82fabee5a92982ae1761
                                  • Opcode Fuzzy Hash: 1a2114e8b9b3736c364a3e400db2fcb3f4236e2e221efafcf4100f5af4914074
                                  • Instruction Fuzzy Hash: AFC157B19042488FDB58CFA8D984BADBBF5FB48310F14866DE419EB791E774A9808F50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC75BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC75CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 5b2fd3fd5aeaf37cdea0c19e163b6c93dd1afd29d140096dc08917175e95084e
                                  • Instruction ID: 7552dc4c190d2e6e3f5277bd6b53dd518d3c5f6cd3f8d0d07af43a1de15d7c98
                                  • Opcode Fuzzy Hash: 5b2fd3fd5aeaf37cdea0c19e163b6c93dd1afd29d140096dc08917175e95084e
                                  • Instruction Fuzzy Hash: A561D071A042099FDB08DF68DD84BADBBF6FF49310F24866CE415A7B81D774AA408B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 64760899284bdc203de92c878f8312882bc4cd5316fd6182ce6ef5f97b07c997
                                  • Instruction ID: be76d91f285865abd0e8caba9114032320570ca9839f811d1adec0f6e370f693
                                  • Opcode Fuzzy Hash: 64760899284bdc203de92c878f8312882bc4cd5316fd6182ce6ef5f97b07c997
                                  • Instruction Fuzzy Hash: 8141A2B2900209AFCB14DF68C845FAEB7F9EB49310F14C56EF915D7641E770AA058BA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: bd54f41b935f528c61754060c0528d737e060ea44de3b68a8a2ca6c75aa1808f
                                  • Instruction ID: 4052d86fbc2483f60695960b666e890c5b9235b1ab82e33ed48b401c2b000177
                                  • Opcode Fuzzy Hash: bd54f41b935f528c61754060c0528d737e060ea44de3b68a8a2ca6c75aa1808f
                                  • Instruction Fuzzy Hash: AF21D5B39043056FCB14DF58D805F96B7ECAB05310F18C8AEFA698B641E774EA148B95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC7340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: d1576440caa8bf982ce85922cf1aafd28daf7567ec881baa5e8f51bfed4d1b1e
                                  • Instruction ID: 98165fa6fdffd12f03b0085b610bc1e49b6807c8020d74e7c807f955d15bf237
                                  • Opcode Fuzzy Hash: d1576440caa8bf982ce85922cf1aafd28daf7567ec881baa5e8f51bfed4d1b1e
                                  • Instruction Fuzzy Hash: 90E150719042488FDB18CF68C895BADBBF1BF49300F2582ADE419EB792D7749A81CF51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC6F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC6F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 188976cc905c12027eb910c332698a03c9ae67cea862253f61415ea200413fd6
                                  • Instruction ID: 9d8d296db0fd236ba86c21df8e0317791b4f559ab2f08deb56668f41edbd6a9c
                                  • Opcode Fuzzy Hash: 188976cc905c12027eb910c332698a03c9ae67cea862253f61415ea200413fd6
                                  • Instruction Fuzzy Hash: 3E91D370A002089FDB18CF68D985BAEBBF6EF49300F20856DE415EB792D775E941CB51
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B3E491
                                  Strings
                                  • type must be string, but is , xrefs: 00B3E4F8
                                  • type must be boolean, but is , xrefs: 00B3E582
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3306984601.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000006.00000002.3306924399.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3306984601.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307574257.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3307631002.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308404955.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000006.00000002.3308895930.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 1109152b339f7ba311d3b3f7e0792c7070ed3f9327311d212eae57a9ff48b696
                                  • Instruction ID: f633a4be1f317d805fed688ebf9235a045cb569f613c424180b95ccfa796bf4c
                                  • Opcode Fuzzy Hash: 1109152b339f7ba311d3b3f7e0792c7070ed3f9327311d212eae57a9ff48b696
                                  • Instruction Fuzzy Hash: D64168B1900248AFDB14EBA4E902BAE77E8DB14310F1446F9F429D77C2EB35E944C796

                                  Execution Graph

                                  Execution Coverage:3.1%
                                  Dynamic/Decrypted Code Coverage:1.5%
                                  Signature Coverage:0%
                                  Total number of Nodes:537
                                  Total number of Limit Nodes:64
                                  execution_graph (the rendered graph's node/edge dump is not reproduced here; it is also cut off at the end of the source. What it records is summarized below.)
                                  • Graph roots (function start addresses): 5570313, 5570383, ade0a0, b23a40, bad168, aca210
                                  • Windows API nodes reached from those roots: GetCurrentHwProfileW (from 5570313 and 5570383, via 557038b); WSAStartup, socket, connect, closesocket (function ade0a0; the closesocket node at ade19d has an edge back to the socket node at ade175, i.e. the function opens, connects and closes sockets in a loop); GetPEB and Sleep (two nodes of each inside function b23a40); RtlAllocateHeap (throughout the CRT allocation paths); WriteFile (bb5609); SetFilePointerEx (bae08a)
                                  • CRT / STL internal nodes: __fread_nolock, __dosmaperr, __Getctype, _ValidateLocalCookies, std::locale::_Init, std::locale::_Setgloballocale, std::_Facet_Register, std::_Lockit::_Lockit, std::_Locinfo::_Locinfo_ctor, Concurrency::cancel_current_task, ___std_exception_copy, ___std_exception_destroy
19222->19223 19226 bb463a 19223->19226 19225 bad22c __dosmaperr RtlAllocateHeap 19224->19225 19228 bb4994 19225->19228 19229 bad23f __dosmaperr RtlAllocateHeap 19226->19229 19230 bb469b 19227->19230 19232 bb4642 19227->19232 19238 bb46cb 19227->19238 19231 bad23f __dosmaperr RtlAllocateHeap 19228->19231 19229->19232 19233 bad22c __dosmaperr RtlAllocateHeap 19230->19233 19234 bb46a8 19231->19234 19232->19215 19235 bb46a0 19233->19235 19237 ba47a0 __fread_nolock RtlAllocateHeap 19234->19237 19236 bad23f __dosmaperr RtlAllocateHeap 19235->19236 19236->19234 19237->19232 19239 bb46e4 19238->19239 19240 bb471f 19238->19240 19241 bb46f1 19238->19241 19239->19241 19265 bb470d 19239->19265 19243 bb6e2d std::_Locinfo::_Locinfo_ctor 2 API calls 19240->19243 19242 bad22c __dosmaperr RtlAllocateHeap 19241->19242 19244 bb46f6 19242->19244 19247 bb4730 19243->19247 19245 bad23f __dosmaperr RtlAllocateHeap 19244->19245 19248 bb46fd 19245->19248 19246 bc0d44 __fread_nolock RtlAllocateHeap 19252 bb486b 19246->19252 19249 bb6db3 ___std_exception_destroy RtlAllocateHeap 19247->19249 19250 ba47a0 __fread_nolock RtlAllocateHeap 19248->19250 19251 bb4739 19249->19251 19278 bb4708 __fread_nolock 19250->19278 19254 bb6db3 ___std_exception_destroy RtlAllocateHeap 19251->19254 19253 bb48e3 ReadFile 19252->19253 19266 bb489b 19252->19266 19255 bb48fb 19253->19255 19256 bb4957 19253->19256 19257 bb4740 19254->19257 19255->19256 19258 bb48d4 19255->19258 19267 bb4964 19256->19267 19276 bb48b5 19256->19276 19259 bb474a 19257->19259 19260 bb4765 19257->19260 19270 bb4920 19258->19270 19271 bb4937 19258->19271 19258->19278 19261 bad23f __dosmaperr RtlAllocateHeap 19259->19261 19263 bae13d __fread_nolock 2 API calls 19260->19263 19264 bb474f 19261->19264 19262 bb6db3 ___std_exception_destroy RtlAllocateHeap 19262->19232 19263->19265 19268 bad22c __dosmaperr RtlAllocateHeap 19264->19268 19265->19246 19266->19258 19266->19276 19269 bad23f __dosmaperr RtlAllocateHeap 19267->19269 19268->19278 19273 
bb4969 19269->19273 19298 bb4335 19270->19298 19271->19278 19308 bb417b 19271->19308 19277 bad22c __dosmaperr RtlAllocateHeap 19273->19277 19276->19278 19293 bad1e5 19276->19293 19277->19278 19278->19262 19280 ba8a3c 19279->19280 19284 ba8a38 std::locale::_Init 19279->19284 19281 ba8a43 19280->19281 19286 ba8a56 __fread_nolock 19280->19286 19282 bad23f __dosmaperr RtlAllocateHeap 19281->19282 19283 ba8a48 19282->19283 19285 ba47a0 __fread_nolock RtlAllocateHeap 19283->19285 19284->19215 19285->19284 19286->19284 19287 ba8a8d 19286->19287 19288 ba8a84 19286->19288 19287->19284 19290 bad23f __dosmaperr RtlAllocateHeap 19287->19290 19289 bad23f __dosmaperr RtlAllocateHeap 19288->19289 19291 ba8a89 19289->19291 19290->19291 19292 ba47a0 __fread_nolock RtlAllocateHeap 19291->19292 19292->19284 19294 bad22c __dosmaperr RtlAllocateHeap 19293->19294 19295 bad1f0 __dosmaperr 19294->19295 19296 bad23f __dosmaperr RtlAllocateHeap 19295->19296 19297 bad203 19296->19297 19297->19278 19312 bb402e 19298->19312 19301 bb43d7 19305 bb4391 __fread_nolock 19301->19305 19306 bae13d __fread_nolock 2 API calls 19301->19306 19302 bb43c7 19304 bad23f __dosmaperr RtlAllocateHeap 19302->19304 19303 bb437d 19303->19278 19304->19303 19305->19303 19307 bad1e5 __dosmaperr RtlAllocateHeap 19305->19307 19306->19305 19307->19303 19309 bb41b5 19308->19309 19310 bb4246 19309->19310 19311 bae13d __fread_nolock 2 API calls 19309->19311 19310->19278 19311->19310 19313 bb4062 19312->19313 19314 bb40ce 19313->19314 19315 bae13d __fread_nolock 2 API calls 19313->19315 19314->19301 19314->19302 19314->19303 19314->19305 19315->19314 19317 ba8acf __fread_nolock 19316->19317 19318 ba8ad9 19317->19318 19320 ba8afc __fread_nolock 19317->19320 19319 ba4723 __fread_nolock RtlAllocateHeap 19318->19319 19322 ba8af4 19319->19322 19320->19322 19323 ba8b5a 19320->19323 19322->19038 19324 ba8b8a 19323->19324 19325 ba8b67 19323->19325 19327 ba8b82 19324->19327 19328 ba55d3 4 API calls 19324->19328 19326 ba4723 
__fread_nolock RtlAllocateHeap 19325->19326 19326->19327 19327->19322 19329 ba8ba2 19328->19329 19337 bb6ded 19329->19337 19332 bb5f82 __fread_nolock RtlAllocateHeap 19333 ba8bb6 19332->19333 19341 bb4a3f 19333->19341 19336 bb6db3 ___std_exception_destroy RtlAllocateHeap 19336->19327 19338 bb6e04 19337->19338 19340 ba8baa 19337->19340 19339 bb6db3 ___std_exception_destroy RtlAllocateHeap 19338->19339 19338->19340 19339->19340 19340->19332 19342 bb4a68 19341->19342 19345 ba8bbd 19341->19345 19343 bb4ab7 19342->19343 19346 bb4a8f 19342->19346 19344 ba4723 __fread_nolock RtlAllocateHeap 19343->19344 19344->19345 19345->19327 19345->19336 19348 bb49ae 19346->19348 19349 bb49ba __fread_nolock 19348->19349 19351 bb49f9 19349->19351 19352 bb4b12 19349->19352 19351->19345 19353 bba6de __fread_nolock RtlAllocateHeap 19352->19353 19355 bb4b22 19353->19355 19357 bba6de __fread_nolock RtlAllocateHeap 19355->19357 19362 bb4b5a 19355->19362 19363 bb4b28 19355->19363 19356 bba6de __fread_nolock RtlAllocateHeap 19358 bb4b66 FindCloseChangeNotification 19356->19358 19359 bb4b51 19357->19359 19358->19363 19360 bba6de __fread_nolock RtlAllocateHeap 19359->19360 19360->19362 19361 bb4b80 __fread_nolock 19361->19351 19362->19356 19362->19363 19364 bba64d 19363->19364 19365 bba65c 19364->19365 19366 bad23f __dosmaperr RtlAllocateHeap 19365->19366 19369 bba686 19365->19369 19367 bba6c8 19366->19367 19368 bad22c __dosmaperr RtlAllocateHeap 19367->19368 19368->19369 19369->19361

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks b23a40-b23bfd: two PEB reads at b23a73 and b23b28, two Sleep calls at b23ae8 and b23b9d, the second of which loops back to b23a55, and two calls to ac6bd0 at b23bc7 and b23be0)
                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,00B23DB6), ref: 00B23B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,00B23DB6), ref: 00B23BBA
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: aef241a17ee97245d0f1123c6a95867acdd04326fbcc9dd2bd27b259776eb388
                                  • Instruction ID: a843aa4309982644a69a25c7a80f5f1bb068c8fb54b4ed55c4e080ecd21d8127
                                  • Opcode Fuzzy Hash: aef241a17ee97245d0f1123c6a95867acdd04326fbcc9dd2bd27b259776eb388
                                  • Instruction Fuzzy Hash: EC51AA35A042298FCB14CF58D4D4EADB7F1EF49B04B2945EAD449AF211D735EE06CB80

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks ade0a0-ade1d9: WSAStartup at ade0a0, two calls to ac6bd0 at ade0d8, then a loop of socket (ade175), connect (ade18b) and closesocket (ade19d) that returns to the socket block)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: 922273a58053b07d95fac71f11eb4c4c160724667c6182dfe0d3870a99245821
                                  • Instruction ID: 840066c4a30562c6850c60a9cc864742e4ce87d882d83aa376e0e9ad759c22e1
                                  • Opcode Fuzzy Hash: 922273a58053b07d95fac71f11eb4c4c160724667c6182dfe0d3870a99245821
                                  • Instruction Fuzzy Hash: A931B2716043016BD720EF258C49B2BB7E4EB85734F025F1EF9A99B2E0D37198048B92

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks bb4623-bb49ad: ReadFile at bb48e3, with calls to the internal helpers bad22c, bad23f, ba47a0, bb6e2d, bb6db3, bae13d, bc0d44, bad1e5, bb4335, bb417b and bb448c)
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e352905b24fd4a01fc60f3f0e5ad6473ee5152ff122656261f079821cdecb45d
                                  • Instruction ID: d8ea44cfa1093fbd383d1a45ab8972013d78da97d1c8da740b3abaa708d664af
                                  • Opcode Fuzzy Hash: e352905b24fd4a01fc60f3f0e5ad6473ee5152ff122656261f079821cdecb45d
                                  • Instruction Fuzzy Hash: 6FB1AD70A04245AFDB119FA9D881BFEBBF5FF46310F1441D8E885AB292CBB09D41CB61

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks aca210-aca474: calls to b9f290, ac2ae0, ba5362, ba9136, ba4eeb, b9f511, ba47b0, b2cf60, badbdf and ba8be8)
                                  APIs
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 8f101fd2b624b52a65f3d30a2859025330979bfc9a43f787bfbb76aa40c6a653
                                  • Instruction ID: 4ddd15a23553c89ac603e9c2f195f5c7c09e4d5ae479fcc3ed78259f9e79b757
                                  • Opcode Fuzzy Hash: 8f101fd2b624b52a65f3d30a2859025330979bfc9a43f787bfbb76aa40c6a653
                                  • Instruction Fuzzy Hash: FD714970900248AFDB18DF68CC49BAEBBE8EF42304F1085ADF8059B782D7B599418791

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks bb549c-bb56b7: WriteFile at bb5609, with calls to the internal helpers ba4723, bb4fe1, bae17d, bb4bb2, bb4f79, bb505e, bb5222, bb5139 and bad208)
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00BA9087,?,00000000,00000000,00000000,?,00000000,?,00ACA3EB,00BA9087,00000000,00ACA3EB,?,?), ref: 00BB5621
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: e3e0ad0f7779209529994720295bf935ab0803d4561b36daaf5272cd3f4a1309
                                  • Instruction ID: ef5516619814fcbb1cf06c47010ed9a222c758ca34246c27d098581c9c74b6ea
                                  • Opcode Fuzzy Hash: e3e0ad0f7779209529994720295bf935ab0803d4561b36daaf5272cd3f4a1309
                                  • Instruction Fuzzy Hash: 1361A071904519AFDF219FA8C884FFEBBFAEF19304F140185E805A7256D7B1D901CBA2

                                  Control-flow Graph

                                  (graph rendering omitted; the original distinguishes executed from not-executed blocks. Basic blocks ba4942-ba4ae2: calls to bb5f82, ba4723, bae11f, ba4cae, ba4e59, ba4ae3 and bc4a10)
                                  Memory Dump Source
• Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
• Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
• Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B306AE
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0

                                  Control-flow Graph

                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00BB49F9,00000000,CF830579,00BF1140,0000000C,00BB4AB5,00BA8BBD,?), ref: 00BB4B68
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0

                                  Control-flow Graph

                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00BF0DF8,00ACA3EB,00000002,00ACA3EB,00000000,?,?,?,00BAE166,00000000,?,00ACA3EB,00000002,00BF0DF8), ref: 00BAE098
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0

                                  Control-flow Graph

                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC220E
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0

                                  Control-flow Graph

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00BA91F7,00000000,?,00BB5D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00BAD244,00BA89C3,00BA91F7,00000000), ref: 00BB6435
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0

                                  Control-flow Graph

                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00BBD635,4D88C033,?,00BBD635,00000220,?,00BB57EF,4D88C033), ref: 00BB6E60
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055703A3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3314301778.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_5570000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 055703A3
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3314301778.0000000005570000.00000040.00001000.00020000.00000000.sdmp, Offset: 05570000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_5570000_MPGPH131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2F875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2F89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2F90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00B2F959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00B2F973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2FA08
                                  • std::_Facet_Register.LIBCPMT ref: 00B2FA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: 27fc1ea46a1138264f80f2fba7d44894dcb94915ffdf6505b84a48f03be709bc
                                  • Instruction ID: 4cfbeec4d1450ac204fe8f61323992ea968922fe3836065a1ce99eccef71ded6
                                  • Opcode Fuzzy Hash: 27fc1ea46a1138264f80f2fba7d44894dcb94915ffdf6505b84a48f03be709bc
                                  • Instruction Fuzzy Hash: 176168B1D00259DBEF10DFA5E845BAEBBF4AF14750F1441B8E819AB341EB34E905CBA1
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00AC3A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00AC3AA4
                                  • __Getctype.LIBCPMT ref: 00AC3ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00AC3AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00AC3B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: f222bffe6cc8bb618aa29c7b635bc48fd543be8222f4f0e8a105be71c4b7f434
                                  • Instruction ID: f9e5782c862bcdbf26a80af3162d4fa32c92a4611b1a6a77564cd264c69b3dc4
                                  • Opcode Fuzzy Hash: f222bffe6cc8bb618aa29c7b635bc48fd543be8222f4f0e8a105be71c4b7f434
                                  • Instruction Fuzzy Hash: 4E5130B2D012489BDF14DFA5D985F9EBBF8AF14310F1480A9E809AB341E775DE04CBA1
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00BA2E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00BA2F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00BA2F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 8b0a68fb37b8baebe0f52324572a0dab609c93fba674c4c7baef137ba043c79b
                                  • Instruction ID: 0032578aad216d509f3a6039e8b86530cdfeecb1d2a05d415d2faafc4479176d
                                  • Opcode Fuzzy Hash: 8b0a68fb37b8baebe0f52324572a0dab609c93fba674c4c7baef137ba043c79b
                                  • Instruction Fuzzy Hash: 15418F34A08209AFCF10DF6CC885A9EBBF5EF46314F1480A6E9149B752D732DE55CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2DE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00B2DEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2DED6
                                  • std::_Facet_Register.LIBCPMT ref: 00B2DF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00B2DF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B2DF7B
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: 5f80820928cbcb0542637db3f1c9cde7fe022feb55b4c730a96c04bb0b7027fc
                                  • Instruction ID: 8fd36bc807609bc677973bf11204981e3ed0825472d475b7b62f01ca31e5d29f
                                  • Opcode Fuzzy Hash: 5f80820928cbcb0542637db3f1c9cde7fe022feb55b4c730a96c04bb0b7027fc
                                  • Instruction Fuzzy Hash: 0541E2719002299FCF14DF58E985AAEBBF4FB14720F2442A9E8196B352DB31AD01CBD5
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC4F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC4FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC50C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 00AC504C
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 06d683135217b3344a21e517b03c3dc3e840dfab4d10ead830902ccdb3f44286
                                  • Instruction ID: 9b3039e7a2e3af20509614b8547becf26240ed36361e3a1678be40fb7994a856
                                  • Opcode Fuzzy Hash: 06d683135217b3344a21e517b03c3dc3e840dfab4d10ead830902ccdb3f44286
                                  • Instruction Fuzzy Hash: 32E111719002049FCB28DF68D855FAEBBF9FF48700F108A6DE45693781EB74A904CBA5
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC7B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 1a2114e8b9b3736c364a3e400db2fcb3f4236e2e221efafcf4100f5af4914074
                                  • Instruction ID: 868ec8f48a8d822f2879e11f6785519944aa2dbb59df82fabee5a92982ae1761
                                  • Opcode Fuzzy Hash: 1a2114e8b9b3736c364a3e400db2fcb3f4236e2e221efafcf4100f5af4914074
                                  • Instruction Fuzzy Hash: AFC157B19042488FDB58CFA8D984BADBBF5FB48310F14866DE419EB791E774A9808F50
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC75BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC75CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 5b2fd3fd5aeaf37cdea0c19e163b6c93dd1afd29d140096dc08917175e95084e
                                  • Instruction ID: 7552dc4c190d2e6e3f5277bd6b53dd518d3c5f6cd3f8d0d07af43a1de15d7c98
                                  • Opcode Fuzzy Hash: 5b2fd3fd5aeaf37cdea0c19e163b6c93dd1afd29d140096dc08917175e95084e
                                  • Instruction Fuzzy Hash: A561D071A042099FDB08DF68DD84BADBBF6FF49310F24866CE415A7B81D774AA408B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 64760899284bdc203de92c878f8312882bc4cd5316fd6182ce6ef5f97b07c997
                                  • Instruction ID: be76d91f285865abd0e8caba9114032320570ca9839f811d1adec0f6e370f693
                                  • Opcode Fuzzy Hash: 64760899284bdc203de92c878f8312882bc4cd5316fd6182ce6ef5f97b07c997
                                  • Instruction Fuzzy Hash: 8141A2B2900209AFCB14DF68C845FAEB7F9EB49310F14C56EF915D7641E770AA058BA0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC3E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: bd54f41b935f528c61754060c0528d737e060ea44de3b68a8a2ca6c75aa1808f
                                  • Instruction ID: 4052d86fbc2483f60695960b666e890c5b9235b1ab82e33ed48b401c2b000177
                                  • Opcode Fuzzy Hash: bd54f41b935f528c61754060c0528d737e060ea44de3b68a8a2ca6c75aa1808f
                                  • Instruction Fuzzy Hash: AF21D5B39043056FCB14DF58D805F96B7ECAB05310F18C8AEFA698B641E774EA148B95
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00AC7340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: d1576440caa8bf982ce85922cf1aafd28daf7567ec881baa5e8f51bfed4d1b1e
                                  • Instruction ID: 98165fa6fdffd12f03b0085b610bc1e49b6807c8020d74e7c807f955d15bf237
                                  • Opcode Fuzzy Hash: d1576440caa8bf982ce85922cf1aafd28daf7567ec881baa5e8f51bfed4d1b1e
                                  • Instruction Fuzzy Hash: 90E150719042488FDB18CF68C895BADBBF1BF49300F2582ADE419EB792D7749A81CF51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC6F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00AC6F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                   • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                   • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 188976cc905c12027eb910c332698a03c9ae67cea862253f61415ea200413fd6
                                  • Instruction ID: 9d8d296db0fd236ba86c21df8e0317791b4f559ab2f08deb56668f41edbd6a9c
                                  • Opcode Fuzzy Hash: 188976cc905c12027eb910c332698a03c9ae67cea862253f61415ea200413fd6
                                  • Instruction Fuzzy Hash: 3E91D370A002089FDB18CF68D985BAEBBF6EF49300F20856DE415EB792D775E941CB51
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 00B3E491
                                  Strings
                                  • type must be string, but is , xrefs: 00B3E4F8
                                  • type must be boolean, but is , xrefs: 00B3E582
                                  Memory Dump Source
                                  • Source File: 00000007.00000002.3306270230.0000000000AC1000.00000040.00000001.01000000.00000005.sdmp, Offset: 00AC0000, based on PE: true
                                  • Associated: 00000007.00000002.3306173101.0000000000AC0000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306270230.0000000000BF3000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306741677.0000000000BF8000.00000004.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000BFC000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000D81000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000E71000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EA6000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EB2000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3306828991.0000000000EC0000.00000040.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3307908013.0000000000EC1000.00000080.00000001.01000000.00000005.sdmp
                                  • Associated: 00000007.00000002.3308222938.000000000106A000.00000040.00000001.01000000.00000005.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_7_2_ac0000_MPGPH131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 1109152b339f7ba311d3b3f7e0792c7070ed3f9327311d212eae57a9ff48b696
                                  • Instruction ID: f633a4be1f317d805fed688ebf9235a045cb569f613c424180b95ccfa796bf4c
                                  • Opcode Fuzzy Hash: 1109152b339f7ba311d3b3f7e0792c7070ed3f9327311d212eae57a9ff48b696
                                  • Instruction Fuzzy Hash: D64168B1900248AFDB14EBA4E902BAE77E8DB14310F1446F9F429D77C2EB35E944C796

                                  Execution Graph

                                  Execution Coverage:2.9%
                                  Dynamic/Decrypted Code Coverage:1.8%
                                  Signature Coverage:0%
                                  Total number of Nodes:661
                                  Total number of Limit Nodes:69

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,009D3DB6), ref: 009D3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,009D3DB6), ref: 009D3BBA
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: e56891dd38a70376b920cd370b51b52a32c08d9c619c39c54c3e76d6581a63ca
                                  • Instruction ID: 96011418f801ff0ddb25ca1aeab65524751f667dc1fe500e3356119b915fe111
                                  • Opcode Fuzzy Hash: e56891dd38a70376b920cd370b51b52a32c08d9c619c39c54c3e76d6581a63ca
                                  • Instruction Fuzzy Hash: FE51A835A842198FCB24CF98C8D0EBAB3B9EF45705B28C59AD445AF351D735EE05CB81

                                  Control-flow Graph: function 98e0a0 (WSAStartup, socket, connect, closesocket); rendered graph omitted
                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID:
                                  • API String ID: 3098855095-0
                                  • Opcode ID: e4ad4b7d373d7cf34e08a74833548af83ea9f25b4ff99304a2c4c32c9eeab7b9
                                  • Instruction ID: 1e50f72f70db71204d25c6c43c813d5db6f7064918dd7c92240c699c05e1c34a
                                  • Opcode Fuzzy Hash: e4ad4b7d373d7cf34e08a74833548af83ea9f25b4ff99304a2c4c32c9eeab7b9
                                  • Instruction Fuzzy Hash: EE31A1726083016FD720AF658C99B2BB7E8EB85734F115F1DF9A8963E0D37598048B92

                                  Control-flow Graph: function a64623 (ReadFile); rendered graph omitted
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b9471816ad183e4072d86bde9caab6c303d7200abb614fd37e1fe2f6f7585a92
                                  • Instruction ID: 60baa6d24c3899841f72a000eb63d0ca8d00ad98d922bd03530e5347faa0219d
                                  • Opcode Fuzzy Hash: b9471816ad183e4072d86bde9caab6c303d7200abb614fd37e1fe2f6f7585a92
                                  • Instruction Fuzzy Hash: 01B1F371E04349AFEB11DFA8D881BAEBBB1BF4E314F144158E954AB382C7719D42CB60

                                  Control-flow Graph: function 97a210; rendered graph omitted
                                  APIs
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: ebba9b5c1f73132d745a023ada7eb5f3e56ab24057562a7ccd3c1161bda8c495
                                  • Instruction ID: fcddcf7f82cd06ecc44d21ee6dba7edfd77afb2af18734544624bda01fbf3ea0
                                  • Opcode Fuzzy Hash: ebba9b5c1f73132d745a023ada7eb5f3e56ab24057562a7ccd3c1161bda8c495
                                  • Instruction Fuzzy Hash: 09716B71900205AFDB14DF68CD45BAEBBE8FF81704F10856DF8099B282E7B5DA44CB92

                                  Control-flow Graph: function a6549c (WriteFile); rendered graph omitted
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00A59087,?,00000000,00000000,00000000,?,00000000,?,0097A3EB,00A59087,00000000,0097A3EB,?,?), ref: 00A65621
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 6ede1ab7756e6832f3ad09db64df0161ae9e3b6320570533dbf1d1d8e5764392
                                  • Instruction ID: 42907795745cb78e1a12761c3a1ba64e237075381966769782e641aa1180c025
                                  • Opcode Fuzzy Hash: 6ede1ab7756e6832f3ad09db64df0161ae9e3b6320570533dbf1d1d8e5764392
                                  • Instruction Fuzzy Hash: F161B3B6D04519AFDF11DFB8CD48EEEBBBAAF09304F180189E801A7255D772D911CBA0

                                  Control-flow Graph: function 4c10777 (GetCurrentHwProfileW); rendered graph omitted
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(?), ref: 04C10786
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3314632522.0000000004C10000.00000040.00001000.00020000.00000000.sdmp, Offset: 04C10000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_4c10000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 8f4e15db1ee904c50b18ea0fd959d6a0ffb4b0261cb37f29b8d81a0980258d5f
                                  • Instruction ID: 15b3c3287398d9236a98e5cf06ed107e77a018f2e20a52616671357cfb32811c
                                  • Opcode Fuzzy Hash: 8f4e15db1ee904c50b18ea0fd959d6a0ffb4b0261cb37f29b8d81a0980258d5f
                                  • Instruction Fuzzy Hash: 9C31E1EB34D111BDB10281832B24AFA6B2FE6D77307388476F907D1922F6C46AC975B0

                                  Control-flow Graph: function a54942; rendered graph omitted
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb3d1853bb73271abcc082419a7637254e54dd437727159dfa2d75c0e4455a09
                                  • Instruction ID: f7733db2ea583a5b7cb528d6510cef07c4aa86e6b92de43dfbaf766b49299466
                                  • Opcode Fuzzy Hash: fb3d1853bb73271abcc082419a7637254e54dd437727159dfa2d75c0e4455a09
                                  • Instruction Fuzzy Hash: ED51C670A00108AFDB54CF58CC81AAABFB1FF4D369F248158FD499B252D3319E85CB90

                                  Control-flow Graph: function 9e0560; rendered graph omitted
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009E06AE
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: bfb87c6db5d751a9a300851af93400cfbac8374cbaa6342a9cb56f901a48dcec
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 7241E572A001549FCB16DF69D9806AE7BA9BFC8310F140669FC05DB306DB70DDA08BE1

                                  Control-flow Graph: function a64b12 (FindCloseChangeNotification); rendered graph omitted
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00A649F9,00000000,CF830579,00AA1140,0000000C,00A64AB5,00A58BBD,?), ref: 00A64B68
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 170c1e8db5a26c68acbc55d5ddb96c804081f2e57d8ca5324cde8395b73af79a
                                  • Instruction ID: ffc6df3f2cadcb90990fa1419949dc177c4b317d025d9b6d8bf7ba76243c2c2e
                                  • Opcode Fuzzy Hash: 170c1e8db5a26c68acbc55d5ddb96c804081f2e57d8ca5324cde8395b73af79a
                                  • Instruction Fuzzy Hash: 5C116633A4022816D7257774E901B7EA7BACB9B774F290249F818AB0C2EF21EC824555

                                  Control-flow Graph
                                  control_flow_graph 441 a5e05c-a5e074 call a6a6de 444 a5e076-a5e07d 441->444 445 a5e08a-a5e0a0 SetFilePointerEx 441->445 448 a5e084-a5e088 444->448 446 a5e0b5-a5e0bf 445->446 447 a5e0a2-a5e0b3 call a5d208 445->447 446->448 449 a5e0c1-a5e0d6 446->449 447->448 450 a5e0db-a5e0de 448->450 449->450
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00AA0DF8,0097A3EB,00000002,0097A3EB,00000000,?,?,?,00A5E166,00000000,?,0097A3EB,00000002,00AA0DF8), ref: 00A5E098
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 15963079bd9bc53b1a04b86de24b70cbe99455e6340db27d94b984d6c7dbebc1
                                  • Instruction ID: c0b22fa22f408c6605be8f7df0be2d69040707ff468f88a1acf46d643dde28ed
                                  • Opcode Fuzzy Hash: 15963079bd9bc53b1a04b86de24b70cbe99455e6340db27d94b984d6c7dbebc1
                                  • Instruction Fuzzy Hash: BB01D632654159AFCF19DF59CC05C9E7B6AEB81335F240248FC509B2D1EAB2EE419BD0

                                  Control-flow Graph
                                  control_flow_graph 454 a4f290-a4f293 455 a4f2a2-a4f2a5 call a5df2c 454->455 457 a4f2aa-a4f2ad 455->457 458 a4f295-a4f2a0 call a617d8 457->458 459 a4f2af-a4f2b0 457->459 458->455 462 a4f2b1-a4f2b5 458->462 463 9721d0-972220 call 9721b0 call a50efb call a50651 462->463 464 a4f2bb 462->464 464->464
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0097220E
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 992a921226d8e4bb8ded6109923904ed1d90e9934d4cba8afb87cc543ea86abe
                                  • Instruction ID: 22a2696d432a6608e5b4a9cbd8fbeaa13c2650574e6b1bb6af919cd6a819077d
                                  • Opcode Fuzzy Hash: 992a921226d8e4bb8ded6109923904ed1d90e9934d4cba8afb87cc543ea86abe
                                  • Instruction Fuzzy Hash: 4201DB7A50430DAFCB14AFA8DC029997BACEA00310B54C43AFE1DDB591E770E954C791

                                  Control-flow Graph
                                  control_flow_graph 471 a663f3-a663fe 472 a66400-a6640a 471->472 473 a6640c-a66412 471->473 472->473 474 a66440-a6644b call a5d23f 472->474 475 a66414-a66415 473->475 476 a6642b-a6643c RtlAllocateHeap 473->476 482 a6644d-a6644f 474->482 475->476 477 a66417-a6641e call a63f93 476->477 478 a6643e 476->478 477->474 484 a66420-a66429 call a617d8 477->484 478->482 484->474 484->476
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00A591F7,00000000,?,00A65D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00A5D244,00A589C3,00A591F7,00000000), ref: 00A66435
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: fa3a87d192a437a755ab2ddda1eccd140c05e05c0e54a564e2e30db1aa17cc4e
                                  • Instruction ID: 529a3740cc3afaf9aba86e3d9cf37160191f23531ed3d7e6cac42fe0b8cc6c97
                                  • Opcode Fuzzy Hash: fa3a87d192a437a755ab2ddda1eccd140c05e05c0e54a564e2e30db1aa17cc4e
                                  • Instruction Fuzzy Hash: DFF08931545125669B216B629F0AB6B7B7DEF51764F158411EC09961C0CF30E81146F1

                                  Control-flow Graph
                                  control_flow_graph 487 a66e2d-a66e39 488 a66e6b-a66e76 call a5d23f 487->488 489 a66e3b-a66e3d 487->489 496 a66e78-a66e7a 488->496 491 a66e56-a66e67 RtlAllocateHeap 489->491 492 a66e3f-a66e40 489->492 494 a66e42-a66e49 call a63f93 491->494 495 a66e69 491->495 492->491 494->488 499 a66e4b-a66e54 call a617d8 494->499 495->496 499->488 499->491
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00A6D635,4D88C033,?,00A6D635,00000220,?,00A657EF,4D88C033), ref: 00A66E60
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: f6ea76123649671ffa8d5dad7d9a81f59ef093a178b06071640ac11d5c94d6e0
                                  • Instruction ID: 83dce4a03c76eb5cafc993d983e3c4f171c3a032bb6410c7a1a75b8e3675f6c7
                                  • Opcode Fuzzy Hash: f6ea76123649671ffa8d5dad7d9a81f59ef093a178b06071640ac11d5c94d6e0
                                  • Instruction Fuzzy Hash: 34E0223A9006226ADB3123A6DE00BAB7A7DDF823B0F050520FD05D60D0CB22CC0081E4
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: f55709fc0da3e202e67fb7834342b0a84c7d97547c7a0f559539964932f7284a
                                  • Opcode Fuzzy Hash: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction Fuzzy Hash: A7024A71E012199FDF14CFA9C9806AEBBB1FF48315F248269E919F7380DB35A905CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009DF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009DF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DFA08
                                  • std::_Facet_Register.LIBCPMT ref: 009DFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: ce95517ed9ae2262f36a7bb950abbeed97c1b7178fe02e524446ade995658edb
                                  • Instruction ID: 63c04cd3117b45367caeea04aac56310e997395aa275b6a4486d6387f2ce2557
                                  • Opcode Fuzzy Hash: ce95517ed9ae2262f36a7bb950abbeed97c1b7178fe02e524446ade995658edb
                                  • Instruction Fuzzy Hash: 8561D375D40209DFEF20DFA4D956B9EBBB8BF54310F148469E806AB381D734E905CB92
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00973A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00973AA4
                                  • __Getctype.LIBCPMT ref: 00973ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00973AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00973B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: c5beb7f35607ab28adfb175a2fb8cd48f15b82678a3e6ac1a652ca2eb6326910
                                  • Instruction ID: c25b72d9592859a4a20287e6987b0670515d93d32aa92165fe26244d2b11b8ed
                                  • Opcode Fuzzy Hash: c5beb7f35607ab28adfb175a2fb8cd48f15b82678a3e6ac1a652ca2eb6326910
                                  • Instruction Fuzzy Hash: B35120B5D002489FEF10DFA4D985B9EBBF8BF58314F148169E809AB341E775DA08CB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00A52E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00A52F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 251493b1658508df91dbb4437bb223f77a8850d36551bf654a9003fb8abeab18
                                  • Instruction ID: 4a8beedb1b9461fc914fa3c721791dedbc84442d50f1b624fa15cc6961a56c10
                                  • Opcode Fuzzy Hash: 251493b1658508df91dbb4437bb223f77a8850d36551bf654a9003fb8abeab18
                                  • Instruction Fuzzy Hash: F5419E31A00209ABCF10DF68D885B9EBBB5BF46326F148455EC189B392D731EE59CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DDED6
                                  • std::_Facet_Register.LIBCPMT ref: 009DDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009DDF7B
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: cef3f70264490103a738cd5e9a658d8bd2c9932134364ed8dd810084ae79dd27
                                  • Instruction ID: e8fe439aa1ca1698fd6cc0f4a8d19c63444e17841397188fc35c44d37f2b361b
                                  • Opcode Fuzzy Hash: cef3f70264490103a738cd5e9a658d8bd2c9932134364ed8dd810084ae79dd27
                                  • Instruction Fuzzy Hash: 3C411271950216DFCB14DF98D841BAEBBB8FB46320F14866AE8159B392D730AD01CBE1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00974F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00974FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009750C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0097504C
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 05034be23e4068c2c5b043ef95e177546d577267b8a25ef4d2fd9ef76001aaef
                                  • Instruction ID: b50a748b530d497b2759373a759b92376b38342d0ce41469dd6446c20653b8e9
                                  • Opcode Fuzzy Hash: 05034be23e4068c2c5b043ef95e177546d577267b8a25ef4d2fd9ef76001aaef
                                  • Instruction Fuzzy Hash: 30E115729002059FCB28DF68DD45B9EBBF9FF44300F148A2DE45A97782E774A944CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0097799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00977B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 509614cdfe7299ca9431f89595ce8d8b327c487984186a240a8b98e915a3d215
                                  • Instruction ID: 569b8b12be433b157e908daacca14439ed5c5c42c22b36365998bceaea0f54e1
                                  • Opcode Fuzzy Hash: 509614cdfe7299ca9431f89595ce8d8b327c487984186a240a8b98e915a3d215
                                  • Instruction Fuzzy Hash: 64C147B1D012089FDB18DFA8D984B9DFBF5FF48300F14866AE419EB791E77499808B51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 06333f5a0d154ea9e27abbc6aa15f4c326c86b2fcb0a9f0046d5e58748153fb4
                                  • Instruction ID: d88c99eca1c0e348eefbe21aafcd950425fa6d7cb98718a424258a3a870d248a
                                  • Opcode Fuzzy Hash: 06333f5a0d154ea9e27abbc6aa15f4c326c86b2fcb0a9f0046d5e58748153fb4
                                  • Instruction Fuzzy Hash: 3E61C471A042059FDB08DFA8DD85BADFBB6FF84300F24862CF419A7791D774AA448B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00973E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 62f00ca119f38a5272209346b175ad7011acff66e509405378e49455914f4586
                                  • Instruction ID: 4b60929013bc6c6b414cf6f1c8d5666f977da76cc58d54a0f2b2aae3ad228e65
                                  • Opcode Fuzzy Hash: 62f00ca119f38a5272209346b175ad7011acff66e509405378e49455914f4586
                                  • Instruction Fuzzy Hash: 234193B6900208AFCB14DF68CC45B9EB7F8FF49710F14C52AF919D7681E774AA058BA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00973E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 94649afaf1194d6202ef468b41f9a190fad77f45f5a584f6a4b91849c2785a74
                                  • Instruction ID: b949226de5ec7f3a08aa8dcfd7a9c7d35bd240fe2b9e4922b1f02074032ef121
                                  • Opcode Fuzzy Hash: 94649afaf1194d6202ef468b41f9a190fad77f45f5a584f6a4b91849c2785a74
                                  • Instruction Fuzzy Hash: DB2193B39047056FC714DE68D806B96B7DCAF44310F18C82AFA6C8B641E774EA14DB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00977340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 05619d92f5c47758a82992666685f69589250bb8e0a527cce3c6fdef5c60cfcf
                                  • Instruction ID: eb2a72d160af7af67bdb59b79d3033e3b5e7c0a2e951242b18886a73271e84c0
                                  • Opcode Fuzzy Hash: 05619d92f5c47758a82992666685f69589250bb8e0a527cce3c6fdef5c60cfcf
                                  • Instruction Fuzzy Hash: 29E17F719042099FDB18CFA8D984B9DFBF1BF49300F248269E419EB792D7749A81CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00976F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00976F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 39ab16f2ef354aebdf1e4cb817c734e2cfe09b6fff32e3b69d78e6814c3df5e2
                                  • Instruction ID: 1ec21d78b14eb068462ac72ed4894373c312f8e587931c31e0e94822ad73d509
                                  • Opcode Fuzzy Hash: 39ab16f2ef354aebdf1e4cb817c734e2cfe09b6fff32e3b69d78e6814c3df5e2
                                  • Instruction Fuzzy Hash: 1991F671A006059FDB18CF68C984B9EBBF5FF45300F20C62CE459AB792D771AA41CB91
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009EE491
                                  Strings
                                  • type must be string, but is , xrefs: 009EE4F8
                                  • type must be boolean, but is , xrefs: 009EE582
                                  Memory Dump Source
                                  • Source File: 00000008.00000002.3307879772.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 00000008.00000002.3307833701.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3307879772.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308139365.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308181266.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3308951526.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 00000008.00000002.3309516714.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_8_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 461c970c5e6740df240f694f8d0ba8e13aced62032bf0b9a9bf37efa06b0e9a0
                                  • Instruction ID: 55046319a85a7420925dd2667c20934f3d2adbaf4b61c9ff1b4277c6160fbb05
                                  • Opcode Fuzzy Hash: 461c970c5e6740df240f694f8d0ba8e13aced62032bf0b9a9bf37efa06b0e9a0
                                  • Instruction Fuzzy Hash: 7C417BB5900248AFCB05EBA4D902B9EB7A8EB40310F148679F419D77D1FB35AD44C796

                                  Execution Graph

                                   Execution Coverage: 3.1%
                                   Dynamic/Decrypted Code Coverage: 0.5%
                                   Signature Coverage: 0%
                                   Total number of Nodes: 652
                                   Total number of Limit Nodes: 68
                                  execution_graph 18505 97a210 18538 a4f290 18505->18538 18507 97a248 18543 972ae0 18507->18543 18509 97a28b 18559 a55362 18509->18559 18513 97a377 18515 97a34e 18515->18513 18588 a547b0 18515->18588 18519 a59136 4 API calls 18520 97a2fc 18519->18520 18525 97a318 18520->18525 18574 9dcf60 18520->18574 18579 a5dbdf 18525->18579 18540 9721d0 Concurrency::cancel_current_task std::_Xinvalid_argument ___std_exception_copy std::_Facet_Register 18538->18540 18539 a4f2af 18539->18507 18540->18539 18591 a50651 18540->18591 18544 972ba5 18543->18544 18550 972af6 18543->18550 18809 972270 18544->18809 18545 972b02 std::locale::_Locimp::_Locimp 18545->18509 18547 972b2a 18554 a4f290 std::_Facet_Register RtlAllocateHeap 18547->18554 18548 972baa 18819 9721d0 18548->18819 18550->18545 18550->18547 18552 972b65 18550->18552 18553 972b6e 18550->18553 18551 972b3d 18555 a547b0 RtlAllocateHeap 18551->18555 18558 972b46 std::locale::_Locimp::_Locimp 18551->18558 18552->18547 18552->18548 18557 a4f290 std::_Facet_Register RtlAllocateHeap 18553->18557 18553->18558 18554->18551 18556 972bb4 18555->18556 18557->18558 18558->18509 18832 a552a0 18559->18832 18561 97a2d7 18561->18515 18562 a59136 18561->18562 18563 a59149 ___std_exception_copy 18562->18563 18856 a58e8d 18563->18856 18565 a5915e 18566 a544dc ___std_exception_copy RtlAllocateHeap 18565->18566 18567 97a2ea 18566->18567 18568 a54eeb 18567->18568 18569 a54efe ___std_exception_copy 18568->18569 18989 a54801 18569->18989 18571 a54f0a 18572 a544dc ___std_exception_copy RtlAllocateHeap 18571->18572 18573 97a2f0 18572->18573 18573->18519 18575 9dcfa7 18574->18575 18578 9dcf78 __fread_nolock 18574->18578 19037 9e0560 18575->19037 18577 9dcfba 18577->18525 18578->18525 19052 a5dbfc 18579->19052 18581 97a348 18582 a58be8 18581->18582 18583 a58bfb ___std_exception_copy 18582->18583 19176 a58ac3 18583->19176 18585 a58c07 18586 a544dc ___std_exception_copy RtlAllocateHeap 18585->18586 18587 a58c13 
18586->18587 18587->18515 18589 a546ec ___std_exception_copy RtlAllocateHeap 18588->18589 18590 a547bf __Getctype 18589->18590 18592 972213 18591->18592 18593 a5065e ___std_exception_copy 18591->18593 18592->18507 18593->18592 18596 a5068b 18593->18596 18597 a656b8 18593->18597 18606 a5d7d6 18596->18606 18598 a656c6 18597->18598 18599 a656d4 18597->18599 18598->18599 18603 a656ec 18598->18603 18609 a5d23f 18599->18609 18602 a656e6 18602->18596 18603->18602 18604 a5d23f __dosmaperr RtlAllocateHeap 18603->18604 18605 a656dc 18604->18605 18612 a547a0 18605->18612 18607 a66db3 ___std_exception_destroy RtlAllocateHeap 18606->18607 18608 a5d7ee 18607->18608 18608->18592 18615 a65d2c 18609->18615 18720 a546ec 18612->18720 18616 a65d35 __Getctype 18615->18616 18617 a5d244 18616->18617 18626 a663f3 18616->18626 18617->18605 18619 a65d79 __Getctype 18620 a65d81 __Getctype 18619->18620 18621 a65db9 18619->18621 18630 a66db3 18620->18630 18634 a65a09 18621->18634 18625 a66db3 ___std_exception_destroy RtlAllocateHeap 18625->18617 18627 a66400 __Getctype std::_Facet_Register 18626->18627 18628 a6643e __dosmaperr 18627->18628 18629 a6642b RtlAllocateHeap 18627->18629 18628->18619 18629->18627 18629->18628 18631 a66de8 18630->18631 18632 a66dbe __dosmaperr 18630->18632 18631->18617 18632->18631 18633 a5d23f __dosmaperr RtlAllocateHeap 18632->18633 18633->18631 18635 a65a77 __Getctype 18634->18635 18638 a659af 18635->18638 18637 a65aa0 18637->18625 18639 a659bb __fread_nolock std::_Lockit::_Lockit 18638->18639 18642 a65b90 18639->18642 18641 a659dd __Getctype 18641->18637 18643 a65bc6 __Getctype 18642->18643 18644 a65b9f __Getctype 18642->18644 18643->18641 18644->18643 18646 a6f2a7 18644->18646 18647 a6f327 18646->18647 18650 a6f2bd 18646->18650 18648 a6f375 18647->18648 18651 a66db3 ___std_exception_destroy RtlAllocateHeap 18647->18651 18714 a6f418 18648->18714 18650->18647 18652 a6f2f0 18650->18652 18657 a66db3 ___std_exception_destroy RtlAllocateHeap 18650->18657 18653 a6f349 
18651->18653 18654 a6f312 18652->18654 18663 a66db3 ___std_exception_destroy RtlAllocateHeap 18652->18663 18655 a66db3 ___std_exception_destroy RtlAllocateHeap 18653->18655 18656 a66db3 ___std_exception_destroy RtlAllocateHeap 18654->18656 18658 a6f35c 18655->18658 18659 a6f31c 18656->18659 18661 a6f2e5 18657->18661 18664 a66db3 ___std_exception_destroy RtlAllocateHeap 18658->18664 18667 a66db3 ___std_exception_destroy RtlAllocateHeap 18659->18667 18660 a6f3e3 18668 a66db3 ___std_exception_destroy RtlAllocateHeap 18660->18668 18674 a6e5ab 18661->18674 18662 a6f383 18662->18660 18670 a66db3 RtlAllocateHeap ___std_exception_destroy 18662->18670 18665 a6f307 18663->18665 18666 a6f36a 18664->18666 18702 a6ea0a 18665->18702 18672 a66db3 ___std_exception_destroy RtlAllocateHeap 18666->18672 18667->18647 18673 a6f3e9 18668->18673 18670->18662 18672->18648 18673->18643 18675 a6e5bc 18674->18675 18701 a6e6a5 18674->18701 18676 a6e5cd 18675->18676 18677 a66db3 ___std_exception_destroy RtlAllocateHeap 18675->18677 18678 a66db3 ___std_exception_destroy RtlAllocateHeap 18676->18678 18680 a6e5df 18676->18680 18677->18676 18678->18680 18679 a6e5f1 18682 a6e603 18679->18682 18684 a66db3 ___std_exception_destroy RtlAllocateHeap 18679->18684 18680->18679 18681 a66db3 ___std_exception_destroy RtlAllocateHeap 18680->18681 18681->18679 18683 a6e615 18682->18683 18685 a66db3 ___std_exception_destroy RtlAllocateHeap 18682->18685 18686 a6e627 18683->18686 18687 a66db3 ___std_exception_destroy RtlAllocateHeap 18683->18687 18684->18682 18685->18683 18688 a6e639 18686->18688 18689 a66db3 ___std_exception_destroy RtlAllocateHeap 18686->18689 18687->18686 18690 a6e64b 18688->18690 18692 a66db3 ___std_exception_destroy RtlAllocateHeap 18688->18692 18689->18688 18691 a6e65d 18690->18691 18693 a66db3 ___std_exception_destroy RtlAllocateHeap 18690->18693 18694 a6e66f 18691->18694 18695 a66db3 ___std_exception_destroy RtlAllocateHeap 18691->18695 18692->18690 18693->18691 18696 a6e681 18694->18696 

                                  Control-flow Graph

                                  APIs
                                  • Sleep.KERNELBASE(000003E9,?,00000001,00000000,?,?,?,?,?,?,?,?,009D3DB6), ref: 009D3B08
                                  • Sleep.KERNELBASE(00000001,?,00000001,00000000,?,?,?,?,?,?,?,?,009D3DB6), ref: 009D3BBA
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Sleep
                                  • String ID:
                                  • API String ID: 3472027048-0
                                  • Opcode ID: f6c1435e940d217399ada86c42b8663570481760d96d672f37f0bbf3c256688d
                                  • Instruction ID: e5b48e8f24064d0f96d6701536eb56537ed6c8cb7b7f960de1ae89117d812772
                                  • Opcode Fuzzy Hash: f6c1435e940d217399ada86c42b8663570481760d96d672f37f0bbf3c256688d
                                  • Instruction Fuzzy Hash: 3B51B835A842198FCB24CF98C8D0EBAB3B9EF49705B28C59AD445AF311D735EE05CB80

                                  Control-flow Graph

                                  APIs
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Startupclosesocketconnectsocket
                                  • String ID: q
                                  • API String ID: 3098855095-831824133
                                  • Opcode ID: d93a9471f740276fdae34f736f5fb9e5b807c4e1701c70bb6e17499561d87745
                                  • Instruction ID: 3bd88a1881e20c106260885b353f03e2398eb6cb9f524045bf0d7cae92816104
                                  • Opcode Fuzzy Hash: d93a9471f740276fdae34f736f5fb9e5b807c4e1701c70bb6e17499561d87745
                                  • Instruction Fuzzy Hash: 9731C4726083016FD7209F258C9972FB7E8EB85334F015F1DF9A8962E0D33598048B92

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID: G`PR
                                  • API String ID: 2104809126-1351489844
                                  • Opcode ID: c5789c56174094519403af1cede6581ebe445bf2c354066960940a5d33bf668c
                                  • Instruction ID: 3da18cd4d0240c836d42c186b2cacbe413ae98d2ab18d43be8161ad60e934a9a
                                  • Opcode Fuzzy Hash: c5789c56174094519403af1cede6581ebe445bf2c354066960940a5d33bf668c
                                  • Instruction Fuzzy Hash: 7941F2FB20C121BDF212D2556B60BFB57AEE7D2730B30A426FC47D151AF3946A892032

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 715b0e42ac45a0e472d0acbf206c659c62b6b7e2063416eebb635cebba59f2a8
                                  • Instruction ID: 39427dfa854e7c9ba59bdfaecb78b077b870adb110accbc595581d43f7d1a5e5
                                  • Opcode Fuzzy Hash: 715b0e42ac45a0e472d0acbf206c659c62b6b7e2063416eebb635cebba59f2a8
                                  • Instruction Fuzzy Hash: 50B10271A04349AFEB11DFA8D881BAEBBB1FF4E314F144158E954AB382C7719D46CB60

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2d72b06bbab6265ea7cba3e53783492dccc30fa2aed5af810a2c7eb008c8cff3
                                  • Instruction ID: 269cdf874b387928a76bdeaafe265962e5930dcb15318766fc546e8844f0d309
                                  • Opcode Fuzzy Hash: 2d72b06bbab6265ea7cba3e53783492dccc30fa2aed5af810a2c7eb008c8cff3
                                  • Instruction Fuzzy Hash: 8F41D3F730C221BDF11291516B54EFB576EEBD2730B30A42AFC47D1915F3946A892431

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ea2f3db90e373d2dd3e40e9495ff791bb5c20dc97d5224d33979cc71506aa7f5
                                  • Instruction ID: f7881a4d8d40825376108ef91dabb61262a738baceb161c28de925371e92716a
                                  • Opcode Fuzzy Hash: ea2f3db90e373d2dd3e40e9495ff791bb5c20dc97d5224d33979cc71506aa7f5
                                  • Instruction Fuzzy Hash: F241F2FB20C221BDF10291516B54AFB67AEEBD2730B30A42AFC47D1919F3946A892431

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: f36034845ed2ffe3854a507954ec1cea9b2b156641cb91444aecfc7a721eebc4
                                  • Instruction ID: 20d4cd381013ca6c06088cd86a06a1872227104718743189402d7daa9affbe77
                                  • Opcode Fuzzy Hash: f36034845ed2ffe3854a507954ec1cea9b2b156641cb91444aecfc7a721eebc4
                                  • Instruction Fuzzy Hash: 2B41F3F730C211BDF20291516B54EFB576EEBD2730B30A42AFC47D1919F3946A892431

                                  Control-flow Graph
                                  • Graph image not reproduced. Basic blocks 4e506b1-4e50a75; the block 4e50866-4e508a6 calls GetCurrentHwProfileW, then 4e508bc-4e50a75 calls 4e50916, 4e5099b and 4e50a77. Which blocks were executed is only shown in the image.
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 7a2a89163047bd87022bfa873cba6ccf97ea35b81676bf57aedd6e81d03e6f0b
                                  • Instruction ID: ed3dac3472190c27271a6de5113094f5c2ea0215eff9ad6dc4ad49eb080bf4c5
                                  • Opcode Fuzzy Hash: 7a2a89163047bd87022bfa873cba6ccf97ea35b81676bf57aedd6e81d03e6f0b
                                  • Instruction Fuzzy Hash: 124104F720C121BDF20292556B54BFB676EEBD2330B30A42AFC47D1919F3946A892431

                                  Control-flow Graph
                                  • Graph image not reproduced. Basic blocks 4e506f0-4e50a75; the block 4e50866-4e508a6 calls GetCurrentHwProfileW, then 4e508bc-4e50a75 calls 4e50916, 4e5099b and 4e50a77. Which blocks were executed is only shown in the image.
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: b986d39d91328e2bad3c8e0905634dc361c2f1ad760a37afe83fa2d061970753
                                  • Instruction ID: 2aac5eff4d536c21eb007094aa10db533723bb6d444f82e002ed677e6909feeb
                                  • Opcode Fuzzy Hash: b986d39d91328e2bad3c8e0905634dc361c2f1ad760a37afe83fa2d061970753
                                  • Instruction Fuzzy Hash: AD4117F730C121BDF20292556B54BFB57AEEBD2730B30A42AFC07C1919F3956A896431

                                  Control-flow Graph
                                  • Graph image not reproduced. Basic blocks 97a210-97a474 in the PE-backed image at 00970000; internal calls to a4f290, 972ae0, a55362, a59136, a54eeb, a58be8, a4f511, a547b0, 9dcf60 and a5dbdf. Which blocks were executed is only shown in the image.
                                  APIs
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: __fread_nolock
                                  • String ID:
                                  • API String ID: 2638373210-0
                                  • Opcode ID: 51ad14613b883c48832360ea8ea9e6f2d336730a4e860c677c9ece7d37e534a9
                                  • Instruction ID: d6aa694ea035e7835bc71fa104833fa4d2a1adfafacafefe686184fa8ee496af
                                  • Opcode Fuzzy Hash: 51ad14613b883c48832360ea8ea9e6f2d336730a4e860c677c9ece7d37e534a9
                                  • Instruction Fuzzy Hash: AC715B71900205AFDB14DF68DD45B9EBBE8FF81704F10856DF8099B282E7B59944CB92

                                  Control-flow Graph
                                  • Graph image not reproduced. Basic blocks 4e50714-4e50a75; the block 4e50866-4e508a6 calls GetCurrentHwProfileW, then 4e508bc-4e50a75 calls 4e50916, 4e5099b and 4e50a77. Which blocks were executed is only shown in the image.
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: ea12a148a4249c68fa425966708daae349d013b0476b27bb08be2f2b19e1df76
                                  • Instruction ID: a13e103e5013d4d13a31031ea2eb98c63bc25a3a4d950e0fb438816207d9ebd5
                                  • Opcode Fuzzy Hash: ea12a148a4249c68fa425966708daae349d013b0476b27bb08be2f2b19e1df76
                                  • Instruction Fuzzy Hash: C141F3F730C221BDF21292556B54BFB67AEEBD2730B30A42AFC47C1519F3946A892431

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 9e566b5183b9ed39fc3cb50764ce8ebe3c9d4b731da5287926a4c66c7e832272
                                  • Instruction ID: b2541ff18abdb6e9973b9a514a98e704dc349d30e6551c2bdaaca9d5f9605bb7
                                  • Opcode Fuzzy Hash: 9e566b5183b9ed39fc3cb50764ce8ebe3c9d4b731da5287926a4c66c7e832272
                                  • Instruction Fuzzy Hash: 3841C0E730C121BDF21292556B54BFB576EEBD2730B30A426FC47D191AF3946A892432

                                  Control-flow Graph
                                  • Graph image not reproduced. Basic blocks 4e50768-4e50a75; the block 4e50866-4e508a6 calls GetCurrentHwProfileW, then 4e508bc-4e50a75 calls 4e50916, 4e5099b and 4e50a77. Which blocks were executed is only shown in the image.
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 4b82b3b10d06e5b388b4777d8b17292bcbc8606b0b245fe362716f9ec5e638f6
                                  • Instruction ID: bfa32e37ed03fb97456dd03c83f73189062f673de161fd96e60f86d703f12c91
                                  • Opcode Fuzzy Hash: 4b82b3b10d06e5b388b4777d8b17292bcbc8606b0b245fe362716f9ec5e638f6
                                  • Instruction Fuzzy Hash: 794136FB20C1117DF202D6556A55EFB67AEEBC1730B30A42AFC43C2516F3956A892071

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: b97d5f2f6fc0436274dc946b795a815189d0369d2d3f6d768028e32465423c4d
                                  • Instruction ID: b8e9258b93709e0761eb2b21ad0972b1a876b13d25ead5f9bc942996c43ffcb8
                                  • Opcode Fuzzy Hash: b97d5f2f6fc0436274dc946b795a815189d0369d2d3f6d768028e32465423c4d
                                  • Instruction Fuzzy Hash: D141C1F720C121BDF21292556B54BFB57AEE7D2730B30A426FC47D1919F3946A892432

                                  Control-flow Graph

                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 4f45a07af55a8170c4f71086b286e2b115545b0e94b1a5dbedc23e28d011814b
                                  • Instruction ID: fe0bfe884de7824542a5a84dd5e5f36296c3ad80f7f3fab58483b34d6c78eb79
                                  • Opcode Fuzzy Hash: 4f45a07af55a8170c4f71086b286e2b115545b0e94b1a5dbedc23e28d011814b
                                  • Instruction Fuzzy Hash: CC41CFE720C121BDF21292556A54BFB57AEE7D2730B30A426FC47C1919F2946A892431
                                  APIs
                                  • WriteFile.KERNELBASE(?,00000000,00A59087,?,00000000,00000000,00000000,?,00000000,?,0097A3EB,00A59087,00000000,0097A3EB,?,?), ref: 00A65621
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FileWrite
                                  • String ID:
                                  • API String ID: 3934441357-0
                                  • Opcode ID: 3941bba524666be1c8fff27bc23793212f88fde9bc6b0f8adacdd1134579dd4c
                                  • Instruction ID: d3d80a81f956887cc5a1423a00545e11f2df6e435d4ef7e2bc845d84eb05bc07
                                  • Opcode Fuzzy Hash: 3941bba524666be1c8fff27bc23793212f88fde9bc6b0f8adacdd1134579dd4c
                                  • Instruction Fuzzy Hash: AD61B2B6D04519AFDF11DFB8C948EEEBBBAAF09304F180189E901A7255D772D911CBA0
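                                  The entries above are Joe Sandbox function fingerprints: each lists the Windows API calls a function makes, the memory dump the function was found in, and opcode-level hashes. The security-relevant detail is the Source File line. GetCurrentHwProfileW is called from the region at 04E50000 marked "based on PE: false", i.e. memory that no PE image on disk accounts for (the unpacked stage), whereas WriteFile is called from the PE-backed image at 00970000. The same call site 04E50896 also appears under many different Opcode IDs. The following Python is an added example, not part of the Joe Sandbox report or of any Joe Sandbox tooling: it parses entries in this text layout, lists API calls made from unbacked regions, groups API names per region, and counts call sites that appear under more than one Opcode ID. The sample text is constructed from three entries on this page; the regexes and field names are assumptions about the report's text export, not a documented format.

```python
"""Triage helper for Joe Sandbox function-fingerprint entries. Added example,
not part of the report: parses the text layout used on this page and flags
API calls made from memory that is not backed by a PE image on disk."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: three entries in this report's text layout.
SAMPLE = """\
APIs
• GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
Memory Dump Source
• Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
• Opcode ID: 2edb7d6b96e4b3908d0e873ec7b12b3127341287667c848e2bd934bf2c80c85d
• Instruction Fuzzy Hash: 7B4103E720C1207DF212D2552B54BFB57AEE7D6730B30A42AFC47C161AF7856B892072
APIs
• GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
Memory Dump Source
• Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
• Opcode ID: f2ff3c117da19df1bae074de34e7fbfc9bb0d536b56759e5753618f2796648a7
• Instruction Fuzzy Hash: E741D2F720C120BDF212D2556A50BFB67ADE7D1730B30A42AFD43D1519F3946A892432
APIs
• WriteFile.KERNELBASE(?,00000000,00A59087,?,00000000,00000000,00000000,?,00000000,?,0097A3EB,00A59087,00000000,0097A3EB,?,?), ref: 00A65621
Memory Dump Source
• Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
• Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
• Opcode ID: 3941bba524666be1c8fff27bc23793212f88fde9bc6b0f8adacdd1134579dd4c
• Instruction Fuzzy Hash: AD61B2B6D04519AFDF11DFB8C948EEEBBBAAF09304F180189E901A7255D772D911CBA0
"""

# "• Name.MODULE(args), ref: ADDR" or "• Ns::name.MODULE ref: ADDR" (assumed layout)
API_RE = re.compile(r"^•\s*(?P<name>[\w:]+)\.(?P<module>\w+)"
                    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
SRC_RE = re.compile(r"^•\s*Source File:\s*(?P<file>\S+),\s*Offset:\s*(?P<base>[0-9A-Fa-f]+),"
                    r"\s*based on PE:\s*(?P<pe>true|false)$")
FIELD_RE = re.compile(r"^•\s*(?P<key>[A-Za-z ]+?):\s*(?P<val>.*)$")


@dataclass
class ApiCall:
    name: str
    module: str
    args: str
    ref: int          # address of the call site


@dataclass
class FunctionEntry:
    apis: list = field(default_factory=list)
    source_file: str = ""
    region_base: int = 0
    pe_backed: bool = True   # "based on PE: false" means unbacked memory
    fields: dict = field(default_factory=dict)

    @property
    def opcode_id(self) -> str:
        return self.fields.get("Opcode ID", "")


def parse_entries(text: str) -> list:
    """Split the export into entries; each ends at its Instruction Fuzzy Hash line."""
    entries, cur = [], FunctionEntry()
    for raw in text.splitlines():
        line = raw.strip()
        if m := API_RE.match(line):
            cur.apis.append(ApiCall(m["name"], m["module"], m["args"] or "", int(m["ref"], 16)))
        elif m := SRC_RE.match(line):
            cur.source_file, cur.region_base = m["file"], int(m["base"], 16)
            cur.pe_backed = m["pe"] == "true"
        elif m := FIELD_RE.match(line):
            key = m["key"].strip()
            cur.fields[key] = m["val"].strip()
            if key == "Instruction Fuzzy Hash":      # last field of an entry
                entries.append(cur)
                cur = FunctionEntry()
    return entries


def unbacked_api_calls(entries) -> list:
    """(api, module, call site, region base) for callers in non-PE-backed memory."""
    return [(c.name, c.module, c.ref, e.region_base)
            for e in entries if not e.pe_backed for c in e.apis]


def api_names_by_region(entries) -> dict:
    """Region base address -> set of API names called from that region."""
    out = defaultdict(set)
    for e in entries:
        for c in e.apis:
            out[e.region_base].add(c.name)
    return dict(out)


def call_sites_with_multiple_fingerprints(entries) -> dict:
    """Call sites reported under more than one Opcode ID (code differed between snapshots)."""
    ids = defaultdict(set)
    for e in entries:
        for c in e.apis:
            ids[c.ref].add(e.opcode_id)
    return {ref: len(s) for ref, s in ids.items() if len(s) > 1}


if __name__ == "__main__":
    ents = parse_entries(SAMPLE)
    for name, mod, ref, base in unbacked_api_calls(ents):
        print(f"UNBACKED {name}.{mod} at {ref:08X} (region {base:08X})")
    print(api_names_by_region(ents))
    print(call_sites_with_multiple_fingerprints(ents))
```

                                  On this page's data the script reports GetCurrentHwProfileW called twice from the unbacked region 04E50000 and WriteFile from the PE-backed image, and that call site 04E50896 carries two Opcode IDs. GetCurrentHwProfileW fills an HW_PROFILE_INFO structure whose szHwProfileGuid member is a machine-specific GUID that stealers commonly use as a victim identifier; the report shows the call, not what this sample does with the result, so treat that interpretation as an assumption to confirm in the decrypted C2 traffic.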
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 2edb7d6b96e4b3908d0e873ec7b12b3127341287667c848e2bd934bf2c80c85d
                                  • Instruction ID: 1049d50bcd5bb31aa1a83150b268282d5618b2baad3b865201107f6c93dca120
                                  • Opcode Fuzzy Hash: 2edb7d6b96e4b3908d0e873ec7b12b3127341287667c848e2bd934bf2c80c85d
                                  • Instruction Fuzzy Hash: 7B4103E720C1207DF212D2552B54BFB57AEE7D6730B30A42AFC47C161AF7856B892072
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: f2ff3c117da19df1bae074de34e7fbfc9bb0d536b56759e5753618f2796648a7
                                  • Instruction ID: f96ee68a27f29ee9e6f1e25e74ac9a9bd4febec8b0bf7059ea6fcd85f1aae376
                                  • Opcode Fuzzy Hash: f2ff3c117da19df1bae074de34e7fbfc9bb0d536b56759e5753618f2796648a7
                                  • Instruction Fuzzy Hash: E741D2F720C120BDF212D2556A50BFB67ADE7D1730B30A42AFD43D1519F3946A892432
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: b2bdf9af21949c432a0ef3709256386d3b762265e6ea702883b7e5b20e3e7eb6
                                  • Instruction ID: ff621ce0a8793b79c88801ecd65a905f9b06c5b2dd0d2567f5325dc59a37c43c
                                  • Opcode Fuzzy Hash: b2bdf9af21949c432a0ef3709256386d3b762265e6ea702883b7e5b20e3e7eb6
                                  • Instruction Fuzzy Hash: F54125F720C120BDF202D2512B50BFB67AEE7C6330B30A426FC47C191AF3846A896472
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fb3d1853bb73271abcc082419a7637254e54dd437727159dfa2d75c0e4455a09
                                  • Instruction ID: f7733db2ea583a5b7cb528d6510cef07c4aa86e6b92de43dfbaf766b49299466
                                  • Opcode Fuzzy Hash: fb3d1853bb73271abcc082419a7637254e54dd437727159dfa2d75c0e4455a09
                                  • Instruction Fuzzy Hash: ED51C670A00108AFDB54CF58CC81AAABFB1FF4D369F248158FD499B252D3319E85CB90
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: 5fce6261838ccab86e3847ba6ea9e6a3c07e13af5e066f24fbae3941013643b3
                                  • Instruction ID: 5f52ee124754124bdede378fce6b7786260cf75c12bddc21c67ebf5633b94693
                                  • Opcode Fuzzy Hash: 5fce6261838ccab86e3847ba6ea9e6a3c07e13af5e066f24fbae3941013643b3
                                  • Instruction Fuzzy Hash: 4431F6E730C1607DF212D2652A54BFB57AED7D2730B30A426FD47D161AF3856A892072
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: af5170e1eb00b0ceb666f88c0c53901edf2e25705e35cc565d21bc06c230cfec
                                  • Instruction ID: 583d9ff94de893bab965398790c3162e602d007428ff7bfad3b122d6bc1c1e8a
                                  • Opcode Fuzzy Hash: af5170e1eb00b0ceb666f88c0c53901edf2e25705e35cc565d21bc06c230cfec
                                  • Instruction Fuzzy Hash: C531E5EB30C2207DF212D2552A55BFB57ADD7C2730B30A426FD43C161AF7846A892072
                                  APIs
                                  • GetCurrentHwProfileW.ADVAPI32(-0000CF3E), ref: 04E50896
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315212624.0000000004E50000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E50000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e50000_RageMP131.jbxd
                                  Similarity
                                  • API ID: CurrentProfile
                                  • String ID:
                                  • API String ID: 2104809126-0
                                  • Opcode ID: d4971b7197e6ca0ba991dcf1ecefc52c9034618829ee39515baa3a7f7cf45154
                                  • Instruction ID: 8ecbac4b1cc2b3f879e05970e64663f52bdfc9972f2bab421987c8d15705847f
                                  • Opcode Fuzzy Hash: d4971b7197e6ca0ba991dcf1ecefc52c9034618829ee39515baa3a7f7cf45154
                                  • Instruction Fuzzy Hash: C83129FB70C2257DF212D2512651BFB67AEEBC2730B30A42AFD43C1519F7856A892071
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009E06AE
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID:
                                  • API String ID: 118556049-0
                                  • Opcode ID: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction ID: bfb87c6db5d751a9a300851af93400cfbac8374cbaa6342a9cb56f901a48dcec
                                  • Opcode Fuzzy Hash: 318ca63d53af118050337d2617cc9b2857a3311d5737a2fcb3013cc935154a5b
                                  • Instruction Fuzzy Hash: 7241E572A001549FCB16DF69D9806AE7BA9BFC8310F140669FC05DB306DB70DDA08BE1
                                  APIs
                                  • FindCloseChangeNotification.KERNELBASE(00000000,00000000,CF830579,?,00A649F9,00000000,CF830579,00AA1140,0000000C,00A64AB5,00A58BBD,?), ref: 00A64B68
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ChangeCloseFindNotification
                                  • String ID:
                                  • API String ID: 2591292051-0
                                  • Opcode ID: 09600d636bb50a51f07e02fc2baf45ba38d85402229e350d6626660c71418f57
                                  • Instruction ID: d6ed0fb69ee46de2e545384aefe1cbee0594c1282515821cd138d7be27fc79be
                                  • Opcode Fuzzy Hash: 09600d636bb50a51f07e02fc2baf45ba38d85402229e350d6626660c71418f57
                                  • Instruction Fuzzy Hash: 08116633B4022416D72577B4E901B7EA7BACB9B774F2A024DF818AB0C2EE21DC824555
                                  APIs
                                  • SetFilePointerEx.KERNELBASE(00000000,00000000,00AA0DF8,0097A3EB,00000002,0097A3EB,00000000,?,?,?,00A5E166,00000000,?,0097A3EB,00000002,00AA0DF8), ref: 00A5E098
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: FilePointer
                                  • String ID:
                                  • API String ID: 973152223-0
                                  • Opcode ID: 5def75eff799653aeb10b74b0b7c1d83ca20cf52a32fcc2b6a58832e4ef8068a
                                  • Instruction ID: e86192aed2cb7b99d5861739e0814e7a8891171ff9ffd2305932658a3ebe7e13
                                  • Opcode Fuzzy Hash: 5def75eff799653aeb10b74b0b7c1d83ca20cf52a32fcc2b6a58832e4ef8068a
                                  • Instruction Fuzzy Hash: EF012632654159AFCF19DF58CC01C9E3B6AEB81335B240208FC509B2D1E6B2EE458BD0
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0097220E
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID:
                                  • API String ID: 2659868963-0
                                  • Opcode ID: 992a921226d8e4bb8ded6109923904ed1d90e9934d4cba8afb87cc543ea86abe
                                  • Instruction ID: 22a2696d432a6608e5b4a9cbd8fbeaa13c2650574e6b1bb6af919cd6a819077d
                                  • Opcode Fuzzy Hash: 992a921226d8e4bb8ded6109923904ed1d90e9934d4cba8afb87cc543ea86abe
                                  • Instruction Fuzzy Hash: 4201DB7A50430DAFCB14AFA8DC029997BACEA00310B54C43AFE1DDB591E770E954C791
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000008,00A591F7,00000000,?,00A65D79,00000001,00000364,00000000,00000006,000000FF,?,00000000,00A5D244,00A589C3,00A591F7,00000000), ref: 00A66435
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: fa3a87d192a437a755ab2ddda1eccd140c05e05c0e54a564e2e30db1aa17cc4e
                                  • Instruction ID: 529a3740cc3afaf9aba86e3d9cf37160191f23531ed3d7e6cac42fe0b8cc6c97
                                  • Opcode Fuzzy Hash: fa3a87d192a437a755ab2ddda1eccd140c05e05c0e54a564e2e30db1aa17cc4e
                                  • Instruction Fuzzy Hash: DFF08931545125669B216B629F0AB6B7B7DEF51764F158411EC09961C0CF30E81146F1
                                  APIs
                                  • RtlAllocateHeap.NTDLL(00000000,00A6D635,4D88C033,?,00A6D635,00000220,?,00A657EF,4D88C033), ref: 00A66E60
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: AllocateHeap
                                  • String ID:
                                  • API String ID: 1279760036-0
                                  • Opcode ID: f6ea76123649671ffa8d5dad7d9a81f59ef093a178b06071640ac11d5c94d6e0
                                  • Instruction ID: 83dce4a03c76eb5cafc993d983e3c4f171c3a032bb6410c7a1a75b8e3675f6c7
                                  • Opcode Fuzzy Hash: f6ea76123649671ffa8d5dad7d9a81f59ef093a178b06071640ac11d5c94d6e0
                                  • Instruction Fuzzy Hash: 34E0223A9006226ADB3123A6DE00BAB7A7DDF823B0F050520FD05D60D0CB22CC0081E4
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e48daa1b11c6a74f6590a50e3a3528b61b6db4f3a762dc65780215c4844762ff
                                  • Instruction ID: ef11501feed3196f0745becd95cbccec2430e157600bc43eedc24867ac59694d
                                  • Opcode Fuzzy Hash: e48daa1b11c6a74f6590a50e3a3528b61b6db4f3a762dc65780215c4844762ff
                                  • Instruction Fuzzy Hash: 3F21E9EB2CC130BDE042D5416B14AF76B2EE7D67B4B30A917F417C5602F3A55A897432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 25654c0eb250c6a965a2dc40f51908f31bff81436ac63278da23eaa13f52b71b
                                  • Instruction ID: 25c503e658ce1a5c75fe1ff73a579bbe623ccfa76a5bfb4dea0a294b2f7aeeb7
                                  • Opcode Fuzzy Hash: 25654c0eb250c6a965a2dc40f51908f31bff81436ac63278da23eaa13f52b71b
                                  • Instruction Fuzzy Hash: 3A21F8EB2CC130BEE083D4416B14AF76A2FE7D67B4B30A916F417C5602F3A55A997432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3914df3a6526794c9a3211e2cb477a227e38cc32e7e74e3f2dd31888d296c4c2
                                  • Instruction ID: 6ccc7580385e5c4fae20b75116d25e0081c5481ba8119d2fdb942f24eade8809
                                  • Opcode Fuzzy Hash: 3914df3a6526794c9a3211e2cb477a227e38cc32e7e74e3f2dd31888d296c4c2
                                  • Instruction Fuzzy Hash: A52105EB2CC130BDE042D4416B146F76A2EE7D6BB0B30A926F407C5602F3956A893432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f396956aaa77e5c5a15d0a2ecb20a4db9846b28fca2a512f9dc84e8c3c758057
                                  • Instruction ID: 714db0c6d7e435394e89b5eacc7489537fa71ffaf41951f095ee60d75e57848a
                                  • Opcode Fuzzy Hash: f396956aaa77e5c5a15d0a2ecb20a4db9846b28fca2a512f9dc84e8c3c758057
                                  • Instruction Fuzzy Hash: 2721B7EB2CC130BEF042D9416B14AF76B2EE7D67B4B309926F407C5602F3A55A997432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: d84613fc8afb7dc60d847ea94a01a16e00cea78a04382818d18af55cbdbf3ee9
                                  • Instruction ID: da158eea32353d404994708c4a8aafcf998f25b2958bf74d2fed6e80012c7356
                                  • Opcode Fuzzy Hash: d84613fc8afb7dc60d847ea94a01a16e00cea78a04382818d18af55cbdbf3ee9
                                  • Instruction Fuzzy Hash: B121F6EF2CC230BEE042D8516B116F66B1EEBD67B0B30A526F417C5602F3A556997432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: dbfae77ec76aaec689027f4adb11394ecb763c0777b251d8f8ff436981b41b35
                                  • Instruction ID: 0327c815b191066586e60834598b5c7cb396c61e9938d67d97ccc0c22c7bac05
                                  • Opcode Fuzzy Hash: dbfae77ec76aaec689027f4adb11394ecb763c0777b251d8f8ff436981b41b35
                                  • Instruction Fuzzy Hash: 642138EB2C8230EEE142D8516A112F67B5FEB927B0B306526F007C6602F3A566997432
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4d6a1192fa4e9346fd148e756c25b3557aa7c8d1650eee1ced8801d5009d44a6
                                  • Instruction ID: 59fcc259c1e266f8b987b8d1737710a1957869187ad49471357c9bcb85e4cb39
                                  • Opcode Fuzzy Hash: 4d6a1192fa4e9346fd148e756c25b3557aa7c8d1650eee1ced8801d5009d44a6
                                  • Instruction Fuzzy Hash: CD1126EB2C8130BEE043D8516B116F66A1FEBD67B0F30A516F017C5A02F3A556997832
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0b1c617e695ab42bb51ad4db5072370dd9065d9fcb3f93ca22956b550fbb407e
                                  • Instruction ID: d06dc87cc037d13de1fc6f016a52c3ea09397a029a562616690ed8c89535686c
                                  • Opcode Fuzzy Hash: 0b1c617e695ab42bb51ad4db5072370dd9065d9fcb3f93ca22956b550fbb407e
                                  • Instruction Fuzzy Hash: 121178EB2C8130BEE043C9515A012F66B1FEBA77B0F306212F04786602F2A467997832
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 7e9b484eac68f002ead89ea028b2cbe0baafb804be7bf753f036bcfdf268ea5e
                                  • Instruction ID: a362274648511e48415a83c2a23a6029de89bc2a8a4a0dce05c001e75d500c00
                                  • Opcode Fuzzy Hash: 7e9b484eac68f002ead89ea028b2cbe0baafb804be7bf753f036bcfdf268ea5e
                                  • Instruction Fuzzy Hash: 8901D4DF2C8134FEC083D89567142F66D1BABA76F0F306216F05799B02B3A467987832
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: bcf5dca5a0aa6eae240b85ed283660ac720dd41817826e8c32c96e57648d39e0
                                  • Instruction ID: 6704ddb0b729d1bc3b37aebbfdd31690577818fc7fe89f7bcc8d7d5e662fcb5d
                                  • Opcode Fuzzy Hash: bcf5dca5a0aa6eae240b85ed283660ac720dd41817826e8c32c96e57648d39e0
                                  • Instruction Fuzzy Hash: E801D4DB2C8134FEC083D89556152F66C1BABA77F0F306216F05795A02B3A56B987832
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: fcec9b4d608de56509508670c197105fbfa39a2189b88bee0c50b779f2e502e3
                                  • Instruction ID: 4a3e3539c70540d9db19bf7dd1205d0e8f7d562dfbb9737104f0ca025167d448
                                  • Opcode Fuzzy Hash: fcec9b4d608de56509508670c197105fbfa39a2189b88bee0c50b779f2e502e3
                                  • Instruction Fuzzy Hash: C30166DB2C8230EFC083C95156442F17E2AABA32B0B301256F0939B642B3642A947932
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 32eb00b50d636590fa07b0bd3c3a70d3ed63957cc6bc1adc913308c0714f718c
                                  • Instruction ID: 65283a8bb14f2c6a1b8fe61af79e37225bbe962b0e4d6179442b8d37b2885003
                                  • Opcode Fuzzy Hash: 32eb00b50d636590fa07b0bd3c3a70d3ed63957cc6bc1adc913308c0714f718c
                                  • Instruction Fuzzy Hash: A3F0288A2D8130DDC486DC2122082F67E5667632F0F307307E09794A07B6547B99BC32
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 15ec27268cb921b94d5a5aa764a47a20a4778833bf578cfa7b869454b25fec2a
                                  • Instruction ID: 6df73116cce3ebd6ecfa99eeb7abe5b049099c6ffb3a75b07e7cfb44390b7d17
                                  • Opcode Fuzzy Hash: 15ec27268cb921b94d5a5aa764a47a20a4778833bf578cfa7b869454b25fec2a
                                  • Instruction Fuzzy Hash: 95F0E9DF2CC130DDC042DC5166092FA6D1AABA72F0F307617E02799A03B66467987C72
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: efdaf2f8f4cd04f650ffc1a5812971d88da5ea3d90e918c92b6aa7c0b9f772c0
                                  • Instruction ID: 284033b0270c13694f37029029151f538211cc6e501dc61a664b6c22b461c87d
                                  • Opcode Fuzzy Hash: efdaf2f8f4cd04f650ffc1a5812971d88da5ea3d90e918c92b6aa7c0b9f772c0
                                  • Instruction Fuzzy Hash: B7E0D84E2CC170D9C082E85113042F51C573B672F0F303313E05799A17F7A463597831
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3315244353.0000000004E60000.00000040.00001000.00020000.00000000.sdmp, Offset: 04E60000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_4e60000_RageMP131.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2f5e5c992a68ff7a2648e7ad8af8c0cd1a2a94586cb21ceea214373e66f2a4cf
                                  • Instruction ID: b4f6d94b6b05d64520819031be927fa307a16c5cebac70786f985f982737bf32
                                  • Opcode Fuzzy Hash: 2f5e5c992a68ff7a2648e7ad8af8c0cd1a2a94586cb21ceea214373e66f2a4cf
                                  • Instruction Fuzzy Hash: C1F0DC6B7CC2B4CFC381E87120882E86E537F633B0F30163ED08357847E2085208B012
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                   • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                   • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4df2230cf6d2b22dd9929c0dcf2eb738a93c5ed6b64abc4e5fced81a8044e2fc
                                  • Instruction ID: f55709fc0da3e202e67fb7834342b0a84c7d97547c7a0f559539964932f7284a
                                  • Instruction Fuzzy Hash: A7024A71E012199FDF14CFA9C9806AEBBB1FF48315F248269E919F7380DB35A905CB90
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF833
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF855
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DF875
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DF89F
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DF90D
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 009DF959
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 009DF973
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DFA08
                                  • std::_Facet_Register.LIBCPMT ref: 009DFA15
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Locinfo::_$Facet_Locinfo_ctorLocinfo_dtorRegister
                                  • String ID: bad locale name$Ps
                                  • API String ID: 3375549084-1174896957
                                  • Opcode ID: ce95517ed9ae2262f36a7bb950abbeed97c1b7178fe02e524446ade995658edb
                                  • Instruction ID: 63c04cd3117b45367caeea04aac56310e997395aa275b6a4486d6387f2ce2557
                                  • Instruction Fuzzy Hash: 8561D375D40209DFEF20DFA4D956B9EBBB8BF54310F148469E806AB381D734E905CB92
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 00973A58
                                  • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 00973AA4
                                  • __Getctype.LIBCPMT ref: 00973ABA
                                  • std::_Locinfo::_Locinfo_dtor.LIBCPMT ref: 00973AE6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 00973B7B
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Locinfo::_Lockit$GetctypeLocinfo_ctorLocinfo_dtorLockit::_Lockit::~_
                                  • String ID: bad locale name
                                  • API String ID: 1840309910-1405518554
                                  • Opcode ID: c5beb7f35607ab28adfb175a2fb8cd48f15b82678a3e6ac1a652ca2eb6326910
                                  • Instruction ID: c25b72d9592859a4a20287e6987b0670515d93d32aa92165fe26244d2b11b8ed
                                  • Instruction Fuzzy Hash: B35120B5D002489FEF10DFA4D985B9EBBF8BF58314F148169E809AB341E775DA08CB91
                                  APIs
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52E47
                                  • ___except_validate_context_record.LIBVCRUNTIME ref: 00A52E4F
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52ED8
                                  • __IsNonwritableInCurrentImage.LIBCMT ref: 00A52F03
                                  • _ValidateLocalCookies.LIBCMT ref: 00A52F58
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                  • String ID: csm
                                  • API String ID: 1170836740-1018135373
                                  • Opcode ID: 251493b1658508df91dbb4437bb223f77a8850d36551bf654a9003fb8abeab18
                                  • Instruction ID: 4a8beedb1b9461fc914fa3c721791dedbc84442d50f1b624fa15cc6961a56c10
                                  • Instruction Fuzzy Hash: F5419E31A00209ABCF10DF68D885B9EBBB5BF46326F148455EC189B392D731EE59CB91
                                  APIs
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DDE93
                                  • std::_Lockit::_Lockit.LIBCPMT ref: 009DDEB6
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DDED6
                                  • std::_Facet_Register.LIBCPMT ref: 009DDF4B
                                  • std::_Lockit::~_Lockit.LIBCPMT ref: 009DDF63
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009DDF7B
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: std::_$Lockit$Lockit::_Lockit::~_$Concurrency::cancel_current_taskFacet_Register
                                  • String ID:
                                  • API String ID: 2081738530-0
                                  • Opcode ID: cef3f70264490103a738cd5e9a658d8bd2c9932134364ed8dd810084ae79dd27
                                  • Instruction ID: e8fe439aa1ca1698fd6cc0f4a8d19c63444e17841397188fc35c44d37f2b361b
                                  • Instruction Fuzzy Hash: 3C411271950216DFCB14DF98D841BAEBBB8FB46320F14866AE8159B392D730AD01CBE1
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00974F72
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00974FFF
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 009750C8
                                  Strings
                                  • recursive_directory_iterator::operator++, xrefs: 0097504C
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy$___std_exception_copy
                                  • String ID: recursive_directory_iterator::operator++
                                  • API String ID: 1206660477-953255998
                                  • Opcode ID: 05034be23e4068c2c5b043ef95e177546d577267b8a25ef4d2fd9ef76001aaef
                                  • Instruction ID: b50a748b530d497b2759373a759b92376b38342d0ce41469dd6446c20653b8e9
                                  • Instruction Fuzzy Hash: 30E115729002059FCB28DF68DD45B9EBBF9FF44300F148A2DE45A97782E774A944CBA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 0097799A
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00977B75
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: out_of_range$type_error
                                  • API String ID: 2659868963-3702451861
                                  • Opcode ID: 509614cdfe7299ca9431f89595ce8d8b327c487984186a240a8b98e915a3d215
                                  • Instruction ID: 569b8b12be433b157e908daacca14439ed5c5c42c22b36365998bceaea0f54e1
                                  • Instruction Fuzzy Hash: 64C147B1D012089FDB18DFA8D984B9DFBF5FF48300F14866AE419EB791E77499808B51
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009775BE
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 009775CD
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: at line $, column
                                  • API String ID: 4194217158-191570568
                                  • Opcode ID: 06333f5a0d154ea9e27abbc6aa15f4c326c86b2fcb0a9f0046d5e58748153fb4
                                  • Instruction ID: d88c99eca1c0e348eefbe21aafcd950425fa6d7cb98718a424258a3a870d248a
                                  • Instruction Fuzzy Hash: 3E61C471A042059FDB08DFA8DD85BADFBB6FF84300F24862CF419A7791D774AA448B91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00973E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 62f00ca119f38a5272209346b175ad7011acff66e509405378e49455914f4586
                                  • Instruction ID: 4b60929013bc6c6b414cf6f1c8d5666f977da76cc58d54a0f2b2aae3ad228e65
                                  • Instruction Fuzzy Hash: 234193B6900208AFCB14DF68CC45B9EB7F8FF49710F14C52AF919D7681E774AA058BA1
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00973E7F
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                                  • API String ID: 2659868963-1866435925
                                  • Opcode ID: 94649afaf1194d6202ef468b41f9a190fad77f45f5a584f6a4b91849c2785a74
                                  • Instruction ID: b949226de5ec7f3a08aa8dcfd7a9c7d35bd240fe2b9e4922b1f02074032ef121
                                  • Instruction Fuzzy Hash: DB2193B39047056FC714DE68D806B96B7DCAF44310F18C82AFA6C8B641E774EA14DB91
                                  APIs
                                  • ___std_exception_copy.LIBVCRUNTIME ref: 00977340
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_copy
                                  • String ID: parse error$parse_error
                                  • API String ID: 2659868963-1820534363
                                  • Opcode ID: 05619d92f5c47758a82992666685f69589250bb8e0a527cce3c6fdef5c60cfcf
                                  • Instruction ID: eb2a72d160af7af67bdb59b79d3033e3b5e7c0a2e951242b18886a73271e84c0
                                  • Opcode Fuzzy Hash: 05619d92f5c47758a82992666685f69589250bb8e0a527cce3c6fdef5c60cfcf
                                  • Instruction Fuzzy Hash: 29E17F719042099FDB18CFA8D984B9DFBF1BF49300F248269E419EB792D7749A81CF91
                                  APIs
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00976F11
                                  • ___std_exception_destroy.LIBVCRUNTIME ref: 00976F20
                                  Strings
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: ___std_exception_destroy
                                  • String ID: [json.exception.
                                  • API String ID: 4194217158-791563284
                                  • Opcode ID: 39ab16f2ef354aebdf1e4cb817c734e2cfe09b6fff32e3b69d78e6814c3df5e2
                                  • Instruction ID: 1ec21d78b14eb068462ac72ed4894373c312f8e587931c31e0e94822ad73d509
                                  • Opcode Fuzzy Hash: 39ab16f2ef354aebdf1e4cb817c734e2cfe09b6fff32e3b69d78e6814c3df5e2
                                  • Instruction Fuzzy Hash: 1991F671A006059FDB18CF68C984B9EBBF5FF45300F20C62CE459AB792D771AA41CB91
                                  APIs
                                  • Concurrency::cancel_current_task.LIBCPMT ref: 009EE491
                                  Strings
                                  • type must be string, but is , xrefs: 009EE4F8
                                  • type must be boolean, but is , xrefs: 009EE582
                                  Memory Dump Source
                                  • Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
                                  • Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3306912829.0000000000AA3000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307526853.0000000000AA8000.00000004.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000AAC000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000C31000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D21000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D56000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D62000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3307579783.0000000000D70000.00000040.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308342930.0000000000D71000.00000080.00000001.01000000.00000006.sdmp
                                  • Associated: 0000000A.00000002.3308817329.0000000000F1A000.00000040.00000001.01000000.00000006.sdmp
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
                                  Yara matches
                                  Similarity
                                  • API ID: Concurrency::cancel_current_task
                                  • String ID: type must be boolean, but is $type must be string, but is
                                  • API String ID: 118556049-436076039
                                  • Opcode ID: 461c970c5e6740df240f694f8d0ba8e13aced62032bf0b9a9bf37efa06b0e9a0
                                  • Instruction ID: 55046319a85a7420925dd2667c20934f3d2adbaf4b61c9ff1b4277c6160fbb05
                                  • Opcode Fuzzy Hash: 461c970c5e6740df240f694f8d0ba8e13aced62032bf0b9a9bf37efa06b0e9a0
                                  • Instruction Fuzzy Hash: 7C417BB5900248AFCB05EBA4D902B9EB7A8EB40310F148679F419D77D1FB35AD44C796
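The function records above (APIs with reference addresses, strings with xrefs, the .sdmp memory-dump source, the snapshot file and the Similarity block with its API String ID and fuzzy hashes) are what an analyst would extract to compare this RageMP131 dump against other samples. The following is an added example, not Joe Sandbox code: a parser for that record layout as it appears in this listing. The layout (each record opening with an "APIs" header, followed by "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches" and "Similarity") is inferred from the entries above. The reading of the first, second and fourth dotted fields of the .sdmp name as process ID (0x0A = 10), snapshot index (2) and region base is confirmed by cross-checking against the snapshot file name hcaresult_10_2_970000_RageMP131.jbxd and the Offset value; treating the fifth field (0x40) as a memory-protection value is an assumption and is marked as such in the code. The embedded input is one record copied in the shape of the listing.

```python
"""Parse Joe Sandbox 'IDA Plugin' per-function records (added example, not Joe Sandbox code)."""
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: one record in the shape of the listing above.
SAMPLE_RECORD = """\
APIs
• Concurrency::cancel_current_task.LIBCPMT ref: 009EE491
Strings
• type must be string, but is , xrefs: 009EE4F8
• type must be boolean, but is , xrefs: 009EE582
Memory Dump Source
• Source File: 0000000A.00000002.3306912829.0000000000971000.00000040.00000001.01000000.00000006.sdmp, Offset: 00970000, based on PE: true
• Associated: 0000000A.00000002.3306833326.0000000000970000.00000004.00000001.01000000.00000006.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_10_2_970000_RageMP131.jbxd
Yara matches
Similarity
• API ID: Concurrency::cancel_current_task
• String ID: type must be boolean, but is $type must be string, but is
• API String ID: 118556049-436076039
• Instruction Fuzzy Hash: 7C417BB5900248AFCB05EBA4D902B9EB7A8EB40310F148679F419D77D1FB35AD44C796
"""

BULLET = "• "
HEADERS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin",
           "Yara matches", "Similarity"}
API_RE = re.compile(r"^(?P<name>.+?)\.(?P<lib>[A-Z0-9_]+) ref: (?P<addr>[0-9A-Fa-f]+)$")
STR_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<addrs>[0-9A-Fa-f, ]+)$")
SRC_RE = re.compile(r"^Source File: (?P<dump>\S+\.sdmp), Offset: (?P<off>[0-9A-Fa-f]+), "
                    r"based on PE: (?P<pe>true|false)$")
SNAP_RE = re.compile(r"^Snapshot File: hcaresult_(?P<pid>\d+)_(?P<snap>\d+)_"
                     r"(?P<base>[0-9A-Fa-f]+)_(?P<proc>.+)\.jbxd$")


@dataclass
class DumpRef:
    pid: int          # field 1 of the .sdmp name, cross-checked against hcaresult_<pid>_...
    snapshot: int     # field 2, cross-checked against hcaresult_<pid>_<snap>_...
    base: int         # field 4, the region base address
    protect: int      # field 5; ASSUMPTION: a memory-protection value (0x40 here)
    name: str


@dataclass
class Record:
    apis: list = field(default_factory=list)      # (api name, library, ref address)
    strings: list = field(default_factory=list)   # (string text, [xref addresses])
    source: Optional[DumpRef] = None
    offset: Optional[int] = None                  # PE image base the dump is "based on"
    based_on_pe: Optional[bool] = None
    associated: list = field(default_factory=list)
    snapshot: Optional[dict] = None               # pid, snap, base, proc from the .jbxd name
    similarity: dict = field(default_factory=dict)


def parse_dump_name(name: str) -> DumpRef:
    """Split a dotted .sdmp file name into its hex fields (web residue tolerated)."""
    if name.endswith("Download File"):
        name = name[:-len("Download File")]
    parts = name[:-len(".sdmp")].split(".")
    return DumpRef(pid=int(parts[0], 16), snapshot=int(parts[1], 16),
                   base=int(parts[3], 16), protect=int(parts[4], 16), name=name)


def parse_records(text: str) -> list:
    """Walk the listing; a new record starts at every 'APIs' header."""
    records, rec, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in HEADERS:
            if line == "APIs":
                rec = Record()
                records.append(rec)
            section = line
            continue
        if rec is None or not line.startswith(BULLET):
            continue
        item = line[len(BULLET):]
        if section == "APIs" and (m := API_RE.match(item)):
            rec.apis.append((m["name"], m["lib"], int(m["addr"], 16)))
        elif section == "Strings" and (m := STR_RE.match(item)):
            rec.strings.append((m["text"], [int(a, 16) for a in m["addrs"].split(", ")]))
        elif section == "Memory Dump Source":
            if m := SRC_RE.match(item):
                rec.source = parse_dump_name(m["dump"])
                rec.offset = int(m["off"], 16)
                rec.based_on_pe = m["pe"] == "true"
            elif item.startswith("Associated: "):
                rec.associated.append(parse_dump_name(item[len("Associated: "):]))
        elif section == "Joe Sandbox IDA Plugin" and (m := SNAP_RE.match(item)):
            rec.snapshot = {"pid": int(m["pid"]), "snap": int(m["snap"]),
                            "base": int(m["base"], 16), "proc": m["proc"]}
        elif section == "Similarity":
            key, _, value = item.partition(": ")
            rec.similarity[key] = value
    return records


def cross_check(rec: Record) -> list:
    """Mismatches between the .sdmp name fields, the snapshot name and the ref addresses."""
    if rec.source is None or rec.snapshot is None:
        return ["record lacks a dump source or snapshot file"]
    problems = []
    if rec.source.pid != rec.snapshot["pid"]:
        problems.append("pid")
    if rec.source.snapshot != rec.snapshot["snap"]:
        problems.append("snapshot")
    if rec.offset != rec.snapshot["base"]:
        problems.append("base")
    refs = [a for _, _, a in rec.apis] + [a for _, xs in rec.strings for a in xs]
    if any(a < rec.offset for a in refs):       # refs must lie inside the mapped image
        problems.append("ref below image base")
    return problems


def fuzzy_hash_index(records: list) -> dict:
    """Instruction Fuzzy Hash -> API IDs, the key to compare against other samples' reports."""
    index = {}
    for rec in records:
        h = rec.similarity.get("Instruction Fuzzy Hash")
        if h:
            index.setdefault(h, []).append(rec.similarity.get("API ID", ""))
    return index


if __name__ == "__main__":
    for r in parse_records(SAMPLE_RECORD):
        print(r.similarity.get("API ID"), hex(r.source.base), cross_check(r))
```

Run it on the full text of this section to get one Record per function; the fuzzy-hash index is what you would diff against the same listing from a second sample to see which functions are shared.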